10 June 2026
Nowe Firmy Team

New Company Contact Data: Legal GDPR Methods in Poland


Acquiring contact data of new companies sounds simple: download a database, send an offer, wait for replies. In reality every step is subject to GDPR, and in 2026 supervisory authorities and aware entrepreneurs increasingly challenge illegal outreach. Mistakes do not end with fines alone; they damage email domain reputation, brand, and relationships with potential clients.

This article explains how to legally acquire and use contact data of newly registered companies in Poland. This is not legal advice; it is a practical guide based on common GDPR interpretations in a B2B context. When in doubt, consult a data protection lawyer.

What Are "New Company Contact Data" in Legal Context?

Contact data of new companies is information that makes it possible to reach an entrepreneur or business entity: email, phone, address, website. In CEIDG, entrepreneurs provide email and phone voluntarily; it is not a registration requirement.

Key legal distinction:

| Data type | Example | Status in CEIDG |
| :--- | :--- | :--- |
| Identification data | NIP, REGON, company name, full name | Mandatory, public |
| Address data | Street, city, postal code | Mandatory, public |
| Industry data | PKD, business start date | Mandatory, public |
| Contact data | Email, phone, website | Voluntary, public if provided |

All CEIDG data is public: anyone can view it. That does not mean you can process it any way you want. GDPR regulates the purpose and legal basis of processing, not mere availability.

Legal Bases for Processing Company Data

GDPR Art. 6(1): Processing Bases

In the B2B prospecting context, the bases most often cited are:

Lit. f): legitimate interest of the controller. Your company has a legitimate interest in offering B2B services to other businesses, provided that interest is not overridden by the rights and freedoms of the data subject. This is the most common basis for B2B cold email and cold calling in Poland.

Lit. b): contract performance or pre-contractual steps. When the company itself sent an inquiry or filled in a form, this is a stronger basis.

Lit. a): consent. Rarely used in cold outreach because consent must be freely given, specific, and easy to withdraw. Buying "databases with consents" is a red flag.

Balancing Test

With the "legitimate interest" basis you must conduct a balancing test:

  1. Is your interest real and justified? (e.g. offering accounting services to new companies)
  2. Is processing necessary? (can the goal be achieved less invasively?)
  3. Do data subject rights not override your interest?

In B2B practice, a business offer sent to a business email provided in a public register usually passes the balancing test, provided the outreach is professional and non-aggressive and opt-out is easy.

Legal Sources of New Company Contact Data

1. CEIDG: Public Register (Safest Source)

CEIDG is the official register under the Business Activity Central Register Act. The entrepreneur publishes data knowing it is public.

What you can legally do with CEIDG data:

  • Download data on newly registered companies.
  • Process NIP, name, PKD, address, registration date.
  • Contact the email address provided in CEIDG, with an appropriate legal basis.
  • Store data in CRM for B2B sales.

What you cannot:

  • Sell raw CEIDG data as "mailing database" without source disclosure.
  • Process data for purposes inconsistent with collection information.
  • Ignore deletion requests (opt-out).

Aggregators like nowe-firmy.pl pull CEIDG data and deliver it in a prospecting-ready format; the source is open and public.

2. KRS: Corporate Entity Data

KRS contains company data but rarely direct emails. Contacting a company's CEO requires enrichment (e.g. LinkedIn, company website). The legal basis remains the same: legitimate B2B interest.

3. Company Website

If a new company has a website with an email address (e.g. office@, contact@), that is data provided for business contact. It can be used for a B2B offer, with opt-out and a professional tone.

4. LinkedIn and Social Media

Public LinkedIn data (position, company) can be used in a B2B context, but LinkedIn has its own terms (e.g. Sales Navigator). GDPR and platform rules are two separate rule sets.

5. What to Avoid: Illegal or Risky Sources

  • Purchased "databases with phones and emails" without provenance. Most common UODO problem source.
  • Scraping private profiles without legal basis.
  • "Opt-in databases" with unclear consent origin.
  • Reselling CEIDG data as final product without processing information.

