Article Index
Complete catalog of all Knowledge Base articles. Articles are TypeScript modules exporting KBArticle objects, organized by category.
b2b-enrichment/
Legitimate Interest as Legal Basis (legitimate-interest.ts)
| Field | Value |
|---|---|
| ID | b2b-enrichment-legitimate-interest |
| Title | Legitimate Interest as Legal Basis for B2B Data Enrichment (Art. 6(1)(f)) |
| Applicability | 🇪🇺 EU |
| Last Updated | 2025-01-15 |
Key Points:
- Deep analysis of the three-part legitimate interest test: Purpose, Necessity, Balancing
- B2B professional context reduces privacy expectations (strongest factor favoring LI)
- Public registry data (Bolagsverket, SCB) easily passes necessity test
- Industry comparators: Bisnode, Dun & Bradstreet, LinkedIn Sales Navigator
- Clear red lines where LI fails: biometric data, location tracking, inference of special categories
- References Clearview AI enforcement (€100M+ in fines across EU) as the canonical failure case
Legal References:
- GDPR Art. 6(1)(f), Recital 47
- EDPB Guidelines 06/2020
- WP29 Opinion 06/2014
- UODO Bisnode decision (ZSPR.421.2.2019, 2019)
- Clearview AI: CNIL MED-2022-001, ICO UKN_532498
Article 14 Notification Obligations (art14-obligations.ts)
| Field | Value |
|---|---|
| ID | b2b-enrichment-art14-obligations |
| Title | Article 14 Notification Obligations for Enriched Contacts |
| Applicability | 🇪🇺 EU |
| Last Updated | 2025-01-15 |
Key Points:
- Art. 14 applies to virtually all B2B enrichment data (indirect collection)
- Nine mandatory disclosure items must be provided to data subjects
- Timing: within one month of collection, or at first communication, or before disclosure — whichever is earliest
- The Bisnode case (UODO Poland, 2019) established that the Art. 14(5)(b) “disproportionate effort” exemption is narrow — if you have email addresses, you must use them
- Practical notification email format and content requirements
- Deduplication, bounce handling, and logging requirements
Legal References:
- GDPR Art. 12, 14, 14(5)(b), 21
- EDPB Guidelines 2/2018 on Transparency
- UODO Decision ZSPR.421.2.2019 (Bisnode Poland)
- IMY Guidance on Art. 14 Obligations
Data Minimisation and Purpose Limitation (data-minimization.ts)
| Field | Value |
|---|---|
| ID | b2b-enrichment-data-minimization |
| Title | Data Minimisation and Purpose Limitation in B2B Enrichment (Art. 5(1)(b) and 5(1)(c)) |
| Applicability | 🇪🇺 EU |
| Last Updated | 2025-01-15 |
Key Points:
- Five data tiers analyzed for minimisation:
  - Tier 0 (Registry data): Clearly necessary — public by Swedish law
  - Tier 1 (Validation scores): Low risk derived data
  - Tier 2 (Digital footprint): Borderline — watch sole traders and social media linkage
  - Tier 3 (Contact data): Most sensitive — strict field/role/source limitation required
  - Tier 4 (Market intelligence): Highest aggregation risk — LinkedIn + news mentions create professional dossiers
- The “aggregation problem”: combining innocuous data points creates intrusive profiles
- Purpose limitation: derived scores must not be repurposed for credit risk or pricing
Legal References:
- GDPR Art. 5(1)(b), 5(1)(c), 9, 25
- EDPB Guidelines on Automated Decision-Making (WP251)
- WP29 Opinion 06/2014
- Aktiebolagslagen (2005:551)
- IMY Guidance on Data Minimisation
Retention Periods (retention-limits.ts)
| Field | Value |
|---|---|
| ID | b2b-enrichment-retention-limits |
| Title | Retention Periods for B2B Enrichment Data |
| Applicability | 🇪🇺 EU |
| Last Updated | 2025-01-15 |
Key Points:
