My data was sold to a third party — what now?
Selling requires explicit consent + transparency. Access at original + erasure at third party + AP complaint. Fines up to 4% turnover.
Selling personal data is a separate processing — requires explicit consent specifically given for transfer to third party. Hidden in general terms = no valid consent. How to discover? Unknown ads in mailbox or phone, "you may be interested in..." in a service you never visited, BKR / credit registry mention without original application. Routes: (1) Access at original business (Art. 15) — explicitly ask "to which parties has my data been transferred or sold, and on which basis?". (2) Erasure at every third party (Art. 17) — if transfer without basis = unlawful processing. (3) AP complaint — data sharing without basis is one of the most serious GDPR breaches, fines Art. 83(5) up to €20m / 4%. (4) Damages claim Art. 82 — since CJEU 2023-2024 (UI v Österreichische Post) also stress + loss of control = damage. Typical amounts €500-€2,500. Notorious cases 2023-2025: energy companies, telcos, and data brokers in NL have sold hundreds of thousands of customer records without valid consent — multiple AP fines >€500k.
Step by step
Access at original business
Specifically ask: "to which parties + basis". generator.
Erasure request at each third party
letter generator per third party.
AP complaint
Data sale without basis = heaviest GDPR category.
Damages claim Art. 82
On harm civil court. CJEU 2023-2024 = low threshold.
Ready to act?
We'll draft the right letter for you
Personalised PDF · Send-ready · One-off €9,99
- ⚡ PDF in your inbox in 60 seconds
- 📄 BTW-compliant invoice included
- ↩️ 30-day fix-it guarantee
Sources
🔎 Common search variants
Recognise your own search? Our answer above covers these too.
- “data sold to third party”
- “data brokering gdpr”
- “unknown business has data”
- “data broker complaint”