PLEASE NOTE: Our website uses a technology called cookies to improve your experience. One of the cookies we use is essential for parts of the site to operate and may have already been set. You may delete and block all cookies from this site, but parts of the site will not work. For more information see our privacy policy.

To accept cookies from this site (and hide this notice) please check this box and click the continue button.

HomeThe IssuesOur ServicesOur TeamPublicationsTestimonialsNewsletterContact us

On the case - December 2006

December 2006

When do privacy rules cover business-to-business data?


One of the most common misconceptions about the scope of European Privacy legislation is that it does not apply to the processing of business data. The definition of personal data in the Data Protection Directive is very wide: “Personal Data shall mean any information relating to an identified or identifiable natural person”. Identifying factors include not just personal characteristics but economic ones as well. To be clear, business information without reference to a named individual is not covered but where a named individual is present, the data is personal.


Business database owners must, therefore, apply the same stringent requirements for consent as their consumer counterparts. For postal communications that generally means that the business person must be offered an opt-out when the data is collected. But the advent of the Directive on Privacy and Electronic Communications has brought another layer of possible confusion into the mix. The Directive applies to “natural persons” but also requires that “the legitimate interests of subscribers other than natural persons with regard to unsolicited communications are sufficiently protected.” (Article 13)


The UK’s interpretation of this requirement in the Privacy and Electronic Communications Regulations (EC Directive) 2003 (PECR) has been to include some classes of business contacts within the definition of an “individual subscriber”. The definition covers not just residential subscribers but sole traders and non limited partnerships in England, Wales and Northern Ireland and any partnerships in Scotland. Individuals within corporates or public service employees are not covered but emails to them are still governed by the  Data Protection Act 1998 and the PECR requirements to identify the sender of an email and to include an unsubscribe option still apply.


Other European countries have extended the protection in the Directive to corporate subscribers making no differentiation between “natural persons” and legal persons or their employees. Holland, Germany, Denmark, Italy and Spain are among the countries which require opt-in consent for email communications. Many countries have a strict interpretation of the so called “soft opt-in” rule. In the UK, this allows email addresses collected “in the course of a sale or negotiations for a sale” to be gathered using opt-out – this includes collections which occur before the sale is completed. This is not so in most of the rest of Europe where the sale has to be completed for the dispensation to apply. Given the protracted nature of most B2B sales processes this de facto means that details have to be collected with opt-in.


Other recent items: