In November 2025, an investigative consortium including Netzpolitik, Le Monde, and BNR published the Databroker Files — 278 million location records from Belgium alone, drawn from a dataset of 13 billion records spanning nearly every EU country. The data tracked European Commission officials, diplomats, and NATO personnel. The brokers selling it required nothing more than a marketing company facade to access it.
Three months later, the European Data Protection Board published its first-ever market study on data brokers. The finding that matters: there is no EU-wide registry of data brokers. The study identified over 40 operating in Belgium alone, across eight distinct categories — from AdTech location vendors to credit reference agencies to data marketplace intermediaries. No one knows the full number operating across the EU.
This is the environment in which Europeans are expected to manage their own data broker exposure. Some do. Most cannot — not because they lack the right, but because the infrastructure working against them is industrial in scale and deliberately opaque.
This article is for people who have read the guides, understand the problem, and are evaluating whether to hire someone to handle it.
Why Automated Services Fall Short in Europe
The most rigorous independent study of data removal services to date — published in the Proceedings on Privacy Enhancing Technologies (PoPETs) in 2025 — tested ten services across 1,759 unique brokers. The results were sobering.
The average removal rate across all services was 48.2 per cent. The best performer, Incogni, achieved 76.6 per cent. The worst managed 23.4 per cent. Perhaps more concerning: only 41.1 per cent of the records these services identified as belonging to the test subjects were actually accurate. Nearly a third belonged to other people with similar names.
The services also showed remarkably little overlap. The Jaccard similarity between their broker coverage was just 0.21 — meaning they target largely different sets of brokers, with only around ten in common across all services tested.
For Europeans specifically, the problem deepens. These services were built for the US market — Spokeo, BeenVerified, Whitepages, PeopleFinder. The European broker landscape is structurally different: credit reference agencies like CRIF and Schufa, AdTech location data vendors exposed by the Databroker Files, public register harvesters, and B2B intelligence platforms like Whitebridge AI — which NOYB filed a complaint against in September 2025 for scraping social media to generate AI-powered “reputation reports” and selling them for €30 each.
One EU-based automated service exists — CrabClear, at €79 per year. Everything else routes your personal data through US infrastructure, which introduces its own GDPR compliance questions.
For a detailed breakdown of why automated tools underperform, see our analysis: Why Automated Data Broker Removal Doesn’t Work the Way You Think.
Discovery: The Phase Most People Skip
You cannot remove what you have not found. This is where most self-directed efforts fail — not in the removal itself, but in the mapping that should precede it.
A professional discovery phase uses OSINT techniques to map exposure across every category of broker that might hold your data: people-search sites, AdTech data vendors, credit reference agencies, dark web breach databases, data marketplace listings, and the less visible layer of intermediaries who aggregate and resell without any public-facing product.
The EU broker landscape does not look like the US one. A European engagement must account for credit agencies operating under different national frameworks — Germany’s Schufa, Austria’s CRIF, the Netherlands’ BKR — alongside AdTech vendors selling location data from mobile apps, public register harvesters pulling from municipal and commercial registries, and DGA-registered data intermediaries operating under the Data Governance Act.
Our EU Data Broker Opt-Out Directory lists 75 brokers across these categories. A professional engagement uses this as a starting point, not a ceiling. The EDPB study identified eight distinct broker types. No public directory covers all of them.
Deletion Versus Suppression — and Why You Need Both
GDPR Article 17 grants Europeans the right to “erasure.” But the regulation never defines what erasure technically means — it does not appear in the definitions article. This ambiguity is not accidental, and brokers exploit it.
In practice, most brokers implement an opt-out as suppression, not deletion. Your record is flagged and removed from public-facing search results and marketing databases. But a suppression record — typically your name and email or a hashed identifier — is retained internally.
This creates a paradox that regulators have acknowledged. The ICO accepts that organisations may keep a minimal suppression list under legitimate interest, specifically to ensure they do not re-process data belonging to someone who has exercised their rights. The French CNIL has a formal concept for this: the liste d’opposition. Both regulators consider it lawful, provided the retained data is the minimum necessary and is used solely for suppression.
Here is the part that most privacy guides miss: true deletion without suppression is often worse for the individual. When a broker deletes your record completely — no suppression flag, no retained identifier — there is nothing to block re-ingestion when your data arrives again from an upstream source. And it will arrive again. Brokers ingest continuously from hundreds of commercial partners, public records feeds, and scraped sources.
