The GDPR is a complex regulation in terms of compliance: it covers many sectors, affects a huge number of companies and is present throughout the life cycle of a customer or user. But, in addition, to ensure that data processing is carried out in accordance with the regulations, other characteristics must also be taken into account, such as the type of business model into which each company can be classified: B2B, B2C or B2B2C (more complex).
In this post of our series of contents on the GDPR we review the regulatory compliance of the General Data Protection Regulation applied to these models.
B2B Model
When we talk about B2B business we refer to those business models in which “transactions of goods or services occur between two companies”.
In this case, organizations establish links with other companies and, as a consequence, large amounts of data, sometimes of a personal nature, are generated, shared and stored. Examples include the names of companies, their directors or employees, capital, other financial data and confidential information such as account numbers, first and last names, e-mails, IP addresses, etc. A typical case in which some of these data are shared is the exchange of contractual information between any company and any sector, such as suppliers of goods and/or services between companies (credits, investment products, means of payment…).
Find out! NIS 2 is about to be implemented. Is your company ready?
B2C Model
B2C model companies are those that sell or serve their products and services directly to end customers, without the presence of intermediaries. These organizations manufacture their products themselves and market them without going through external distribution systems.
In this case, as in the previous one, personal data are also processed on a massive scale, both identifying data (name, postal address, identity document, telephone number, etc.) and financial data (bank card or account number, among others). Sometimes even commercial communications may be sent, which, depending on the product in question, may or may not require the consent of the recipient.
A clear example of this case is the case of energy supply or insurance companies, when you request the customer’s consent before sending them an offer for a product other than the one they have contracted.

B2B2C Model
In this type of business model, companies reach an end consumer through other companies. But at the same time they have the ability to interact with the end customer through their own brand. In other words, we have a company with a B2B(Business-to-Business) business model that partners with another B2C(Business-to-Consumer). This synergy involves a combination of efforts in which the supplier (B2B) establishes a commercial alliance with its distributors, wholesalers or retailers (B2C), with the aim of reaching more end customers.
One example is financial services companies that offer their products through banks or insurance brokers.
| Model | Definition | Personal data processed | Typical example |
|---|---|---|---|
| B2B | Business-to-business transactions | Names of executives/employees, email addresses, IP addresses, financial and account data | Exchange of contractual information between a supplier and a corporate customer |
| B2C | Direct sales to the end customer, without intermediaries | Identifying information (name, address, ID number) and financial information (credit card, bank account) | Energy or insurance companies offering additional products with consent |
| B2B2C | A B2B company that reaches the end customer through another B2C company, while maintaining its own brand | Combined data from both relationships; greater complexity in tracking consent | Financial services distributed through banks or insurance brokers |
Relationship between the GDPR and these business models
In any of the above business models, companies have to process personal data and therefore must comply with the provisions of the current regulations of the General Data Protection Regulation, in the applicable countries and cases.
Does this mean that a company cannot send e-mails and exchange communications with another company’s personnel?
In this case, the sending company must first verify that it can communicate with that person in accordance with the provisions of the GDPR. There are six legal bases for processing personal data: consent, contract, legal obligation, vital interests, public task and legitimate interest.
| Legal Basis | What this entails | Can the user revoke it? |
|---|---|---|
| Consent | The user expressly authorizes the processing of their data; this authorization must be verifiable and safeguarded | Yes, at any time |
| Contract | Processing is necessary to fulfill a contract with the data subject | Does not apply while the contract is in effect |
| Legal Obligation | The processing is required by a regulation applicable to the company | No |
| Vital Interests | The treatment protects a person’s life or physical integrity | No |
| Public Duty | The processing is carried out in the public interest | No |
| Legitimate Interest | The company has a legitimate interest that does not infringe upon the rights of the data subject | The user may object at any time |
Under legitimate interest, data must be used in a way that people reasonably expect, but also has a minimal impact on privacy (in the event that an individual’s rights are infringed, their rights will override legitimate interest). Thus, the company will need to ensure that they send emails to the right people with a message that may be of interest to them.
On the other hand, if the company that wants to send the communication has obtained verifiable consent through a registration form, for example, it can proceed without problems. As a data controller, it is important to collect the consent in a valid manner, and it must also be stored. Therefore, obtaining consent has to be done through any channel that allows you to have proof of receipt, email, call, and/or WhatsApp, among others.
However, deciding which legal basis to apply can be complicated and, therefore, our recommendation to any data controller is to consult your organization’s Data Protection Officer.
Finally, if the e-mail address to which the information is forwarded is not linked to any individual (e.g. info@company.com), it may even fall outside the scope of “personal data”.
What else do we have to consider? In the event that legitimate interest is used as a basis for sending commercial communications, the user and/or customer must be able to easily object.
If the basis is consent, then the person receiving the communication has the right to withdraw it at any time. And the company is obliged to stop the processing as soon as this occurs.
Check out our post: From Care to Accreditation: The SAC Act (Law 10/2025).

How can the above organizations comply with the GDPR?
There are some keys to ensure compliance with the GDPR and, therefore, avoid sanctions (in the case of Spain, by the Spanish Data Protection Agency, one of the most active in Europe). These recommendations are:
- The principle of data minimization must be applied: the more types of data processed, the greater the risk of non-compliance.
- It is crucial to identify and analyze the legal basis for processing personal data. It is best to do this together with a legal professional.
- Privacy policies should be easy to read and understand and provide easy access. In addition, they must contain correct and constantly updated information.
- Systems need to be reviewed on a regular basis to check that they are operating in accordance with the GDPR.
- A valid record of consents must be maintained.
Our solution for GDPR consent management
Since 2018, the General Data Protection Regulation (GDPR) regulates the processing of personal data of natural persons, which involves a complex management that we at MailComms Group, through our GDPR consulting and proprietary technology, can provide you with. Our solution for the management of GDPR consents will allow you to comprehensively manage consents throughout the customer’s life cycle.
Frequently Asked Questions
What is the difference between GDPR compliance in B2B and B2C models?
In B2B, the personal data processed typically belongs to executives or employees of another company (email addresses, job titles, contact information) within the context of a contractual relationship. In B2C, the company processes personal data from end consumers on a large scale—including both identifying and financial information—and often needs a specific legal basis—consent or legitimate interest—to send marketing communications.
What are the six legal bases under the GDPR for processing personal data?
The six legal bases under the GDPR are: consent, contract, legal obligation, vital interests, public task, and legitimate interest. Each one determines what the company must demonstrate and what rights the data subject has; for example, only consent and legitimate interest can be revoked or objected to directly by the user.
Can I send marketing communications to a customer without their consent?
Yes, if the company can rely on a legitimate interest: the processing must be something the individual would reasonably expect, with minimal impact on their privacy, and must always allow them to easily object. If that basis does not exist, it is necessary to obtain verifiable and properly documented consent before sending any commercial communication.
What are the obligations of a company operating under the B2B2C model with regard to the GDPR?
In the B2B2C model, the supplier (B2B) and its distributor or partner (B2C) process data from the same end customer based on different relationships. Both parties must independently identify their legal basis for processing, maintain separate consent records, and ensure that consent remains traceable even as the data is transferred from one company to another.
How should a company manage the recording and revocation of GDPR consents?
Consent must be obtained through a channel that provides proof of receipt—such as a form, email, recorded phone call, or certified WhatsApp message—and the data subject must be able to revoke it at any time. As soon as consent is revoked, the company is required to immediately stop processing that data.
