What is covered
Two live articles in KB/src/kb/index.ts plus four unwired draft deep-dive modules. This category is the most operationally relevant content for the DBPOC enrichment pipeline.
Live articles
b2b-enrichment/legitimate-interest-assessment — LIA Walkthrough
KB/src/kb/index.ts:235–293. Step-by-step LIA walkthrough: why you need one (Art. 5(2) accountability), the three-part test in B2B context, factors that favour vs. require caution (sole traders are flagged), documentation requirements. Cites ICO LI guidance + EDPB Art. 15 guidelines.
b2b-enrichment/data-sources — Permissible Sources
KB/src/kb/index.ts:294–345. Legal status of each source DBPOC actually touches: Bolagsverket (public by law), SCB (statistical-purpose restrictions), LinkedIn (ToS prohibits scraping but public profile data still processable with Art. 14 compliance), website scraping (respect robots.txt). Cites Bolagsverket and SCB open-data terms.
Unwired drafts
legitimate-interest.ts
KB/src/kb/b2b-enrichment/legitimate-interest.ts. Deep treatment (~135 lines, 6 sections). Adds: Recital 47 deconstruction, industry comparators (Bisnode, Dun & Bradstreet, LinkedIn Sales Navigator), and Clearview AI red-line analysis (CNIL/Garante/Greek DPA/ICO 2021–22) as the worked example of when LI categorically fails. Broken import ("../../types").
data-minimization.ts
KB/src/kb/b2b-enrichment/data-minimization.ts (~120 lines, 7 sections). Maps DBPOC’s enrichment to five tiers:
- Tier 0: Registry data (Bolagsverket/SCB) — clearly necessary
- Tier 1: Validation/confidence scores — derived, low risk
- Tier 2: Digital footprint (domain, tech stack, web presence) — borderline; sole-trader edge case
- Tier 3: Contact data (names, emails, phones) — strict role + field limitation
- Tier 4: Market intelligence (LinkedIn dossier, news mentions) — aggregation problem
Plus a section on the aggregation problem itself (Clearview pattern). Broken import.
art14-obligations.ts
KB/src/kb/b2b-enrichment/art14-obligations.ts (~115 lines, 6 sections). Practical Art. 14 implementation for an enrichment pipeline: the nine disclosure items in operational language, BullMQ-queue notification design pattern (D+28 deadline), Bisnode case lesson on Art. 14(5)(b), email content/format requirements (subject line not marketing-style, opt-out prominent, dual-language), and deduplication/bounce/logging. Directly applicable to fixing the Article 14 timing bug. Broken import.
retention-limits.ts
KB/src/kb/b2b-enrichment/retention-limits.ts (~120 lines, 7 sections). Concrete retention periods per data category:
| Category | Period | Rationale |
|---|---|---|
| Registry data (Tier 0) | 90-day refresh, 180-day flag | Bolagsverket churn |
| Contact data (Tier 3) | 12 months from last verification | ~25–30% annual decay |
| RoPA logs | 3 years from end of activity | Swedish admin limitation period |
| Opt-out hashes | indefinite | Re-collection prevention |
| Art. 14 notification logs | 3 years | Accountability evidence |
Includes a BullMQ implementation sketch for automated deletion. Broken import.
Cross-references
- GDPR Legitimate Interest — production-side framing.
- Article 14 — production gap (notification fires at export, not collection).
- Lead Scoring — Tier 1 confidence score concept maps to scoring rubric.
- Crawlee Scraper — Tier 2/3 collection mechanism.
See also
KB Content Index, KB GDPR Articles, KB IMY Decisions, Article 14, GDPR Legitimate Interest.