There is also the frontend-versus-API gap. Data removed from a broker’s public website may remain accessible through their commercial API or bulk data products. Suppression from the consumer-facing search tool does not guarantee suppression from the data pipeline feeding their paying clients.
A professional engagement requests both deletion and suppression, specifies the scope of each, and verifies both independently. Our EU opt-out directory explains this distinction in more detail.
The Request Phase: What Leverage Actually Looks Like
A GDPR Article 17 request can be submitted in any form — email, web form, even verbally — to any part of an organisation. There is no prescribed format and no requirement to use a specific contact address. This is established in EDPB guidance and is one of the few procedural advantages individuals hold.
In practice, the advantage is theoretical. A UC Irvine study published in 2025 found that 43 per cent of data brokers never responded to access requests at all. Among those that did respond, 95 per cent demanded additional personal information for “verification” — creating a situation where exercising your privacy rights introduces new privacy exposure.
This is where professional engagement changes the dynamic. A practitioner knows which legal basis to cite for each broker type, how to frame requests that are harder to ignore, and — critically — when and how to escalate.
Escalation means filing a complaint with the relevant data protection authority. Under the GDPR one-stop-shop mechanism, a single lead supervisory authority handles cross-border complaints. In practice, DPA response times range from three months to over a year, though new rules adopted in 2025 cap most investigations at 15 months.
The enforcement environment is shifting. In May 2025, France’s CNIL issued the first explicit fine against a data broker — €900,000 against Solocal Marketing Services for processing data acquired through deceptive consent forms. The Dutch AP’s €30.5 million fine against Clearview AI in September 2024 was followed by NOYB filing criminal charges against Clearview’s executives in Austria in October 2025 — the first attempt to hold individual data broker directors personally liable under EU law. The UK has moved in the opposite direction: the Upper Tribunal dismissed the ICO’s appeal against Experian in April 2024, leaving the UK without a flagship systemic win against a major broker — our UK data broker rights guide covers the Experian ruling and the DUAA 2025 amendments that followed.
Not every jurisdiction cooperates equally. Swedish data brokers like MrKoll claim a “media licence” exemption that makes GDPR deletion requests legally unenforceable — a loophole NOYB has challenged but that remains open.
Related Service
The Eraser€3,800
Full discovery, removal, and ongoing monitoring — including the Mirror and Lockdown investigation as foundation. 90-day re-scrub guarantee included.
Monitoring: The Part That Never Ends
The PoPETs study and industry data converge on a single statistic: 73 per cent of data brokers re-add consumer information within 90 days of removal.
Re-listing happens because brokers source data continuously from hundreds of upstream providers — public records offices, commercial data partners, app-derived location feeds, scraped web sources. An opt-out or deletion at one broker does not propagate upstream. When new data arrives with a slightly different format — a middle initial added, a new address, a maiden name — the suppression match fails and a fresh profile is created.
This is why one-time removal is not removal. It is a temporary gap in a continuous data flow. Any service or engagement that does not include ongoing monitoring is, at best, a snapshot of a single moment.
A professional engagement builds in recurring scan cycles — typically every 30 to 90 days — to detect re-listings, re-submit removal requests, and track which brokers are persistent re-listers requiring escalation. Over time, the re-listing rate trends downward as suppression records take hold and the most resistant brokers are addressed through DPA complaints or legal channels.
What “Done” Looks Like
It does not look like zero exposure. That is not achievable and anyone claiming otherwise is selling something that does not exist.
A realistic outcome from a professional removal engagement in Europe looks like this: identified brokers reduced from dozens or hundreds to a managed residual. Suppression records in place at the brokers most likely to re-list. Ongoing monitoring catching new listings within weeks rather than months. A clear record of which brokers complied, which resisted, and which were escalated to DPAs.
The typical timeline: six to eight weeks for the initial removal wave, covering discovery, requests, follow-ups, and first-round verification. Then ongoing monitoring on a recurring cycle. The first 90-day re-scrub catches the majority of re-listings. After that, the cadence depends on the individual’s exposure profile and risk level.
This is exposure management, not disappearance. The goal is to reduce your attack surface to the point where finding you requires effort that most threat actors — whether data-harvesting marketers, social engineers, or anyone else trawling broker databases — will not invest.
For anyone still evaluating whether to start with a self-directed approach, our practical guide to data broker removal and GDPR DSAR template are the right starting points. Our Data Broker Ecosystems hub provides additional context on the full landscape of brokers operating across the EU. When the scale of the problem exceeds what you can maintain yourself, that is when a professional engagement earns its cost.