- Registry data: Quarterly refresh; delete if not refreshed within 6 months
- Contact data (Tier 3): 12–24 months from last verification; 12 months default, 24 months only with active engagement
- RoPA logs: Minimum 3 years
- Opt-out hashes: Indefinite retention (legally required to prevent re-processing)
- Art. 14 notification logs: 3 years
- Automated retention enforcement is mandatory — IMY requires technical implementation, not just policy
- BullMQ cron job pattern for scheduled deletion with audit trail
Legal References:
- GDPR Art. 5(1)(e), 17, 21, 30
- EDPB Guidelines 2/2018
- IMY Retention Guidance
- Handelsregisterlagen (1974:157)
gdpr/
Article 6 — Legal Bases (article-6.ts)
| Field | Value |
|---|---|
| ID | gdpr/article-6 |
| Title | GDPR Article 6: Legal Bases for Processing — Deep Dive for B2B Enrichment |
| Applicability | 🇪🇺 EU |
| Last Updated | 2025-01-15 |
Key Points:
- Exhaustive analysis of all six legal bases with focus on why consent fails for B2B enrichment at scale
- Contract basis (Art. 6(1)(b)) only applies where the natural person is the contractual counterparty
- Legitimate interest (Art. 6(1)(f)) is the only practical basis — requires documented three-part test
- EDPB Guidelines 06/2020 (draft 2024) clarify LI must be “real and present,” not hypothetical
- IMY’s 2025 written LIA requirement: absence of documented LIA is treated as evidence of inadequate compliance
- Red flags that cause LI to fail: no LIA, Art. 9 data, no opt-out, bulk resale without purpose limitation
Legal References:
- GDPR Art. 4(11), 5(1)(a), 6(1), 7, 9, 21
- EDPB Guidelines 06/2020, 05/2020, 02/2019
- UODO Bisnode decision (ZSOŚS.440.748.2019)
- IMY Guidance on Legitimate Interest
Articles 13 and 14 — Transparency (article-13-14.ts)
| Field | Value |
|---|---|
| ID | gdpr/article-13-14 |
| Title | GDPR Articles 13 and 14: Transparency Obligations for Data Enrichment Platforms |
| Applicability | 🇪🇺 EU |
| Last Updated | 2025-01-15 |
Key Points:
- Core distinction: Art. 13 = direct collection; Art. 14 = indirect collection (enrichment scenario)
- Nine mandatory disclosure items under Art. 14(1) and 14(2)
- Three timing triggers under Art. 14(3): one-month rule, first communication, first disclosure
- Bisnode case (UODO, 2019): 6.4M records, ordered to notify 5.7M people individually, fined for claiming disproportionate effort
- Practical Art. 14 notification email template with all required elements
- RoPA, LIA, and Art. 14 notice must be consistent — inconsistency is a compliance failure
Legal References:
- GDPR Art. 12, 13, 14, 14(5)(b), 30
- UODO Decision ZSOŚS.440.748.2019
- EDPB Guidelines 01/2022, WP260
- IMY Guidance on Articles 13 and 14
Article 30 — Records of Processing Activities (article-30.ts)
| Field | Value |
|---|---|
| ID | gdpr/article-30 |
| Title | GDPR Article 30: Records of Processing Activities (RoPA) for B2B Enrichment |
| Applicability | 🇪🇺 EU |
| Last Updated | 2025-01-15 |
Key Points:
- Art. 30(5) exception (under 250 employees) does not apply to enrichment platforms — three conditions all fail
- Model RoPA structure with 5 example activities: Bolagsverket ingestion, website scraping, data export, opt-out register, client account management
- Electronic RoPA must be version-controlled, linked to LIA/privacy notice, with named owners
- IMY requests RoPA first in audits — incomplete RoPA is an immediate compliance finding
- Processor RoPA (Art. 30(2)) is separate from controller RoPA
Legal References:
- GDPR Art. 5(2), 30, 33
- IMY RoPA Guidance
