I have been wondering to what degree GDPR applies to B2B transactions. Does the implementation of these regulations mean that unless someone has deliberately opted in, marketing literature for B2B transactions is not legal?
GDPR applies to all sorts of transactions – whether B2B or not. But it does not apply to all transactions. Essentially, it regulates processing of personal data, which means understanding two concepts: “processing” and “personal data”.
“Processing” basically means any business activity that involves data. The formal definition is “any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
“Personal data” means any information relating to an identified human being (i.e. you know who they are) or an identifiable human being (i.e. you don’t know who they are but could work it out with more information or, alternatively, you never know who they are but you know how to send things to them).
There are some exceptions, such as processing by a natural person in the course of a purely personal or household activity. But you are asking about B2B transactions.
If it involves a corporate address (such as firstname.lastname@example.org) then sending to that address is not regulated by GDPR – because you are not processing personal data. If you are sending to a person at a company (such as email@example.com) then you need a “legal basis of processing” in order to send them an email. There are six possible legal bases of processing (which are all set out in Article Six of GDPR) but for B2B transactions there are only two possibilities.
You might use the “consent” basis of processing. This means you have the consent of the individual to send them a marketing communication. Consent doesn’t mean what it used to; under GDPR, consent must be opt-in and “be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the [recipient’s] agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.
“This could include ticking a box when visiting a website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the [recipient’s] acceptance of the proposed processing. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes…” (per Recital 32 GDPR). Also the individual must have the right to withdraw consent at any time (per Article 7 GDPR).
The second basis of processing is where it is necessary for the purposes of the legitimate interests pursued by you (such as marketing) “except where such interests are overridden by the interests or fundamental rights and freedoms of the [recipient] which require protection of personal data”. So, if you think it’s in your legitimate interests to send marketing material, you can send it – as long as (in plain English) you do not “naff off,” surprise or inconvenience the recipient.
However, that’s not the end of the story. Whatever basis of processing you use, you still need to comply with a piece of legislation that is nothing to do with GDPR. It’s called The Privacy and Electronic Communications (EC Directive) Regulations 2003, thankfully known as PECR for short. PECR restricts unsolicited marketing by phone, fax, email, text, or other electronic message.
There are different rules for different types of communication and the rules are generally stricter for marketing to individuals than companies. If you are sending marketing materials in the post, then PECR does not apply. But if you are sending by email, you may not send it unsolicited without consent unless:
i) You obtained the contact details of the recipient in the course of the sale or negotiations for the sale of a product or service to that recipient;
ii) The direct marketing is in respect of your similar products and services only; and
iii) The recipient has been given a simple means of refusing the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication. In other words, you give an opt-out.
PECR is due to be updated to make it stricter in line with GDPR – but this will not happen until much later this year.
If you have burning GDPR questions that you’d like answered, please send them to firstname.lastname@example.org and we’ll get these answered for you.
Mark Weston is head of IT, IP and commercial at Hill Dickinson. He advises clients on data protection issues as part of his IT Practice. Mark has presented a number of seminars on preparing for the GDPR, and can advise on both legal and compliance questions and practical considerations for companies, such as governance arrangements, ongoing management of data issues, and reviewing IT systems’ suitability.