In this article we explain the principle of accountability, key to avoid mistakes in the management of personal data. Enjoy a new entry in our series of contents on the GDPR.

Las claves para el cumplimiento RGPD en los diferentes modelos de negocio: B2B, B2C y B2B2C

The GDPR is a complex regulation in terms of compliance: it covers many sectors, affects a huge number of companies and is present throughout the life cycle of a customer or user. But, in addition, to ensure that data processing is carried out in accordance with the regulations, other characteristics must also be taken into account, such as the type of business model into which each company can be classified: B2B, B2C or B2B2C (more complex).

In this post of our series of contents on the GDPR we review the regulatory compliance of the General Data Protection Regulation applied to these models.

B2B Model

When we talk about B2B business we refer to those business models in which “transactions of goods or services occur between two companies”.

In this case, organizations establish links with other companies and, as a consequence, large amounts of data, sometimes of a personal nature, are generated, shared and stored. Examples include the names of companies, their directors or employees, capital, other financial data and confidential information such as account numbers, first and last names, e-mails, IP addresses, etc. A typical case in which some of these data are shared is the exchange of contractual information between any company and any sector, such as suppliers of goods and/or services between companies (credits, investment products, means of payment…).

Find out! NIS 2 is about to be implemented. Is your company ready?

B2C Model

B2C model companies are those that sell or serve their products and services directly to end customers, without the presence of intermediaries. These organizations manufacture their products themselves and market them without going through external distribution systems.

In this case, as in the previous one, personal data are also processed on a massive scale, both identifying data (name, postal address, identity document, telephone number, etc.) and financial data (bank card or account number, among others). Sometimes even commercial communications may be sent, which, depending on the product in question, may or may not require the consent of the recipient.

A clear example of this case is the case of energy supply or insurance companies, when you request the customer’s consent before sending them an offer for a product other than the one they have contracted.

Key Points for GDPR Compliance in B2B, B2C, and B2B2C

B2B2C Model

In this type of business model, companies reach an end consumer through other companies. But at the same time they have the ability to interact with the end customer through their own brand. In other words, we have a company with a B2B(Business-to-Business) business model that partners with another B2C(Business-to-Consumer). This synergy involves a combination of efforts in which the supplier (B2B) establishes a commercial alliance with its distributors, wholesalers or retailers (B2C), with the aim of reaching more end customers.

One example is financial services companies that offer their products through banks or insurance brokers.

Model Definition Personal data processed Typical example
B2B Business-to-business transactions Names of executives/employees, email addresses, IP addresses, financial and account data Exchange of contractual information between a supplier and a corporate customer
B2C Direct sales to the end customer, without intermediaries Identifying information (name, address, ID number) and financial information (credit card, bank account) Energy or insurance companies offering additional products with consent
B2B2C A B2B company that reaches the end customer through another B2C company, while maintaining its own brand Combined data from both relationships; greater complexity in tracking consent Financial services distributed through banks or insurance brokers

Relationship between the GDPR and these business models

In any of the above business models, companies have to process personal data and therefore must comply with the provisions of the current regulations of the General Data Protection Regulation, in the applicable countries and cases.

Does this mean that a company cannot send e-mails and exchange communications with another company’s personnel?

In this case, the sending company must first verify that it can communicate with that person in accordance with the provisions of the GDPR. There are six legal bases for processing personal data: consent, contract, legal obligation, vital interests, public task and legitimate interest.

Legal Basis What this entails Can the user revoke it?
Consent The user expressly authorizes the processing of their data; this authorization must be verifiable and safeguarded Yes, at any time
Contract Processing is necessary to fulfill a contract with the data subject Does not apply while the contract is in effect
Legal Obligation The processing is required by a regulation applicable to the company No
Vital Interests The treatment protects a person’s life or physical integrity No
Public Duty The processing is carried out in the public interest No
Legitimate Interest The company has a legitimate interest that does not infringe upon the rights of the data subject The user may object at any time

Under legitimate interest, data must be used in a way that people reasonably expect, but also has a minimal impact on privacy (in the event that an individual’s rights are infringed, their rights will override legitimate interest). Thus, the company will need to ensure that they send emails to the right people with a message that may be of interest to them.

