GDPR and B2B Data: What You Can and Can’t Do

Many marketers assume GDPR only covers consumer data, but business contact details — a name and a work email — are personal data under the regulation. That makes GDPR central to how you handle B2B data involving people in the EU and UK. Here’s a plain-English overview of what’s generally allowed and what isn’t.

How GDPR Applies to B2B Data

GDPR governs the processing of personal data of individuals in the EU and UK, regardless of whether that data is “business” or “personal” in nature. Because a named individual at a company is identifiable, their work contact details count as personal data. So handling B2B contacts for EU/UK individuals brings you within GDPR’s scope.

Personal Data in a B2B Context

A generic, non-personal address like info@company.com is generally not personal data. But jane.smith@company.com, tied to an identifiable person, is. This distinction matters: targeting role-based inboxes carries different considerations than targeting named individuals, whose data attracts the full set of GDPR protections.

Lawful Bases: Consent vs. Legitimate Interest

GDPR requires a lawful basis to process personal data. For B2B marketing, organizations often rely on legitimate interest rather than explicit consent, but that requires a balancing assessment weighing your interest against the individual’s rights, and individuals can object. Consent is another basis, required in some contexts. Which basis applies depends on the specifics, and getting it right matters.

What You Can Generally Do

With a valid lawful basis and proper safeguards, you can generally process B2B contact data for relevant marketing — for example, reaching a business contact about something genuinely relevant to their role, where they’d reasonably expect it. Transparency about who you are and how you got their data, plus an easy way to opt out, supports this.

What You Generally Can’t Do

You generally can’t process personal data without a lawful basis, ignore individuals’ rights to access or erase their data, hide who you are or how you obtained their details, or keep emailing someone after they’ve objected. Note too that electronic-marketing rules (ePrivacy/PECR and national laws) add channel-specific consent requirements that vary by country, sometimes requiring opt-in for email.

Practical Steps for Compliance

In practice: identify and document your lawful basis, keep a record of where data came from, provide clear privacy information, make opt-out and erasure easy and honor them promptly, and check the national electronic-marketing rules for each country you target. Working with vendors who can evidence lawful sourcing makes all of this considerably easier.

Key Takeaways

GDPR treats identifiable business contacts as personal data, so it applies to much B2B marketing involving EU/UK individuals. You need a lawful basis (often legitimate interest, with a balancing test), must respect individuals’ rights, and must follow national electronic-marketing rules. Because the details are nuanced, consult a data-protection professional.

Frequently Asked Questions

Does GDPR apply to B2B data?

Yes. Business contact details for an identifiable individual in the EU or UK are personal data, so GDPR applies to processing them. Generic role inboxes are treated differently.

Do I need consent to email B2B contacts under GDPR?

Not always — organizations often rely on legitimate interest with a balancing test. However, national electronic-marketing rules vary and can require consent for email, so it depends on the country.

What is legitimate interest?

A lawful basis under GDPR that lets you process data for a genuine interest, provided it’s balanced against the individual’s rights and they can object. It requires a documented assessment.

What can’t I do with B2B data under GDPR?

Process it without a lawful basis, ignore access or erasure rights, hide how you got the data, or keep contacting someone after they object.

How can I evaluate whether a B2B data vendor is GDPR-conscious?

Ask how the vendor sources its data, what lawful bases it relies on, how privacy notices are handled, how individuals can exercise their rights, and whether compliance documentation is available upon request.

Do GDPR rules apply if my company is outside the EU?

They can. GDPR may apply when processing the personal data of individuals located in the EU or UK, regardless of where the organization performing the processing is based.

What information should a compliant B2B data vendor provide?

Reputable vendors should be able to explain their data sources, verification methods, privacy practices, data retention policies, and procedures for handling data subject requests and objections.

What happens if someone objects to being contacted?

Organizations should honor valid objections and update their records to prevent further outreach where required. Maintaining accurate suppression and opt-out processes is an important part of compliance.

Can I keep B2B contact data indefinitely under GDPR?

Generally, personal data should not be retained longer than necessary for the purpose for which it was collected. Organizations should establish appropriate retention policies and regularly review stored data.

Why is documentation important when using B2B data under GDPR?

Documentation helps demonstrate accountability by showing how data was obtained, why it is being processed, what lawful basis is being relied upon, and how privacy rights and compliance obligations are being managed.