Can a company sell my data?

Verdict: Not without a basis you almost never gave

“We may share data with partners” is where selling hides. Actual sale of identifiable data needs consent that names the buyers’ purposes — vague partner clauses don’t survive contact with a regulator.

There is no “sale” exception in the GDPR — transferring your data to a third party for money is just processing, needing a lawful basis. Why real sales almost always fail: consent must be specific and informed — “partners may send you offers” buried in clause 14 names no buyers, no purposes, and no free choice; legitimate interest collapses at the balancing test, because monetising your identity against strangers’ marketing interests is nobody’s reasonable expectation. Courts and DPAs have hammered the classic vehicles: address-trading, list brokers, “data enrichment” resellers, apps selling location trails. What is NOT a sale (and confuses everyone): processors working under contract (your mail provider isn’t “sold” your data — see controller vs processor), legally-required disclosures, and ad-tech’s auction model — which monetises access to you rather than handing datasets over, and gets fought through the tracking rules instead. Your counterattack when you suspect a sale: the Art. 15 access request’s sharpest field — “name the recipients or categories of recipients of my data” — the CJEU (Österreichische Post, C-154/21) held you’re entitled to named recipients on request. Then: object, demand erasure downstream (Art. 17(2) makes the seller chase its buyers), and hand the DPA a case they enjoy. Data you volunteered to a broker for payment exists as a business — but that’s your deal to make, never their default.

Verified against the sources above on 18 July 2026. Information, not legal advice.

← Is this allowed?📞 Your data protection authority