GDPR-Compliant Competitive Intelligence: What You Need to Know

TL;DR: Most CI tools are US-based and process data through US servers — a compliance gap many European companies overlook. GDPR-compliant CI means your competitive data stays in Europe, you only collect publicly available information, and your provider has appropriate data processing agreements in place. This matters not just for legal compliance but for trust with your own customers.

Why GDPR Matters for Competitive Intelligence

Competitive intelligence involves collecting, processing, and storing data, some of which may include personal data (names in job postings, LinkedIn profiles of executives, contact information on websites). Under GDPR, this makes the vendor operating your CI tool a data processor acting on your behalf.

Common Compliance Gaps

Data Residency

Most CI platforms (Crayon, Klue, Kompyte) are US-based and process data through US infrastructure. After the Schrems II ruling invalidated the EU-US Privacy Shield, data transfers to the US require additional safeguards that many vendors handle inconsistently.

What CI Tools Typically Collect

  • Website content — Generally fine (publicly available)
  • Job postings — May contain recruiter names, contact details
  • LinkedIn data — Profile data of company employees
  • News articles — May reference individuals
  • Social media posts — May include personal opinions attributed to individuals

The "Publicly Available" Misconception

Just because data is publicly available doesn't mean GDPR doesn't apply. Publicly available personal data is still personal data. The legal basis for processing it is typically "legitimate interest" (Art. 6(1)(f) GDPR), which requires a balancing test.

What GDPR-Compliant CI Looks Like

Data Processing

  • European hosting — Data stored and processed within the EU/EEA
  • Data Processing Agreement (DPA) — Your CI vendor must offer a GDPR-compliant DPA
  • Purpose limitation — Data collected for CI should only be used for CI
  • Data minimization — Collect only what's needed for competitive analysis

Technical Measures

  • Encryption at rest and in transit — Standard but verify
  • Access controls — Only authorized team members access competitive data
  • Data retention policies — Don't store competitive data indefinitely
  • Audit logging — Track who accessed what data

Organizational Measures

  • Document your CI program in your records of processing activities
  • Conduct a DPIA (Data Protection Impact Assessment) if you're doing large-scale monitoring
  • Train your CI team on what data they can and cannot collect

Choosing a GDPR-Compliant CI Tool

Requirement                What to Ask
Data residency             Where are servers located? Is all processing in the EU?
Sub-processors             Which third-party services process your data? Where are they based?
DPA availability           Can you sign a GDPR-compliant DPA before starting?
Data portability           Can you export and delete all your data on request?
Security certifications    SOC 2, ISO 27001, or equivalent?

12signals and GDPR

12signals is built for European requirements:

  • All data hosted on European servers (Supabase EU, Hetzner Germany)
  • No data transfer to US infrastructure
  • DPA available on request
  • Only publicly available data sources (websites, job postings, LinkedIn Ad Library, news)
  • Based in Düsseldorf, Germany