GDPR Legitimate Interest
Legal basis for the entire enrichment pipeline: GDPR Article 6(1)(f) — legitimate interests.
Source: docs/SYSTEM_OVERVIEW.md § GDPR.
Why it applies
- Data is corporate registry information, not consumer data.
- Individuals appear in their professional capacity (managing director/VD, board members, contact persons).
- All source data is publicly available because Swedish law mandates publication for company registration.
The Bisnode case (Poland, 2019, €220K)
Bisnode collected publicly available named contacts and was fined for relying solely on a privacy policy page to satisfy GDPR Article 14. The decision established:
- A privacy policy page is not sufficient notification.
- Article 14 requires proactive notification within one month of collection when personal data is collected from a source other than the data subject.
Implications for DBPOC
- We must notify each collected contact within one month — see Article 14.
- Notification must fire at collection, not at export.
- Opt-out and erasure requests must be honoured — see Opt-Out Hashes.
- Every processing decision must be logged — see RoPA Log.
Warning
The current implementation fires Article 14 notifications at export time, not at collection time. This is listed as P0 in Known Issues.
See also
Article 14, Reklamspärr, RoPA Log, Opt-Out Hashes, Known Issues.