In principle, there are no exceptions for business transactions in the business-to-business (B2B) and business-to-consumer (B2C) sectors. Where the lack of practical jurisprudence creates ambiguity, companies are required to implement the regulation “in good faith” following the legal principle.

The still young General Data Protection Regulation (GDPR) lacks concrete interpretation in many places. Without practical case law, many statements about possible pitfalls of the GDPR remain unconfirmed interpretations.

It is well known that customers now have to expressly give their consent to the processing of personal data. This requires a clear and easily accessible declaration of consent, in which those affected must tick the box themselves. Example: A person gives their email address in order to receive a newsletter or white paper. That alone is not a valid consent. The e-mail address may not be saved or added to the mailing list without a declaration of consent. Even visiting a website for the first time (with or without a cookie banner) does not constitute consent. This form of consent does not only apply to online marketing. B2B companies are often represented at trade fairs, where they drum up advertising with special campaigns and occasionally accept business cards from interested parties. Because the contact details are personal, a declaration of consent in accordance with the GDPR should also be completed here. So far it is unclear to what extent this applies if the business card only contains the general contact details of the company. Because personal data of legal persons are excluded according to recital no. 14 sentence 2 EU-DSGVO. It is not yet clear which dates are actually meant by this.

GDPR-compliant data processing for business initiation

Data processing is only permitted if it serves to initiate business. This means that only data relating, for example, to preliminary contracts and measures to develop business agreements (e.g. requests for offers) may be processed. However, this does not change the information obligation. According to the GDPR, customers must be informed for what purpose and to what extent the data is processed. This affects the forwarding of collected addresses of potential customers.

Double opt-in as a solution to the problem

A strategy for overcoming the hurdles in the B2B environment was established early on: double opt-in. The customer must actively agree to standardized forms, and then receives a link that must be opened to confirm. This action is then stored in the Customer Relationship Management (CRM) or Master Data Management (MDM) system in such a way that the transparency and verification obligations are met in case of doubt. According to experts, an MDM system (or similar central data hubs) should facilitate the implementation of the regulation. More information on the subject of the General Data Protection Regulation (GDPR) is available at