What are data-broker transparency requirements under GDPR?

GDPR imposes specific obligations on data brokers and those who use their services.

Data broker obligations:

Right to be informed: Individuals must be told their data is being processed, by whom, and for what purpose

Source disclosure: Data subjects can request where their data came from

Lawful basis: Brokers need legal grounds for collecting and selling data

Access rights: Individuals can request copies of data held about them

Deletion rights: Individuals can request erasure under certain conditions

Your obligations when using broker data:

Inform recipients at first contact (or within 30 days) that you have their data

Explain where you got it and why you're contacting them

Provide privacy notice and contact details

Respond to access and deletion requests

Conduct your own lawful basis assessment

Practical implication: Simply buying data doesn't transfer compliance responsibility. You become a data controller with your own obligations. Due diligence on broker practices is essential, not optional.