GDPR-compliant lead acquisition

Date of publication

How can you ensure, for example, at a trade fair that the lead is the person he or she claims to be by handing over a business card? Or how can you ensure that the lead acquisition and subsequent information transfer is carried out in compliance with the GDPR?

Example of the actual situation at a trade fair

I am an exhibitor at a trade fair. A visitor is interested in my products and wants to know more about them. But because he doesn't have time, he hands me his business card, asks for detailed information via e-mail and moves on.

I attach his business card to my lead form, briefly enter what is wanted and turn to the next prospect.

After the trade fair closes, I enter the trade fair contacts in my CRM and send out information and, if necessary, offers as requested.

The problem

This is not GDPR-compliant. Why? Because there is no way to prove that the person who sent the business card also agreed to receive information or offers. As stupid as it sounds, how can you know whether the business card and the interested party are one and the same person? And even if they are, handing over a business card does not constitute consent to contact.

So I need something in writing or in digital form with which I can prove that the interested party with his business card and the e-mail address given on it is one and the same person and also gives his consent that I can contact him. And all of this is verifiable.

A solution to the problem

The visitor hands me his business card, I briefly enter his name, company and e-mail address as well as the choice whether information or a call is desired into my tablet. Then I hand him the tablet with the reference to my privacy policy, ask him to read through the explanations for two required ticks, to set these and to send the contact. Immediately, he receives an e-mail with another reference to my privacy policy and the request to confirm the contact request by clicking on the attached link. He can also do this later if he takes the time to do so.

After clicking on the link, I receive the GDPR-compliant confirmation, which stands as proof of an intended contact and can continue with the follow-up of my new lead.


You don't have to be fined right away because you're still handling your trade show contacts the way you did ten years ago. But it is reassuring to generate leads in compliance with the GDPR. Our solution is based on open source software and is quickly adapted and ready for use.

Profile picture for user DeepL

DeepL is a deep learning company that develops AI systems for languages. The company, based in Cologne, Germany, was founded in 2009 as Linguee, and introduced the first internet search engine for translations. Linguee has answered over 10 billion queries from more than 1 billion users.

Profile picture for user manfred.woeller

Manfred Wöller

Manfred Wöller is a TÜV-certified data protection officer who makes data protection requirements technically feasible as part of the team. He is also a passionate vegan cook who takes care of the physical well-being at community events.