What matters according to the GDPR
The GDPR not only protects consumers in the processing of their personal data, but also has an
effect in B2B business. Many companies are nevertheless not aware of this consequence. In this
article, we will show you what you currently need to consider when it comes to data protection
compliance in B2B business, particularly with regard to lawful data sources.
The processing of customer and supplier data
Many companies are not aware that they process personal data of their business partners’,
customers’ or suppliers’ employees in their everyday business. For the lawful processing of these
data, it is of great importance that the responsible companies rely on the correct legal basis in
accordance with the GDPR when doing so. Most companies incorrectly assume data processing
for purposes of contract performance. They fail to recognize, however, that employees are not
usually the contracting party at all. Without a circumstantially obtained consent, data processing
is only lawful on the basis of a legitimate interest.
The processing of publicly available data
As a judgement by the Higher Regional Court of Hamburg in December 2020 demonstrates,
company-related data from publicly accessible registers may be lawfully (further) processed in
other databases. Companies are not entitled under data protection law to have company data in
such databases deleted or blocked.
Company data in publicly accessible registers, such as the Federal Gazette, the Commercial
Register or the Insolvency Register, becomes personal data and thus subject to the GDPR if it
contains information about the natural person acting on its behalf. Such a database serves to
simplify collection of information for the purpose of transparency and security of business
transactions.
Insofar as the database only brings together data from the public registers without generating any
new data from them, the natural person concerned cannot object to publication in the database on
the basis of his or her interest in secrecy.
The trade of contact data in B2B business
Trading data or profiles of business contacts (so-called “leads”) in B2B business is attractive for companies. Leads are created for advertising purposes to demonstrate a person’s possible interest in a company’s services or products. Companies hire merchants directly either to create leads or to obtain leads already created by third-party companies. This practice is not only subject to considerable risks under data protection law, but also under competition law. In order to be able to legally (further) process the purchased data and use such data for themselves, companies must legally evaluate every step from collection to use so as not to expose themselves to immense liability risk. The requirements for legality are complex: Legal basis, transparency requirement vis-à-vis business contacts, deletion concepts, etc. We strongly advise against such trading without prior legal advice.
Conclusion
B2B data protection only succeeds if you keep your compliance management up to date. Consider
in particular the handling of personal data in B2B business, the corresponding legal bases for
processing, and the implementation of data subject rights and erasure concepts.