- CNIL Practical Guide
- EDPB Accountability and Governance Guidelines
GDPR Overview (overview.ts)
| Field | Value |
|---|---|
| ID | gdpr/overview |
| Title | GDPR Overview: Scope, Definitions, and Application to B2B Data Enrichment |
| Applicability | 🇪🇺 EU |
| Last Updated | 2025-01-15 |
Key Points:
- Territorial scope: establishment principle (Art. 3(1)) applies to Swedish-domiciled platforms
- Personal data definition (Art. 4(1)): captures sole traders, named directors, direct-dial business contacts
- Recital 14: Legal entities are NOT data subjects — company name, org nr, SNI codes fall outside GDPR
- Six legal bases overview table with applicability to enrichment
- Data subject rights most relevant to enrichment: access (Art. 15), erasure (Art. 17), objection (Art. 21)
- IMY fine regime: up to €20M or 4% of worldwide turnover for serious infringements
- Dataskyddslagen national adaptations: personnummer restriction, freedom of expression carve-outs
Legal References:
- GDPR Recital 1, 4, 14; Art. 1–4, 6, 12–22, 51, 58, 83
- Dataskyddslagen (2018:218)
- IMY Guidance on Personal Data
enforcement/
IMY Decisions (imy-decisions.ts)
| Field | Value |
|---|---|
| ID | enforcement-imy-decisions |
| Title | Swedish IMY: Structure, Enforcement Powers, and Key Decisions (2019–2025) |
| Applicability | 🇸🇪 Sweden |
| Last Updated | 2025-01-15 |
Key Points:
- IMY enforcement powers under Art. 58: audits, warnings, reprimands, processing bans, fines up to €20M/4%
- Key decisions timeline:
  - 2020: Google — SEK 75M (~€7M) for Art. 17 de-listing failures
  - 2021: Healthcare analytics — SEK 16M total for Art. 9/28 violations
  - 2022: Klarna — SEK 7.5M for Art. 13 transparency failures
  - 2024: Recruiting companies — SEK 2.1M and 3.4M for minimisation and transparency failures
- 2025 Written LIA Requirement: IMY requires documented, activity-specific LIAs with 7 minimum elements
- Investigation procedure: “begäran om yttrande” (request for statement) → 30-day response → assessment → draft decision
- Current priorities: AI/automated decision-making, cookie consent, data broker sector, DPAs, international transfers
- Cooperation with IMY reduces fines; obstruction is an aggravating factor
Legal References:
- GDPR Art. 51, 56, 57, 58, 60, 77, 83
- Lag (2018:218)
- Förvaltningslagen (2017:900)
- IMY Annual Reports 2019–2024
swedish-law/
Bolagsverket (bolagsverket.ts)
| Field | Value |
|---|---|
| ID | swedish-law/bolagsverket |
| Title | Bolagsverket: Public Registry Data, Bulk Access, and Lawful Enrichment Use |
| Applicability | 🇸🇪 Sweden |
| Last Updated | 2025-01-15 |
Key Points:
- Bolagsverket maintains registries for AB, HB, KB, enskild firma, filial, stiftelser, SE, SCE
- Public access principle (Tryckfrihetsförordningen 2 kap.) makes most registered documents public
- Permissible fields: org nr, company name, address, SNI codes, status, board names, VD, signatories, annual reports
- Personnummer restriction: Full personnummer not in standard FTF bulk feed; Dataskyddslagen Ch. 3 § 10 requires “clearly justified” reason
- FTF bulk data terms: require current data, prohibit raw redistribution, allow value-added products
- SNI codes are legal entity metadata — entirely outside GDPR scope
- Six-step lawful use framework: obtain legitimately → separate entity/personal data → apply GDPR basis → exclude personnummer → maintain accuracy → document in RoPA
Legal References:
- Aktiebolagslagen (2005:551)
- Handelsregisterlagen (1974:157)
- Tryckfrihetsförordningen 2 kap.