B2B Cold Email to New Companies: GDPR Compliance Rules

Cold email to an entrepreneur running a sole proprietorship is not the same as spam to consumers. In Poland, B2B outreach on a legitimate interest basis is common practice, provided the rules are followed:

GDPR-Compliant Cold Email Checklist

  1. Sender identity: full company name, address, NIP in footer.
  2. Legal basis: information that you process data on a legitimate interest basis (GDPR Art. 6(1)(f)).
  3. Processing purpose: e.g. "presenting accounting services offer".
  4. Right to object: clear information on how to opt out of further messages.
  5. Right to complain to the supervisory authority: required information clause.
  6. Offer relevance: the offer must relate to the recipient's activity (PKD, industry).
  7. Professional tone: one message, not an aggressive follow-up series without response.
  8. Opt-out register: honor every deletion request immediately and permanently.

Sample GDPR Clause in B2B Cold Email

The controller of your personal data is [Company Name], [address], NIP [number]. We process data to present a commercial offer based on legitimate interest (GDPR Art. 6(1)(f)). You have the right to object to processing, access data, rectification, and complaint to the supervisory authority. To opt out of contact, reply "STOP" to this message.

Electronic Communications Law: Do You Need Consent?

Polish electronic communications regulations concern direct marketing. In the B2B context interpretations vary:

  • B2B commercial offer to a business email from a public register: often classified as business contact, not consumer marketing.
  • Mass, irrelevant offers ("buy our shoes") to a business email: risky.

Key: offer relevance to the activity profile. Accounting for a new JDG is relevant. A loan offer to a restaurant's business email is questionable.

Cold Calling: B2B Phone Prospecting Rules

A phone call to an entrepreneur on a number from CEIDG follows similar logic to email:

  • Basis: legitimate B2B interest.
  • Controller information: given verbally or in a follow-up email.
  • Right to object: if the recipient asks for no further contact, respect it immediately.
  • Do Not Call register: applies to consumer marketing, not B2B entrepreneurs. Good practice is maintaining your own exclusion list.

Storing Data in CRM: Controller Obligations

After acquiring contact data and making first contact, the data goes into the CRM. Your obligations:

GDPR Documentation

  • Processing activity register: description of data source (CEIDG), purpose (B2B sales), basis (lit. f), retention period.
  • Privacy policy: published on the company website.
  • Opt-out procedure: who handles it, within what time (recommendation: 24h).
  • Balancing test: documented for B2B prospecting.

Retention Period

Do not store data "forever". Recommended rules:

  • Active lead in pipeline: until opportunity close + 12 months.
  • No response after 3 contacts: delete or anonymize after 6 months.
  • Opt-out: delete immediately, keep only NIP on exclusion list (no personal data).

Technical Security

  • CRM with access control (who sees data).
  • Encryption in transit (HTTPS) and at rest.
  • Backup with limited access.
  • Processing agreements with CRM providers (HubSpot, Pipedrive: standard in DPA).

GDPR and nowe-firmy.pl Data: How It Works

nowe-firmy.pl delivers data from the public CEIDG register. As the data recipient you are the controller for further processing (CRM, outreach). nowe-firmy.pl is the processor at the aggregation stage.

Your steps after downloading database:

  1. Document data source (CEIDG via nowe-firmy.pl).
  2. Conduct balancing test for your use case.
  3. Add GDPR clause to outbound communication.
  4. Maintain opt-out register.
  5. Do not resell raw data to third parties.

This is the standard model in the data-driven sales industry, analogous to LinkedIn Sales Navigator or Apollo, with the difference that the source (CEIDG) is public and transparent.

Most Common GDPR Mistakes in New Company Prospecting

Mistake 1: No Opt-Out

Sending emails without ability to unsubscribe. Simplest path to complaint and fine.

