Data protection in the B2B sector: no such thing? Wrong!
“Data protection? That only affects consumers.” The answer to that is a clear “no!”
The data protection law which took effect on 25 March 2018 in the form of the EU General Data Protection Regulation ("GDPR") does not distinguish between the B2C and B2B segments. The requirements of data protection law must be heeded whenever "personal data" is processed, for which an indirect relationship to a natural person is sufficient. Whether the person in question is acting as a business owner, commercially or as a consumer makes no difference for the purpose of data protection rules. In the view of the Data Protection Authority of Bavaria, even a user's IP address qualifies as data of relevance for data protection law (Activity Report 2017/18, p. 54).
Accordingly, companies operating in the B2B segment must ensure that they obtain consent from data subjects for the processing of personal data, e.g. managing the names and e-mail addresses of newsletter subscribers or the contact information of the individuals acting as contact persons for their business partners, unless other grounds for authorization exist. The Commissioner for Data Protection and Freedom of Information in the State of Baden-Württemberg points this out in its most recent Activity Report (starting on p. 23). Additional contact information in particular may have a personal connection of relevance for data protection law. As examples, it cites the personal e-mail addresses and cell phone numbers of self-employed business owners which are used both for business purposes and privately.
In data protection law, the processing of personal data is considered to be prohibited subject to authorization, i.e. personal data may only be processed if one of the criteria for authorization is met. These criteria are listed in Article 6(1) Sentence 1 of the GDPR. Of these criteria, the following are particularly relevant in the B2B segment:
- the consent of the data subject (letter a);
- a statutory provision which allows handling of the data (letter c);
- and processing necessary to protect the legitimate interests of the controller or a third party, unless those interests are outweighed by the interests of the data subjects (letter f).
Controllers, i.e. entities which process personal data, also have transparency requirements and duties to provide information to the data subjects. Data subjects must be informed about the controller's plans to process their data, as well as the purpose of processing, by the time the data is collected at the latest.
An inquiry was sent to the Bavarian Data Protection Authority by the Coburg regional group of the German Association for Data Protection and Data Security (GDD) concerning the contact information of B2B contact persons and the question as to the legal basis for the processing of this data. The authority ruled out Article 6(1)(b) as a relevant legal basis, and for good reason: this provision only applies if there is a contractual relationship with the data subject himself (e.g. an independent businessman). But if the contractual relationship is with a legal entity, the processing of the personal data of contact persons and/or employees can be based on Article 6(1)(f) of the GDPR, "if and to the extent necessary for the business relationship with the 'B2B partner' […]" (Datenschutz newsbox, May 2019 edition, p. 10).
The use of "cold calls" in telephone direct marketing has been the subject of criticism in connection with data protection law. The State Commissioner for Data Protection and Freedom of Information in Saarland reports in its most recent Activity Report on a study of marketing calls made with no prior business contacts (beginning on p. 132). It issued a notice prohibiting the responsible company from making such calls and the prohibition has since been upheld by the Administrative Court of Saarland.
Data protection in the company
But the importance of "data protection" for companies is not limited to cases where a relationship exists with third parties outside the corporate organization. Rather, the protection of employee data has proven to be an issue of particular relevance in practice, including not only the company's own employees but also job applicants. The issues which have arisen in this regard are diverse, including the question as to whether the works council must be involved when launching new software or in automated checks, as well as the use of cloud-based application software in conformance with data protection rules, and data protection problems relating to video surveillance in the workplace are taking up a great deal of space in the activity reports issued by data protection authorities, as well as occupying the labor courts. Accordingly, there is urgent need for companies to take action in the area of employee data protection if they have not done so already.
Ideally, data protection should be part of the company's compliance strategy and implementation should be supervised by an internal or external data protection officer. The GDPR gives data protection authorities broader authority to penalize violations of the law. For example, if personal data is processed without appropriate authorization, the competent authority has the power to assess a fine of up to 20 million Euros or up to 4% of the company's worldwide revenues in the previous year. In this case as well, the GDPR makes no distinction based on whether the violation occurred in the B2C or B2B segment. Data protection and the associated statutory requirements are a cross-cutting topic which affects a wide variety of areas in practice. An internal strategy or data protection management system should be chosen which takes this holistic approach into account.
[We updated the news in July 2019]