- Bolagsverket FTF Terms
- Lag om registrering av verkliga huvudmän (2017:631)
- SCB SNI 2007 (NACE Rev. 2)
Dataskyddslagen (dataskyddslagen.ts)
| Field | Value |
|---|---|
| ID | swedish-law/dataskyddslagen |
| Title | Dataskyddslagen (2018:218): Sweden’s National GDPR Supplement |
| Applicability | 🇸🇪 Sweden |
| Last Updated | 2025-01-15 |
Key Points:
- Supplementary law exercising Member State derogations under Arts 6(2), 9(4), Chapter IX
- Personnummer (Ch. 3 § 10): may only be processed when “clearly justified” by purpose, identification necessity, or weighty reason
- Freedom of expression (Ch. 4): extraordinarily broad exemption for journalistic/academic/artistic/literary purposes — but commercial enrichment cannot claim it
- Criminal record data (Ch. 3 §§ 5–9): prohibited for commercial enrichment; civil/regulatory sanctions in public records are distinguishable
- IMY procedural powers: on-site inspections, binding orders, administrative fees (sanktionsavgifter)
- Adjacent laws: Kreditupplysningslagen (credit reporting), Marknadsföringslagen (marketing transparency)
- Offentlighetsprincipen enables collection but does not override GDPR for commercial processing
Legal References:
- Dataskyddslagen (2018:218)
- Tryckfrihetsförordningen (1949:105)
- Yttrandefrihetsgrundlagen
- Kreditupplysningslagen (1973:1173)
- Marknadsföringslagen (2008:486)
- IMY Guidance on Personnummer
Legacy Articles (kb/index.ts)
The legacy article registry (src/kb/index.ts) contains 10 additional articles that provide complementary coverage:
| ID | Title | Category | Applicability |
|---|---|---|---|
| gdpr/article-6 | GDPR Article 6 — Lawfulness of Processing | gdpr | 🇪🇺 EU |
| gdpr/article-14 | GDPR Article 14 — Transparency for Indirectly Obtained Data | gdpr | 🇪🇺 EU |
| gdpr/article-17 | GDPR Article 17 — Right to Erasure | gdpr | 🇪🇺 EU |
| swedish-law/dataskyddslagen | The Swedish Data Protection Act (Dataskyddslagen) | swedish-law | 🇸🇪 Sweden |
| swedish-law/imy-supervision | IMY — The Swedish Data Protection Authority | swedish-law | 🇸🇪 Sweden |
| b2b-enrichment/legitimate-interest-assessment | Conducting a Legitimate Interest Assessment (LIA) | b2b-enrichment | 🇸🇪 Sweden |
| b2b-enrichment/data-sources | Permissible Data Sources for Swedish B2B Enrichment | b2b-enrichment | 🇸🇪 Sweden |
| enforcement/imy-fines-2023-2024 | IMY Enforcement Actions 2023–2024: Key Decisions | enforcement | 🇸🇪 Sweden |
| templates/art14-notice | Template: Article 14 Notification Email | templates | 🇸🇪 Sweden |
| templates/dpa-template | Template: Data Processing Agreement (DPA) | templates | 🇪🇺 EU |
Citation Credibility Tiers
All citations in KB articles are tagged with a credibility tier:
| Tier | Score | Color | Examples |
|---|---|---|---|
| authoritative | 95 | Green | IMY, EDPB, EUR-Lex, Riksdagen, Bolagsverket, SCB |
| official | 78 | Blue | Europa.eu, UODO, Garante, CNIL, ICO |
| practitioner | 62 | Amber | GDPR.eu, gdprhub.eu, law.cornell.edu, SSRN |
| uncertain | 15–42 | Red | Reuters, FT, BBC, SVT, tech blogs |
See src/lib/credibility.ts for the full domain scoring logic.