Why compliance matters
Company data from public registers (CEIDG, KRS, REGON) is publicly available, but further use — especially in cold outreach and B2B marketing — is governed by GDPR, the Act on Providing Services by Electronic Means, and the Electronic Communications Law. Violations can result in fines of up to EUR 20 million or 4% of annual turnover.
GDPR and company data — the key distinction
GDPR protects personal data of natural persons, not companies as such. However:
- Data of sole proprietorships (JDG) is personal data — fully protected by GDPR
- Data of companies (LLC, JSC) is NOT personal data — GDPR does not protect it
- BUT: contact details (email, phone) often contain employees’ personal data (e.g. jan.kowalski@firma.pl)
- CEIDG data includes the owner’s first and last name — that is personal data
B2B cold email — what is legal
Sending emails to businesses (B2B) differs from sending to consumers (B2C):
- Emails to generic business addresses (e.g. kontakt@firma.pl) — lawful on the basis of legitimate interest (Art. 6(1)(f) GDPR), provided the content relates to the company’s business activity
- Emails to personal addresses (jan.kowalski@firma.pl) — may require prior consent if the address contains personal data
- Every email MUST include: (1) who is sending, (2) a GDPR clause, (3) an easy opt-out
- The Act on Providing Services by Electronic Means requires consent for sending “commercial information” — the definition is broad
- Recommendation: always add an “Unsubscribe” link and do not email people who have previously objected
B2B cold calling — the rules
Calling businesses is also regulated:
- The Electronic Communications Law requires consent for using “automatic calling systems”
- Manual calls to businesses are generally permitted on the basis of legitimate interest
- BUT: if you call private numbers (sole proprietors’ mobile phones) — verify whether the number is a business line
- Every call should start with: where you got the number, the purpose of the call, and the option to opt out
Information obligation
On first contact with a person whose data you obtained from the database, you must fulfil the information obligation (Art. 14 GDPR). You should provide:
- Who is the controller (you / your company)
- Purpose of processing (e.g. B2B marketing, commercial offer)
- Source of data (Polish Company Databases → CEIDG/KRS/REGON)
- Categories of data (first name, last name, email, phone, tax ID)
- Retention period (e.g. until objection or end of campaign)
- Rights: access, rectification, erasure, objection, complaint to the supervisory authority
- Best done in the first email or at the start of a phone call
Record of processing activities
If you regularly conduct marketing using personal data from the database, you should maintain a record of processing activities (Art. 30 GDPR). The record should include:
- Name and contact details of the controller (your company)
- Purposes of processing (e.g. B2B marketing)
- Categories of data subjects and data (entrepreneurs, contact details)
- Categories of recipients (e.g. sales team, CRM)
- Planned data deletion deadlines
- General description of technical safeguards
Opt-out and objection
Every person has the right to object to the processing of their data (Art. 21 GDPR). If you receive an objection:
- You must immediately stop processing that person’s data
- You must delete their data from your systems (unless you have an overriding legitimate interest)
- You cannot re-add that person to the database on a subsequent purchase
- We recommend maintaining your own opt-out list (a separate CSV file with emails/phones that objected)
How to use safely — our recommendations
- Always check whether you are emailing a sole proprietorship (personal data) or a company (business data) — CEIDG → always GDPR, KRS → depends on context
- Send small batches of 1–2 emails instead of mass campaigns — 1:1 cold outreach is legally safer than mass spam
- Maintain your own opt-out list and sync it with every new database purchase
- Use a professional email template: business purpose + GDPR clause + opt-out option
- Consider consulting a lawyer before launching a large campaign (over 1,000 emails)
- Document your actions — in case of an inspection you must show you acted in compliance with the law
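As an added illustration, not code from this vendor or its product, the following Python script applies the opt-out list from the "Opt-out and objection" section to a new database purchase and flags the rows the recommendations above say need a closer look (CEIDG entries and non-generic addresses). The CSV layouts, sample rows and the list of generic mailbox names are constructed assumptions.

```python
import csv
import io
import re

# Constructed sample opt-out list: contacts that objected under Art. 21 GDPR.
OPT_OUT_CSV = """email,phone
Jan.Kowalski@firma.pl,
,+48 600 100 200
"""

# Constructed sample of a newly purchased export (assumed column names, not real register data).
PURCHASE_CSV = """register,name,email,phone
CEIDG,Jan Kowalski Uslugi,jan.kowalski@firma.pl,+48600100200
KRS,Firma Sp. z o.o.,kontakt@firma.pl,+48 22 123 45 67
KRS,Inna S.A.,anna.nowak@inna.pl,+48600100200
CEIDG,Anna Nowak,kontakt@nowak.pl,+48 501 000 111
"""

# Assumed set of generic mailbox names treated as company (not employee) addresses.
GENERIC_LOCAL_PARTS = {"kontakt", "biuro", "info", "office", "sekretariat"}

def norm_email(value):
    return value.strip().lower()

def norm_phone(value):
    # Keep digits only so "+48 600 100 200" and "+48600100200" match.
    return re.sub(r"\D", "", value)

def load_opt_out(text):
    emails, phones = set(), set()
    for row in csv.DictReader(io.StringIO(text)):
        if row.get("email"):
            emails.add(norm_email(row["email"]))
        if row.get("phone"):
            phones.add(norm_phone(row["phone"]))
    return emails, phones

def classify(row):
    """Flag rows that need a personal-data or consent check before outreach."""
    flags = []
    if row["register"].upper() == "CEIDG":
        flags.append("sole_proprietor_personal_data")
    local = norm_email(row["email"]).split("@")[0]
    if local and local not in GENERIC_LOCAL_PARTS:
        flags.append("personal_address_check_consent")
    return flags

def apply_opt_out(purchase_text, opt_out_text):
    """Drop objected contacts (by email or phone) and flag the rest."""
    emails, phones = load_opt_out(opt_out_text)
    kept, suppressed = [], []
    for row in csv.DictReader(io.StringIO(purchase_text)):
        if norm_email(row["email"]) in emails or norm_phone(row["phone"]) in phones:
            suppressed.append(row["name"])
            continue
        row["flags"] = classify(row)
        kept.append(row)
    return kept, suppressed
```

Run `apply_opt_out` on every new purchase before the data reaches the CRM, so an objection recorded once keeps a contact out of later campaigns regardless of how the phone or email is formatted in the new file.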
Liability
Polish Company Databases provides data from public registers. We are not liable for how it is used. Every buyer becomes a data controller after purchase and bears full responsibility for compliance of their activities with GDPR, the Electronic Communications Law, and the Act on Providing Services by Electronic Means. It is up to you to decide how to use the database lawfully.