May a data broker resell personal data based on an old contract?

Data brokers and marketing companies often rely on outdated databases and general terms and conditions from the past to trade personal data. However, in a decision of 27 November 2025 (No. 199/2025), the Belgian Data Protection Authority (DPA) sent a clear message: without explicit, free, and specific consent, the resale of data for direct marketing purposes is unlawful. A contract with a supplier does not suffice as proof of consent.

The facts: old dates, new rules

The case revolves around a citizen's complaint against Infobel, a well-known commercial data broker. The complainant found that his personal data (name, address, phone number) were being processed by Infobel and resold to third parties for direct marketing purposes, without his ever having given direct consent to Infobel to do so.

Infobel defended itself by arguing that it had legally obtained this data through a telecom operator (referred to as ‘Z4’ in the decision). According to Infobel, in 2006, when taking out its telephone subscription, the complainant would have given its consent through the operator's general terms and conditions. Infobel relied on contracts with this operator and argued that responsibility for consent lay with the source.

The key question was whether a data broker may hide behind contractual warranties from a supplier and past implied consent (‘opt-out’) to commercially exploit data under the current General Data Protection Regulation (GDPR).

The decision: no evidence, no processing

The DPA's Litigation Chamber ruled scathingly against Infobel's practices. The DPA found that Infobel violated Article 5.1.a (lawfulness), Article 6 (legal basis) and Article 24 (accountability) of the GDPR.

The main pillars of the decision are:

• Invalid consent: The DPA ruled that so-called consent through the operator's terms and conditions did not suffice. The terms and conditions employed an “opt-out” system (customers had to ask not to be listed), which under the GDPR does not count as an unambiguous active act.
• Lack of Information: The complainant was never informed that specifically Infobel would process his data. For informed consent, the identity of the data controller must be known.
• Accountability: Infobel itself could not produce any document demonstrating the complainant's expression of will. Merely referring to contracts with the supplier (Z4) does not relieve the data broker of the obligation to prove the validity of the consent itself. Since the data transfer predated the GDPR (2006), full responsibility for the current use lies with the party now exploiting the data (Infobel), and not with the original source.

The DPA imposed an administrative fine of 40,000 euros on Infobel and ordered the removal of the unlawfully processed data, as well as notification of this decision to all parties who had purchased the data.

Legal analysis and interpretation

This decision confirms and strengthens the case law surrounding the quality of consent in the GDPR era. It marks the definitive end of the era when companies could rely on “dormant” data collected under pre-GDPR law, where silence was often interpreted as consent.

The criteria for consent

The DPA strictly applies the four cumulative conditions for consent, as defined in Article 4.11 GDPR and clarified in the guidelines of the European Data Protection Board (EDPB):

1. Free: Consent should not be tied to the performance of a contract if it is not necessary. In this case, the marketing consent was intertwined with the telephone contract.
2. Specifically: A general permission for “commercialization” in general terms and conditions is insufficient. There must be specific permission for resale to third parties such as Infobel.
3. Informed: The data subject must know who is processing the data. If the name of the data broker is not in the original notification, the consent is invalid.
4. Unambiguous: Silence, pre-ticked boxes or failure to opt-out do not constitute legally valid consent.

The data broker's active duty of inquiry

Legally, the most interesting aspect is the interpretation of Article 24 GDPR. The DPA states that a data controller (in this case, the buyer of the data) has an independent burden of proof. One cannot hide behind guarantees in a B2B contract with the supplier. This means that any organization purchasing external databases must perform due diligence on the origin of the consent (the ‘opt-in’ evidence). If this evidence is missing, then the processing is unlawful.

The DPA also refers to the Proximus ruling of the Court of Justice (C-129/21), which already ruled that consent for publication in a telephone directory does not automatically apply to other commercial purposes.

What this specifically means

This decision has implications for various parties in the economy:

• For consumers: You have more control than you think. If you receive marketing from companies you do not know, it is not enough that they refer to an “affiliate.” They must prove that you specifically gave permission to them. You can successfully demand the deletion of your data as well as ask who your data was sold to.
• For data brokers and marketing agencies: The business model of buying and selling databases without hard ‘opt-in’ evidence has become untenable. Note that databrokering in itself is not illegal, but the lack of this evidence is problematic. You risk not only fines, but also orders to destroy your database. You must proactively verify that the individuals in your purchased files meet AVG standards, regardless of what your vendor contractually promises.
• For companies that collect data (such as telecom): General terms stating that data may be “commercialized” are legally worthless for resale to third parties if no specific, granular opt-in is provided.

Frequently Asked Questions (FAQ)

May a company resell my data for marketing?

No, not just like that. Under the GDPR, this requires your free, specific, informed and unambiguous consent. You must have explicitly said ‘yes’ to the resale to that specific party or category of parties.

Is an ‘opt-out’ system valid under the GDPR?

No. The system that requires you to take action to not receive advertising (e.g., “uncheck this box if you don't want a newsletter”) is prohibited. Consent requires an active action by the user (opt-in).

What if I gave ‘consent’ via terms and conditions years ago?

That consent is probably no longer valid. If the consent was not specific at the time or was ‘hidden’ in a contract, it does not meet current GDPR requirements. Companies should re-evaluate old consents and renew if necessary.

Conclusion

The decision against Infobel makes it clear that the DPA takes strict action against the trading of personal data without a solid legal basis. Accountability weighs heavily: anyone processing data must be able to prove consent. “We bought the data in good faith” is no longer a valid defense.