GDPR and DPDP compliance

A plain-English walkthrough of what compliance means for prospiq users in Europe and India.

Last updated May 11, 2026

GDPR (Europe) and DPDP (India) are the two data protection regimes most prospiq customers ask about. This article explains how prospiq operates under each, and — more importantly — what your obligations are as a customer doing outreach.

What GDPR and DPDP actually require

Both laws share the same broad shape:

  • Lawful basis for processing. You need a defensible reason to handle personal data.
  • Purpose limitation. Use the data only for what you said you'd use it for.
  • Data minimization. Don't hold more than you need.
  • Accuracy. Keep data accurate and up to date.
  • Storage limitation. Don't keep it longer than necessary.
  • Security. Protect it appropriately.
  • Accountability. Be able to show you're doing the above.

The mechanics differ between the two laws, but the principles are similar enough that complying with one mostly gets you compliance with the other.

prospiq's role

prospiq is a data processor for the contact data we deliver to you, with characteristics of a data controller for our own collection and verification activities. In plain language:

  • We control how we source and verify B2B contact data, under the legitimate-interests basis described in How prospiq sources contact data.
  • When you use prospiq to look up contacts, you become the data controller for what you do with that data. We process it on your behalf.

The Data Processing Agreement on our site formalizes this relationship and is automatically in force when you become a paying customer.

Your role as a customer

The most important thing to understand: prospiq returning a contact does not authorize you to send them anything. It identifies a verified business contact. What happens next is governed by your own lawful basis, not ours.

For most B2B outbound, your lawful basis is also legitimate interests — you have a genuine business reason to reach out, the recipient would reasonably expect contact in their professional capacity, and the impact on them is minimal. This basis has to be documented and balanced; you can't just assert it without thought.

A non-exhaustive list of things you should have in place:

  • A documented legitimate-interests assessment if you're contacting anyone in the EU/UK
  • An honest reason for the outreach that the recipient would recognize as legitimate
  • A clear, working opt-out path in every message — and a system that actually honors opt-outs going forward
  • Compliance with marketing law for the specific countries you're contacting into (CAN-SPAM in the US, PECR in the UK, etc. — these are separate from GDPR/DPDP)

Specific things people get wrong

Treating prospiq as your lawful basis

It isn't. prospiq's lawful basis covers how we collect and process. It doesn't cover what you do with the data afterward.

Confusing B2B contact data with consent

GDPR's "consent" basis is rarely the right one for cold outbound. Legitimate interests is. They're different — consent requires affirmative opt-in, legitimate interests requires balancing tests and minimal impact. Get this distinction right with your legal advisor.

Ignoring jurisdiction-specific marketing law

GDPR governs personal data processing. Anti-spam laws govern marketing messages. They overlap but aren't identical. A perfectly GDPR-compliant cold email can still violate CAN-SPAM if it lacks a physical mailing address. Make sure you're checking both.

Forgetting that opt-outs are forever

If a recipient opts out, the obligation to stop contacting them survives indefinitely. You need a suppression list that persists across campaigns, tools, and team members. If you fire your SDR and they walk off with the list, you're still on the hook.

What we provide to help

  • A signed DPA at no extra cost
  • An opt-out mechanism that suppresses individuals from our enrichment results going forward
  • Data residency in Singapore (AWS ap-southeast-1) — see Where your data lives
  • Standard contractual clauses for international transfers in our DPA
  • Documentation of our sources, retention, and security practices

What we can't do for you

  • We can't be your DPO or appointed representative
  • We can't give legal advice on whether your specific outreach is compliant
  • We can't sign individual contract addenda that contradict our DPA — talk to us if you have specific clauses you need

For complicated cases, talk to a privacy lawyer. We can refer you if you don't have one.

Related articles

How prospiq sources contact data

Where our data comes from, what makes it lawful to process, and what we never do.

Opt-out requests

How a person can ask to be excluded from prospiq's enrichment results, and how we handle the request.

Where your data lives

Singapore data center, encryption in transit and at rest, and what we keep separate from product systems.
