Data protection in the B2B sector: no such thing? Wrong!

“Data protection? That only affects consumers.” The answer to that is a clear “no!”

The data protection law which took effect on 25 March 2018 in the form of the EU General Data Protection Regulation (“GDPR”) does not distinguish between the B2C and B2B segments. The requirements of data protection law must be heeded whenever “personal data” is processed, for which an indirect relationship to a natural person is sufficient. Whether the person in question is acting as a business owner, commercially or as a consumer makes no difference for the purpose of data protection rules. In the view of the Data Protection Authority of Bavaria, even a user’s IP address qualifies as data of relevance for data protection law (Activity Report 2017/18, p. 54).


Accordingly, companies operating in the B2B segment must ensure that they obtain consent from data subjects for the processing of personal data, e.g. managing the names and e-mail addresses of newsletter subscribers or the contact information of the individuals acting as contact persons for their business partners, unless other grounds for authorization exist. The Commissioner for Data Protection and Freedom of Information in the State of Baden-Württemberg points this out in its most recent Activity Report (starting on p. 23). Additional contact information in particular may have a personal connection of relevance for data protection law. As examples, it cites the personal e-mail addresses and cell phone numbers of self-employed business owners which are used both for business purposes and privately.

In data protection law, the processing of personal data is considered to be prohibited subject to authorization, i.e. personal data may only be processed if one of the criteria for authorization is met. These criteria are listed in Article 6(1) Sentence 1 of the GDPR. Of these criteria, the following are particularly relevant in the B2B segment:

  • the consent of the data subject (letter a);
  • a statutory provision which allows handling of the data (letter c);
  • and processing necessary to protect the legitimate interests of the controller or a third party, unless those interests are outweighed by the interests of the data subjects (letter f).

Controllers, i.e. entities which process personal data, also have transparency requirements and duties to provide information to the data subjects. Data subjects must be informed about the controller’s plans to process their data, as well as the purpose of processing, by the time the data is collected at the latest.

An inquiry was sent to the Bavarian Data Protection Authority by the Coburg regional group of the German Association for Data Protection and Data Security (GDD) concerning the contact information of B2B contact persons and the question as to the legal basis for the processing of this data. The authority ruled out Article 6(1)(b) as a relevant legal basis, and for good reason: this provision only applies if there is a contractual relationship with the data subject himself (e.g. an independent businessman). But if the contractual relationship is with a legal entity, the processing of the personal data of contact persons and/or employees can be based on Article 6(1)(f) of the GDPR, “if and to the extent necessary for the business relationship with the ‘B2B partner’ […]” (Datenschutz newsbox, May 2019 edition, p. 10).

The use of “cold calls” in telephone direct marketing has been the subject of criticism in connection with data protection law. The State Commissioner for Data Protection and Freedom of Information in Saarland reports in its most recent Activity Report on a study of marketing calls made with no prior business contacts (beginning on p. 132). It issued a notice prohibiting the responsible company from making such calls and the prohibition has since been upheld by the Administrative Court of Saarland.

Data protection in the company

But the importance of “data protection” for companies is not limited to cases where a relationship exists with third parties outside the corporate organization. Rather, the protection of employee data has proven to be an issue of particular relevance in practice, including not only the company’s own employees but also job applicants. The issues which have arisen in this regard are diverse, including the question as to whether the works council must be involved when launching new software or in automated checks, as well as the use of cloud-based application software in conformance with data protection rules. Data protection problems relating to video surveillance in the workplace are taking up a great deal of space in the activity reports issued by data protection authorities, as well as occupying the labor courts. Accordingly, there is urgent need for companies to take action in the area of employee data protection if they have not done so already.

Ideally, data protection should be part of the company’s compliance strategy and implementation should be supervised by an internal or external data protection officer. The GDPR gives data protection authorities broader authority to penalize violations of the law. For example, if personal data is processed without appropriate authorization, the competent authority has the power to assess a fine of up to 20 million Euros or up to 4% of the company’s worldwide revenues in the previous year. In this case as well, the GDPR makes no distinction based on whether the violation occurred in the B2C or B2B segment. Data protection and the associated statutory requirements are a cross-cutting topic which affects a wide variety of areas in practice. An internal strategy or data protection management system should be chosen which takes this holistic approach into account.