On the other hand, if the company that wants to send the communication has obtained verifiable consent through a registration form, for example, it can proceed without problems. As a data controller, it is important to collect the consent in a valid manner, and it must also be stored. Therefore, obtaining consent has to be done through any channel that allows you to have proof of receipt, email, call, and/or WhatsApp, among others.

However, deciding which legal basis to apply can be complicated and, therefore, our recommendation to any data controller is to consult your organization’s Data Protection Officer.

Finally, if the e-mail address to which the information is forwarded is not linked to any individual (e.g. info@company.com), it may even fall outside the scope of “personal data”.

What else do we have to consider? In the event that legitimate interest is used as a basis for sending commercial communications, the user and/or customer must be able to easily object.

If the basis is consent, then the person receiving the communication has the right to withdraw it at any time. And the company is obliged to stop the processing as soon as this occurs.

Check out our post: From Care to Accreditation: The SAC Act (Law 10/2025).

GDPR compliance across different business models

How can the above organizations comply with the GDPR?

There are some keys to ensure compliance with the GDPR and, therefore, avoid sanctions (in the case of Spain, by the Spanish Data Protection Agency, one of the most active in Europe). These recommendations are:

  • The principle of data minimization must be applied: the more types of data processed, the greater the risk of non-compliance.
  • It is crucial to identify and analyze the legal basis for processing personal data. It is best to do this together with a legal professional.
  • Privacy policies should be easy to read and understand and provide easy access. In addition, they must contain correct and constantly updated information.
  • Systems need to be reviewed on a regular basis to check that they are operating in accordance with the GDPR.
  • A valid record of consents must be maintained.

Our solution for GDPR consent management

Since 2018, the General Data Protection Regulation (GDPR) regulates the processing of personal data of natural persons, which involves a complex management that we at MailComms Group, through our GDPR consulting and proprietary technology, can provide you with. Our solution for the management of GDPR consents will allow you to comprehensively manage consents throughout the customer’s life cycle.

Frequently Asked Questions

What is the difference between GDPR compliance in B2B and B2C models?

In B2B, the personal data processed typically belongs to executives or employees of another company (email addresses, job titles, contact information) within the context of a contractual relationship. In B2C, the company processes personal data from end consumers on a large scale—including both identifying and financial information—and often needs a specific legal basis—consent or legitimate interest—to send marketing communications.

What are the six legal bases under the GDPR for processing personal data?

The six legal bases under the GDPR are: consent, contract, legal obligation, vital interests, public task, and legitimate interest. Each one determines what the company must demonstrate and what rights the data subject has; for example, only consent and legitimate interest can be revoked or objected to directly by the user.

Can I send marketing communications to a customer without their consent?

Yes, if the company can rely on a legitimate interest: the processing must be something the individual would reasonably expect, with minimal impact on their privacy, and must always allow them to easily object. If that basis does not exist, it is necessary to obtain verifiable and properly documented consent before sending any commercial communication.

What are the obligations of a company operating under the B2B2C model with regard to the GDPR?

In the B2B2C model, the supplier (B2B) and its distributor or partner (B2C) process data from the same end customer based on different relationships. Both parties must independently identify their legal basis for processing, maintain separate consent records, and ensure that consent remains traceable even as the data is transferred from one company to another.

How should a company manage the recording and revocation of GDPR consents?

Consent must be obtained through a channel that provides proof of receipt—such as a form, email, recorded phone call, or certified WhatsApp message—and the data subject must be able to revoke it at any time. As soon as consent is revoked, the company is required to immediately stop processing that data.

Would you like more information? At MailComms Group, we'll answer all your questions.

Please fill out this form with your information, and we'll contact you to explain how this applies to your specific situation.

    Name*

    Last Name*

    Company email*

    Phone*