May my supplier use my data for "market research"?
Only if the data is irreversibly anonymised, or with separate explicit consent. "Anonymising" through pseudonymisation or aggregates often still falls under the GDPR. Raw customer data: never.
Market research is a new purpose, so it requires a separate legal basis (GDPR Art. 5(1)(b) + Art. 6). Three scenarios:

(1) Fully anonymised (k-anonymity, differential privacy, no re-identification possible) → GDPR not applicable. Here the supplier can freely sell aggregates and publish benchmarks.
(2) Pseudonymised (customer ID replaced by a token) → GDPR APPLIES. This is not "anonymous"; it is personal data processing that needs a legal basis.
(3) Raw customer data → explicit consent required + separate registration.

What is NOT real anonymisation? "We omit name + address": the combination of other fields (DoB + postal code + gender) is a unique identifier in 87% of cases (Sweeney 2002).

Tip for customers: if you suspect unlawful market-research use, file a GDPR Art. 15 access request with the supplier and specifically ask "for which research purposes has my data been used + which other parties received data?". No solid answer = GDPR breach. An AP complaint is possible.

For suppliers: never use raw customer data without consent. Synthetic data + differential privacy are better.

For market-research firms (Kantar, Ipsos, GfK): they have their own consent flow + a DPA with the commissioner.

2024-2025: NOYB complaints against multiple data-broker network aggregators for an unlawful cross-business data pool.
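An added example (not part of the original page): a k-anonymity check over the quasi-identifiers named above, run on a constructed export from which name and address have already been removed. The records, column names and the generalisation rule are assumptions for illustration.

```python
from collections import Counter

# Constructed sample export: name and address already omitted.
RECORDS = [
    {"dob": "1984-03-12", "postal_code": "1012AB", "gender": "F", "spend": 420},
    {"dob": "1984-07-30", "postal_code": "1012CD", "gender": "F", "spend": 130},
    {"dob": "1984-11-02", "postal_code": "1013XK", "gender": "F", "spend": 75},
    {"dob": "1991-01-19", "postal_code": "3511EP", "gender": "M", "spend": 610},
    {"dob": "1991-05-08", "postal_code": "3512JR", "gender": "M", "spend": 55},
    {"dob": "1991-09-23", "postal_code": "3511BT", "gender": "M", "spend": 240},
]
QUASI_IDENTIFIERS = ("dob", "postal_code", "gender")


def group_sizes(records, columns):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[c] for c in columns) for r in records)


def k_of(records, columns):
    """k-anonymity level: size of the smallest group (k = 1 means someone is unique)."""
    return min(group_sizes(records, columns).values())


def unique_fraction(records, columns):
    """Share of records that are the only one with their combination of values."""
    sizes = group_sizes(records, columns)
    singles = sum(1 for r in records if sizes[tuple(r[c] for c in columns)] == 1)
    return singles / len(records)


def generalise(record):
    """Coarsen quasi-identifiers (assumed rule): birth year only, first 2 postal digits."""
    out = dict(record)
    out["dob"] = record["dob"][:4]
    out["postal_code"] = record["postal_code"][:2]
    return out


if __name__ == "__main__":
    coarse = [generalise(r) for r in RECORDS]
    for label, rows in (("name/address omitted", RECORDS), ("generalised", coarse)):
        print(label, "k =", k_of(rows, QUASI_IDENTIFIERS),
              "unique =", unique_fraction(rows, QUASI_IDENTIFIERS))
```

A k above 1 is a necessary check, not proof of anonymisation: the export must also resist linkage with other datasets the recipient may hold.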