The GDPR is a complex regulation to comply with: it covers many sectors, affects a huge number of companies and applies throughout the life cycle of a customer or user. In addition, to ensure that data processing is carried out in accordance with the regulation, other characteristics must be taken into account, such as the business model into which each company falls: B2B, B2C or the more complex B2B2C.
In this post in our series on the GDPR, we review compliance with the General Data Protection Regulation as applied to these models.
B2B Model
When we talk about B2B business we refer to those business models in which “transactions of goods or services occur between two companies”.
In this case, organizations establish links with other companies and, as a consequence, large amounts of data, sometimes of a personal nature, are generated, shared and stored. Examples include the names of companies, their directors or employees, capital, other financial data and confidential information such as account numbers, first and last names, e-mails, IP addresses, etc. A typical case in which some of these data are shared is the exchange of contractual information between companies of any sector, for example between suppliers of goods and/or services (credits, investment products, means of payment…).
B2C Model
B2C model companies are those that sell or serve their products and services directly to end customers, without the presence of intermediaries. These organizations manufacture their products themselves and market them without going through external distribution systems.
In this case, as in the previous one, personal data are also processed on a massive scale, both identifying data (name, postal address, identity document, telephone number, etc.) and financial data (bank card or account number, among others). Sometimes even commercial communications may be sent, which, depending on the product in question, may or may not require the consent of the recipient.
A clear example is that of energy supply or insurance companies, which request the customer’s consent before sending them an offer for a product other than the one they have contracted.

B2B2C Model
In this type of business model, companies reach the end consumer through other companies, while retaining the ability to interact with the end customer through their own brand. In other words, a company with a B2B (Business-to-Business) model partners with another with a B2C (Business-to-Consumer) model. This synergy involves a combination of efforts in which the supplier (B2B) establishes a commercial alliance with its distributors, wholesalers or retailers (B2C), with the aim of reaching more end customers.
One example is financial services companies that offer their products through banks or insurance brokers.
Relationship between the GDPR and these business models
In any of the above business models, companies process personal data and must therefore comply with the General Data Protection Regulation in the countries and cases where it applies.
Does this mean that a company cannot send e-mails and exchange communications with another company’s personnel?
In this case, the sending company must first verify that it can communicate with that person in accordance with the provisions of the GDPR. There are six legal bases for processing personal data: consent, contract, legal obligation, vital interests, public task and legitimate interest.
Under legitimate interest, data must be used in a way that people reasonably expect and that has a minimal impact on privacy (in the event that an individual’s rights are infringed, their rights will override legitimate interest). Thus, the company will need to ensure that it sends emails to the right people with a message that may be of interest to them.
On the other hand, if the company that wants to send the communication has obtained verifiable consent, for example through a registration form, it can proceed without problems. As a data controller, it is important to collect the consent in a valid manner, and it must also be stored. Therefore, consent has to be obtained through a channel that provides proof of receipt: email, call and/or WhatsApp, among others.
However, deciding which legal basis to apply can be complicated and, therefore, our recommendation to any data controller is to consult their organization’s Data Protection Officer.
Finally, if the e-mail address to which the information is forwarded is not linked to any individual (e.g. info@company.com), it may even fall outside the scope of “personal data”.
What else do we have to consider? In the event that legitimate interest is used as a basis for sending commercial communications, the user and/or customer must be able to easily object.
If the basis is consent, then the person receiving the communication has the right to withdraw it at any time. And the company is obliged to stop the processing as soon as this occurs.

How can the above organizations comply with the GDPR?
There are some keys to ensure compliance with the GDPR and, therefore, avoid sanctions (in the case of Spain, by the Spanish Data Protection Agency, one of the most active in Europe). These recommendations are:
- The principle of data minimization must be applied: the more types of data processed, the greater the risk of non-compliance.
- It is crucial to identify and analyze the legal basis for processing personal data. It is best to do this together with a legal professional.
- Privacy policies should be easy to read, understand and access. In addition, they must contain correct and constantly updated information.
- Systems need to be reviewed on a regular basis to check that they are operating in accordance with the GDPR.
- A valid record of consents must be maintained.
Our solution for GDPR consent management
Since 2018, the General Data Protection Regulation (GDPR) has regulated the processing of personal data of natural persons. This involves complex management, which we at MailComms Group can help you with through our GDPR consulting and proprietary technology. Our solution for the management of GDPR consents will allow you to comprehensively manage consents throughout the customer’s life cycle.
