What you need to know.
The GDPR not only governs the relationship between a company, its employees and its (B2C) customers; it also plays an important role in B2B relationships with suppliers and (B2B) customers. In these relationships there will practically always be some transfer of personal data. Think, for example, of e-mail correspondence that contains the professional e-mail address and position of the employees involved. The transfer of personal data can also be a direct consequence of the cooperation itself, for example when a social secretariat is engaged for payroll services or an IT company for software development.
Under the GDPR, the obligations attached to these transfers depend on the role each company plays (see GDPR Toolkit 09). For instance, between a controller and a processor, Article 28 GDPR requires the parties to enter into a data processing agreement. Between joint controllers, Article 26 GDPR requires an arrangement that determines their respective responsibilities. Transfers to recipients outside the EEA are additionally subject to the specific transfer mechanisms of Chapter V GDPR (such as an adequacy decision or standard contractual clauses), which are intended to guarantee an equivalent level of protection for the personal data concerned. Keep an eye on our upcoming Privacy Talks for practical tips on this subject.
The GDPR contains no specific rules on the processing of personal data of supplier contacts, customer contacts and other business partners (e.g. data exchanged in e-mail correspondence). The "general" obligations, such as the requirement of a legal basis and the transparency obligation, of course do apply. In practice, these obligations are now often implemented through clauses in B2B contracts. It is indeed important that companies take "appropriate measures" when transferring personal data (Article 24 GDPR).
What you need to do.
Whenever your company enters into a new B2B agreement, it is important to determine three things: what personal data will be transferred within the framework of that agreement; in what capacity your company and the other contracting party(ies) act (separate controller, processor and/or joint controller); and where the parties are located (within or outside the EEA).
In light of this analysis, the necessary data protection clauses should be included in the B2B agreement:
- In every B2B relationship there will be at least one (usually reciprocal) transfer of personal data about individuals, such as the professional contact details and position of the employees involved. In principle, this is a transfer between separate controllers. This means that each party must independently comply with its own GDPR obligations. It is useful to state this explicitly in the agreement.
- On top of this, further restrictions and obligations on the receiving party's use of such personal data can be added, for example by specifying the purposes for which the personal data may be used.
- In addition, it is useful to include a mutual assistance obligation, for example in the context of the transparency obligation and data subject requests. In this respect, you should certainly also consider including equivalent provisions in your general terms and conditions.
Authors:
Anouk Focquet - anouk.focquet@contrast-law.be
Laurence Vanhyfte - laurence.vanhyfte@contrast-law.be