A Canadian analytics firm that worked for Vote Leave has received the UK's first formal notice under a key data law, the UK's data protection watchdog has confirmed.
AggregateIQ (AIQ) was accused of processing people's data "for purposes which they would not have expected".
The firm has appealed against the notice, which was issued by the UK's Information Commissioner's Office.
Law firm Mishcon de Reya said the notice was "significant".
If the company fails to appeal against the ICO's notice or does not comply with it, it could face a large fine.
The Information Commissioner's Office confirmed the story to the BBC.
AIQ is a small Canadian data firm that uses data to target online ads at voters during public polls.
It was paid nearly £2.7m ($3.6m) by Vote Leave to target ads at prospective voters during the Brexit referendum campaign.
It was also used by pro-Brexit youth group BeLeave.
Vote Leave has been fined £61,000 and referred to the police after an Electoral Commission probe said it broke electoral law by exceeding its spending limit by funnelling money through BeLeave.
AIQ also received funding from Northern Ireland's Democratic Unionist Party and Veterans for Britain, amounting to a total of £3.5m from all of its pro-Brexit clients.
The ICO said that although the data was gathered before 25 May, when the EU's General Data Protection Regulation (GDPR) came into effect, it was concerned about the "continued retention and processing" of data after that date. This, it said, meant GDPR applied to AIQ's handling of that information.
Earlier this year it was linked to UK data firm Cambridge Analytica by whistleblower Chris Wylie, who alleged that Cambridge Analytica improperly acquired Facebook data belonging to 50 million people via a third party.
Cambridge Analytica has been credited with helping Donald Trump win the US presidential election in 2016.
Mr Wylie told the Guardian newspaper in March that staff at the now defunct Cambridge Analytica referred to AIQ as "our Canadian office". AIQ rejects this description and says it is 100% Canadian-owned.
Following the allegations, Facebook suspended both firms from its platform. AggregateIQ denied any wrongdoing and stated that it "works in full compliance within all legal and regulatory requirements in all jurisdictions where we operate".
AIQ has previously denied any direct links to Cambridge Analytica. It has also denied ever employing Mr Wylie.
"We appealed the enforcement notice to the first level tribunal [a legal mechanism for challenging ICO notices]," a spokesman for AIQ told the BBC, though he declined to comment further.
"It was just a matter of time before it would happen," said Sandra Wachter, a data regulation expert at the University of Oxford's Internet Institute.
"The GDPR makes it very clear that if you process data within the EU obviously the laws are applicable but also if you transfer data out of the EU… or if you are targeting European markets then the GDPR is also applicable."
Meaningful data protection meant that such issues had to be considered "globally not just locally", she told the BBC.
According to Mishcon de Reya, the ICO's notice is phrased in relatively vague terms.
Dean Armstrong QC, chairman of the independent legal advisory service Elias Partnership, told the BBC he agreed with that assessment.
"The ICO has given very vague instructions that are not particularly helpful," he said.
"Perhaps the vagueness of the terminology is a deliberate ploy to ensure entities take an extremely cautious approach in changing their data-handling activities."