There was a time when GDPR prompted panic among marketers who thought the arrival of GDPR would mark the end of newsletters and email campaigns and marketing as they knew it. However, things turned out to be not as bad as anticipated. According to recent studies in fact, including research published by the MailUp’s Statistical Observatory and the Politecnico di Milano’s Digital B2B Observatory, email marketing continues to thrive despite limitations and it is still considered one of the most efficient channels in B2B marketing.

Being GDPR compliant is not only a legal matter – companies risk multimillion-dollar penalties commensurate with their size – but it is also a strategic opportunity. Evidence shows that transparency in data management in fact strengthens user trust and fosters long-term, sustainable engagement.

If you work in the B2B sphere, the following article will provide you with all the information you need to ensure your email marketing campaigns stay compliant without sacrificing efficacy.

The General Data Protection Regulation, also known as GDPR, is a European regulation that came into force in May 2018, replacing “Directive 95/46/EC”, which was designed to ensure that personal data of EU citizens was processed lawfully, fairly and transparently, strengthening people’s rights to privacy and protection of their data.

Initially, some thought that GDPR would only apply to consumer marketing and not business contacts; however, this assumption turned out to be wrong. GDPR, in fact, protects all data that identifies an individual, both in a personal and professional context. This includes work email addresses that contain the person’s name (for example, name.surname@company.it). In contrast, generic addresses such as info@company.it, which do not make it possible for a person to be identified, are not constrained by GDPR.

Although GDPR is directly applicable across the European Union, each Member State can adopt national rules specifying or supplementing its application. This concerns mainly areas left to national discretion, such as the processing of data in employment relationships, and health or marketing purposes.

In relation to electronic marketing specifically, the legislation provides specific directives for data processing in the context of promotional communications addressed to businesses. The law does not necessarily require explicit consent for commercial communications addressed to business contacts: in some cases it is possible to rely on legitimate interest, provided that the person concerned has been clearly informed prior, has the opportunity to exercise his or her rights and can easily object to further communications being sent to him or her.

For these reasons, it is necessary to ensure that the contact lists used comply not only with GDPR, but also with national legislation and directives.

Legitimate interest can be used to justify commercial communications, making B2B marketing much easier to manage compared to B2C marketing.

But what is legitimate interest?

Legitimate interest is one of the six legal bases for processing data explicitly defined in Article 6(1)(f) of the General Data Protection Regulation.

Although legitimate interest remains a valid legal basis for B2B marketing under GDPR, it is necessary to question if it is applicable in specific cases. To do so, three questions need to be asked:

1. Do I have a legitimate interest in executing these communications? The reason for processing data can be commercial, i.e., aimed at promoting products or services to a potential business client; individual, i.e., for the purpose of informing a professional contact who has shown interest in an event; or third party, i.e., acting on behalf of a client for marketing matters.
2. Is data processing necessary to achieve this interest? If the goal can be reached in other ways that are less intrusive, you will not be able to rely on legitimate interest.
3. Do the rights of the individual take priority over legitimate interest? If data processing is not necessary or is causing harm, the personal rights, interests, and freedom of the individual in this case override the legitimate interest clause.

If the answer to all three questions is yes, then it is very likely that you are in the clear.

Here’s an example to better understand this concept: if someone leaves a business card at a fair, it would be considered reasonable to follow up; provided that the request is consistent with the original purpose and that the people concerned are clearly informed of the processing of their data.

In such a situation, in fact, the data subject has provided the data in a professional context and with an implicit expectation that the data shared may trigger subsequent contact. Importantly, such processing does not necessarily require explicit consent, because it can be based on the principle of legitimate interest (under Article 6(1)(f) of the GDPR), provided that:

• the purpose of the processing is clear and consistent with the situation in which the data was provided (e.g., a follow-up message about the event or service discussed, and not the automatic subscription to a newsletter or the transfer of data to a third party);
• the person could reasonably expect that type of contact, considering the professional context in which they shared the data;
• transparency is ensured, for example by making it clear from the start that the data will be used only for a specific purpose, offering summary information and the possibility of exercising one’s rights such as requesting deletion or objecting to processing.

When it comes to data processing, consent is a critical element. Along with legitimate interest, consent is one of the six bases, provided by privacy regulations for the processing of personal data, and it is strictly regulated.

Consent must be free, informed, specific, and explicit. Laws and guidelines provided by the data protection authority stress that consent cannot be implicitly granted, and pre-selected boxes or silence may not be used as a way to increase acceptance since this type of strategy doesn’t give the user complete control over his or her information, as highlighted by the European Data Protection Board (EDPB).

In the context of B2B marketing, consent isn’t required where legitimate interest applies. However, if the data concerned relates to individual companies or independent professionals, who are considered individuals, the processing of the data must be carried out with the explicit consent of the subject.

Sending marketing communications to corporate entities is permitted without consent as long as a generic e-mail address such as info@company.it is used, since it does not involve personal data.

In terms of best practices, if your company provides services and/or products to both B2C and B2B audiences, it is essential to separate contacts accordingly to ensure personal data is handled correctly and in line with specific regulations. Particular attention must be paid to freelancers and individual companies, often considered individuals in the eyes of the law and therefore subject to stricter data protection rules. To aid this distinction and easily identify individual enterprises for example, web forms should have fields for company name and structure. Finally, it is crucial to always keep a record of consent for users and regularly assess legitimate interest. 

In an ever-changing landscape, it is critical to stay abreast of data protection changes to avoid penalties and potential legal complications. However, GDPR compliance is not just about regulatory obligations – it is also an opportunity to strengthen customer trust. In fact, ensuring that data is handled securely and transparently can significantly improve your company’s trustworthiness and foster long-term customer relationships.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. We are not lawyers and do not intend to substitute ourselves for the advice of a qualified professional. For specific legal issues, we recommend that you consult a lawyer.