Data pro­tec­tion in B2B business

What mat­ters accor­ding to the GDPR

The GDPR not only pro­tects con­su­mers in the pro­ces­sing of their per­so­nal data, but also has an
effect in B2B busi­ness.
Many com­pa­nies are nevert­hel­ess not awa­re of this con­se­quence. In this
artic­le, we will show you what you curr­ent­ly need to con­sider when it comes to data pro­tec­tion
com­pli­ance in B2B busi­ness, par­ti­cu­lar­ly with regard to lawful data sources.

The pro­ces­sing of cus­to­mer and sup­pli­er data

Many com­pa­nies are not awa­re that they pro­cess per­so­nal data of their busi­ness part­ners’,
cus­to­mers’ or sup­pli­ers’ employees in their ever­y­day busi­ness. For the lawful pro­ces­sing of the­se
data, it is of gre­at importance that the respon­si­ble com­pa­nies rely on the cor­rect legal basis in
accordance with the GDPR when doing so. Most com­pa­nies incor­rect­ly assu­me data pro­ces­sing
for pur­po­ses of con­tract per­for­mance. They fail to reco­gni­ze, howe­ver, that employees are not
usual­ly the con­trac­ting par­ty at all. Wit­hout a cir­cum­stan­ti­al­ly obtai­ned con­sent, data pro­ces­sing
is only lawful on the basis of a legi­ti­ma­te interest.

The pro­ces­sing of publicly available data

As a jud­ge­ment by the Hig­her Regio­nal Court of Ham­burg in Decem­ber 2020 demons­tra­tes,
company-related data from publicly acces­si­ble regis­ters may be lawful­ly (fur­ther) pro­ces­sed in
other data­ba­ses. Com­pa­nies are not entit­led under data pro­tec­tion law to have com­pa­ny data in
such data­ba­ses dele­ted or blo­cked.
Com­pa­ny data in publicly acces­si­ble regis­ters, such as the Fede­ral Gazet­te, the Com­mer­cial
Regis­ter or the Insol­ven­cy Regis­ter, beco­mes per­so­nal data and thus sub­ject to the GDPR if it
con­ta­ins infor­ma­ti­on about the natu­ral per­son acting on its behalf. Such a data­ba­se ser­ves to
sim­pli­fy coll­ec­tion of infor­ma­ti­on for the pur­po­se of trans­pa­ren­cy and secu­ri­ty of busi­ness
Inso­far as the data­ba­se only brings tog­e­ther data from the public regis­ters wit­hout gene­ra­ting any
new data from them, the natu­ral per­son con­cer­ned can­not object to publi­ca­ti­on in the data­ba­se on
the basis of his or her inte­rest in secrecy.

The trade of cont­act data in B2B business

Tra­ding data or pro­files of busi­ness cont­acts (so-called “leads”) in B2B busi­ness is attrac­ti­ve for com­pa­nies. Leads are crea­ted for adver­ti­sing pur­po­ses to demons­tra­te a person’s pos­si­ble inte­rest in a company’s ser­vices or pro­ducts. Com­pa­nies hire mer­chants direct­ly eit­her to crea­te leads or to obtain leads alre­a­dy crea­ted by third-party com­pa­nies. This prac­ti­ce is not only sub­ject to con­sidera­ble risks under data pro­tec­tion law, but also under com­pe­ti­ti­on law. In order to be able to legal­ly (fur­ther) pro­cess the purcha­sed data and use such data for them­sel­ves, com­pa­nies must legal­ly eva­lua­te every step from coll­ec­tion to use so as not to expo­se them­sel­ves to immense lia­bi­li­ty risk. The requi­re­ments for lega­li­ty are com­plex: Legal basis, trans­pa­ren­cy requi­re­ment vis-à-vis busi­ness cont­acts, dele­ti­on con­cepts, etc. We stron­gly advi­se against such tra­ding wit­hout pri­or legal advice.


B2B data pro­tec­tion only suc­ceeds if you keep your com­pli­ance manage­ment up to date. Con­sider
in par­ti­cu­lar the hand­ling of per­so­nal data in B2B busi­ness, the cor­re­spon­ding legal bases for
pro­ces­sing, and the imple­men­ta­ti­on of data sub­ject rights and era­su­re concepts.


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.