GDPR in B2B Marketing

GDPR in B2B Marketing

There are two separate EU level regulations to follow when processing personal data for direct marketing in B2B and B2C activities.

  • Privacy and Electronic Communication Directive 2002/58
  • General Data Protection Regulation (GDPR) and local adaptation of the law

Companies must comply with both. Previously topics “How regulations affect direct marketing and profiling” and “Direct marketing rules and exceptions” were applicable more to B2C businesses. This time focus is on GDPR in B2B Marketing.

GDPR in B2B Marketing. Guidelines for sending promotional emails to B2B contacts

Companies (legal entities) are considered as corporate subscribers”. Therefore, unlike B2C, B2B direct marketing messages to corporate email addresses are allowed to be sent without prior consent. However, the sender is required to identify itself and provide contact details.  The GDPR must be followed whenever personal data is being processed. The same rules, with some exceptions, apply regardless whether the person is contacted as an individual or an individual acting in a professional capacity. For example, business contact, that contains an individual’s name on a file or their email address (first name.last, is considered as a physical person’s and not corporate subscriber’s information.

Here are some rules for businesses to approach B2B contacts for direct marketing purposes:

  • Sole traders are treated as individuals. Meaning, email can be sent only if they have consented specifically or alternatively. For example, they bought a similar product previously, but never opted out from marketing messages.
  • It is required that person, contacted for direct marketing purposes, would represent the business is related to the topic area. e., data protection related topics should reach and sales –
  • It is generally considered as a good practice to discontinue any marketing messages if the receiver requests to do so. A list of unsubscribed or opted-out leads should be kept.
  • If the company email address contains an individual’s name, the GDPR applies and the person can opt-out from direct marketing emails.
  • Opt-out or “unsubscribe” option should be provided in all promotional material.

GDPR in B2B Marketing. National approaches

Rules on direct marketing on the EU level are regulated by the GDPR and PECR. However, companies should consider that national rules may differ as the member states may apply stricter rules. Therefore, before sending marketing messages via email, it’s crucial to know the differences between opt-out, single opt-in and double opt-in options. As well as to know which EU country applies which option.

General Data Protection Regulation rules in B2B Marketing
Local GDPR rules in B2B Marketing


The easily identifiable and accessible option. The receiver of an email is given an option can unsubscribe from a list easily. If the receiver hasn’t opted out and you are doing business in an opt-out country, you can continue to communicate with them. Such examples – Estonia, Finland, Latvia, Sweden etc. Businesses are allowed to contact corporate subscribers. However, if the email address contains a person’s name, they have a right to opt-out. The receiver needs to work in the relevant department in regard to the topic of the message.

Single Opt-In

It requires a positive action for a receiver to be subscribed to a B2B marketing email lists if similar goods/services were not required to be promoted/sold before.  Such examples – Lithuania, Poland, Romania, etc. In Lithuania Direct Marketing over email is regulated by the Electronic Communications Act.  if the target of direct marketing is a company, the consent must be gained from the head of that company or authorized person. Meaning, that the newsletter cannot be sent to B2B lead without a consent. General email addresses  info/marketing/ are being dealt with in the same manner as the ones with a person’s name in it.

Double opt-in

The strictest requirements for B2B communications. 1st step – the form of filling out a subscription form of some sort and 2nd step – clicking a link in a confirmation email to enable their subscription. In double opt-in regimes, you cannot start email marketing to a prospect until he or she has completed both opt-in steps. Such examples – Germany and Switzerland.

Share on facebook
Share on linkedin
Share on twitter
Share on pinterest
Share on email

Try our GDPR Compliance Tool GDPR Register for 14-days.

No credit card required.

Latest Posts
Personal Data Breach Reporting Requirements Under the GDPR

Personal Data Breach Reporting Requirements Under the GDPR

What is Data Breach? A personal data breach is security incident that results in the accidental or unlawful destruction, loss,...
Direct marketing rules and exceptions under the GDPR

Direct marketing rules and exceptions under the GDPR

Direct marketing includes text messages (SMS) and emails that a customer receives from a product or service provider. But activities...
Records of processing activities in GDPR Article 30

Records of processing activities in GDPR Article 30

What do companies have to include in the records of processing activities? GDPR Article 30 requires companies to keep an...
Data Protection Authorities (DPA)

Data Protection Authorities (DPA)

Data Protection Authorities (DPA) Data Protection Authorities (DPA) are independent public authorities that supervise, through investigative and corrective powers, the...
Data Processing Agreement (DPA)

Data Processing Agreement (DPA)

What is a DPA? A Data Processing Agreement (DPA) is a legally binding document to be entered into between the controller...
GDPR compliance checklist for controllers

GDPR compliance checklist for controllers

This is a simple GDPR compliance checklist for controllers that you can use to ensure you have considered most important...
GDPR Basics: Are you a Controller or a Processor?

GDPR Basics: Are you a Controller or a Processor?

What are ‘controllers’ and ‘processors’? With this short and simple article, we will try to explain the basics of controllers...
Templates for Records of Processing Activities

Templates for Records of Processing Activities

As we see every day, most companies and organisations still keep their Records of Processing Activities in spreadsheets. Through our...
Web plug-in requires visitor’s consent

Web plug-in requires visitor’s consent

In the light of the recent ruling of the European Court of Justice, website owners have to bear in mind...
First GDPR fine issued in Lithuania

First GDPR fine issued in Lithuania

A year after GDPR came into force, the Lithuanian Data Protection Authority (VDAI) has issued its first administrative fine. UAB ‘Mister Tango’,...

Zpracovává vaše společnost osobní údaje?

Zpracovávat vaše společnost osobní údaje fyzických osob, jako jsou:

  • Údaje zaměstnanců, zákazníků, uchazečů o zaměstnání nebo pacientů včetně:
    • Jméno nebo osobní identifikační číslo
    • Kontaktní údaje (e-mailová adresa, telefonní číslo, adresa)
    • Bankovní údaje, plat, údaje o pasu nebo jiné osobní údaje


Ar Jūsų įmonė renka ir tvarko fizinių asmenų asmens duomenis? 

Asmens duomenys gali būti:

  • Kliento, darbuotojo. paciento, kandidato į darbo vietą ir kt. 
    • Vardas ar asmens  numeris 
    • Kontaktinė informacija (el.pašto adresas, telefono numeris, adresas ir kt)
    • Banko sąskaitos  duomenys, atlyginimo dydis, paso duomenys ar bet kokia kita asmeninė informacija. 

Onko yrityksessäsi enemmän, kuin 250 työntekijää?

Kas teie ettevõte kogub ja töötleb isikuandmeid?

Kas teie ettevõte kogub ja töötleb füüsiliste isikutega seotud andmeid nagu näiteks:

Töötajate, klientide, tööle kandideerijate, patsientide:

  • Nimi, isikukood
  • E-posti aadress, telefoninumber, kodune aadress
  • Pangakontonumber, palgasumma, krediitkaardiandmed või mõnda muut tüüpi isiklikud andmed

Does your company collect any personal data?

Does your company collect and process any personal data of natural persons such as:

  • Employees, Customers, Job Applicants or Patients including:
    • Name or personal ID number
    • Contact details (Email address, Phone number, Address)
    • Bank details, Salary amounts, Passport details or any other personal data