Solution: Link or "STOP" reply in every message. Exclusion register in CRM.

Mistake 2: Buying "Consent Databases"

"500,000 emails with consents" for 200 PLN: the consents are fake or outdated.

Solution: CEIDG + own outreach with lit. f basis.

Mistake 3: Mass, Irrelevant Offers

Same offer to all PKD codes. Weak legal interest and low conversion.

Solution: PKD and region segmentation. Industry-matched offer. Tools like nowe-firmy.pl enable filtering.

Mistake 4: No Documentation

No processing activity register or balancing test.

Solution: One-time GDPR audit with lawyer. Documentation template costs less than one fine.

Mistake 5: Ignoring CEIDG Deletions

Contacting company that already ceased activity.

Solution: Regularly filter entry status. Fresh CEIDG aggregator data minimizes this problem.

Mistake 6: Transferring Data Outside EEA Without Safeguards

CRM hosted in USA without Standard Contractual Clauses.

Solution: Check CRM provider DPA. HubSpot, Pipedrive offer SCC.

Practical Workflow: From Data to Legal Contact

Proven process for B2B sales team in 2026:

Step 1: Data acquisition. Download new company list from CEIDG (manually or via nowe-firmy.pl). Filter by PKD and region.

Step 2: Qualification. Check entry status (active), main PKD, contact data presence.

Step 3: Communication preparation. Personalize offer for industry. Add GDPR clause in footer.

Step 4: Send / contact. One email or call. Professional tone. No aggressive follow-ups.

Step 5: Response handling. Interested → opportunity in CRM (lit. b basis). Opt-out → immediate deletion. No response → max 2 follow-ups in 14 days, then archive.

Step 6: Documentation. Update processing register. Quarterly: exclusion list review.

More on sales strategy: how to use new company data in B2B sales.

When Do You Need a Lawyer?

This guide covers standard B2B prospecting from CEIDG data. Consult a lawyer if:

  • You process sensitive data (health, personal finances).
  • You operate outside the EU (UK, USA: different regulations).
  • You received a UODO complaint or summons.
  • You build a SaaS product processing company data for clients (then you are a processor or joint controller).
  • You send offers to individuals not running a business (consumers: different rules).

Summary: Legal Methods for Acquiring Contact Data

Contact data of new companies in Poland can be acquired legally if:

  1. Source is transparent: CEIDG, KRS, public website.
  2. Legal basis is documented: most often legitimate interest (GDPR Art. 6(1)(f)).
  3. Offer is relevant: matched to activity profile (PKD).
  4. Opt-out works: immediate and permanent.
  5. Documentation exists: processing register, balancing test, privacy policy.

nowe-firmy.pl delivers CEIDG data in a prospecting-ready format; you are responsible for legal outreach. Check the new companies database and build a GDPR-compliant sales process from day one.


FAQ: Frequently Asked Questions

1. Can I send cold email to companies with CEIDG data?

Yes, in B2B context, on legitimate interest basis (GDPR Art. 6(1)(f)), provided relevant offer, information clause, and opt-out possibility.

2. Do I need recipient consent for B2B cold email?

Not in typical B2B scenario from public register. Consent (Art. 6(1)(a)) not required if you passed balancing test for legitimate interest.

3. Is nowe-firmy.pl data GDPR-compliant?

Data comes from public CEIDG register. As recipient you are controller of further processing and responsible for legal outreach (clause, opt-out, documentation).

4. What to do when someone requests data deletion?

Delete immediately from CRM and mailing lists. You may keep NIP on exclusion list (no personal data) to avoid re-contact.

5. Is cold calling new companies legal?

Yes in B2B context, on legitimate interest basis, with controller information and respect for objection. Do Not Call register applies to consumers, not entrepreneurs.

6. Can I buy an email database and send offers?

Risky if you do not know provenance and legal basis. Safer path: CEIDG data + own outreach with GDPR documentation.
