Short answer: yes
The short answer to the question in the title is unambiguous: yes. The GDPR applies to every company that processes personal data, regardless of whether your clients are consumers or businesses. And as a B2B company, you process more personal data than you think.
The misconception
The reasoning often goes like this: “The GDPR protects consumers. My clients are businesses, not consumers. So the GDPR doesn’t apply to me.”
That reasoning is wrong on two counts.
First: the GDPR doesn’t protect consumers. The GDPR protects natural persons. That is an important distinction. A consumer is someone who buys something as a private individual. A natural person is any living human being. That includes the contact person at your client, the employee who receives your invoice, and the director who signs your proposal.
Second: even if you never deal with consumers, as a B2B company you are guaranteed to process personal data. Let’s look at where that data sits.
Where is your personal data?
Client contacts
You have a CRM or at least an address book. It contains names, email addresses, phone numbers, and job titles of contact persons at your clients. john.smith@clientcompany.com is personal data. The purchasing manager’s phone number is personal data. The note “John is always off on Mondays” is personal data.
Employees
If you have staff, you process a mountain of personal data: name, address, national ID number, salary, sick leave records, performance reviews, a copy of an identity document. Some of these even fall into the special or sensitive categories. The GDPR fully applies here.
Suppliers and partners
Your accountant, your IT supplier, your freelancers - you have contact details for all of them. And for sole traders and freelancers, the business data is often identical to the owner’s personal data.
Job applicants
Do you occasionally receive an open application or CV? That is personal data. And it has a retention period: you cannot keep a CV indefinitely.
Website visitors
Even if your website targets only business visitors, you process IP addresses, cookie data, and possibly form data. IP addresses are personal data.
What must you arrange as a B2B company?
Exactly the same things as any other company. The GDPR makes no distinction between B2B and B2C. Specifically:
- Processing register - document all your processing activities. Maintaining client contacts, payroll, invoicing, marketing, website analytics - it all belongs in there.
- Privacy policy - inform data subjects about what you do with their data. That applies to your website visitors, but also to your business contacts. Many B2B companies have a privacy policy on their website but forget that their business contacts must also be informed.
- Processing agreements - do you have a processing agreement with your CRM provider? Your accountant? Your cloud provider? In B2B this is often taken more lightly than in B2C, but the obligation is identical.
- Legal bases - for every processing activity you need a legal basis. For client relationship management that is usually legitimate interest. For payroll, a legal obligation. For a newsletter, consent.
- Retention periods - you cannot keep data indefinitely. That quote request from five years ago that never led to an assignment? There is probably no legal basis for keeping it anymore.
B2B-specific considerations
A few matters deserve extra attention in a B2B context:
- LinkedIn and networking - business cards collected at a trade fair or contacts added from LinkedIn to your CRM: that is processing of personal data
- References and testimonials - if you publish client references on your website with name and job title, you are processing personal data
- Shared mailboxes - a shared inbox like sales@yourcompany.com contains emails with personal data of business contacts
- Old data - B2B companies often keep relationship data for years “just in case”. Without a valid legal basis, that is not allowed
The good news
The basics of GDPR compliance for B2B companies are no different from B2C. In fact, it is often simpler. You probably process less data, fewer special categories, and have fewer data subjects. But “less” is not “none”. And the supervisory authority makes no distinction.
GDPRWise maps all your processing activities, including the B2B data you probably overlook. A complete processing register in 15 minutes.