B2B vs B2C under GDPR

B2B and B2C aren't treated the same under GDPR. Here's why it matters.

GDPR applies to personal data processing regardless of context. But the national ePrivacy rules that sit on top of GDPR — and how regulators apply the legitimate interest balancing test — treat business contacts and consumer contacts very differently. For a named director at a registered company receiving a relevant commercial email, the privacy intrusion is low and the legitimate interest case is strong. For a consumer at a personal address, the bar is much higher. The problem is the grey zone in between — sole traders, partnerships, personal business email addresses, and consumer-adjacent roles — where B2B protections stop applying without being obviously B2C.

Try for free Read the B2B vs B2C breakdown

You probably came here because

You're not sure whether a ZZP'er or sole trader counts as a B2B contact under your ePrivacy rules.
Your enrichment tool returns personal email addresses for some contacts and you don't know if those are in scope.
You're emailing into a sector where the line between professional and personal role is blurry — coaches, consultants, small practices.
Your legal team is asking whether your outbound motion is B2B or B2C and you're not certain.

If any of that lands, the rest of this page is for you.

Free trial, no card

Ten prospects built on verifiably B2B contacts.

Hooklyne only builds packages for registered company contacts at business email addresses. No personal emails, no ZZP personal addresses, no grey-zone contacts. Free trial, no card.

Try for free

Where the B2B / B2C line sits

Four factors that determine whether a contact is B2B or B2C under GDPR.

The distinction isn't about what the person does for a living. It's about the legal status of the entity they represent, the nature of the email address, and what the national ePrivacy rules say about that combination.

Factor 1: legal form of the entity — company registration is the cleanest test.

A contact at a registered legal entity — BV, NV, stichting, Ltd, LLP, PLC — is a business contact for ePrivacy purposes in NL and UK. The Art. 11.7 Tw carve-out in NL and PECR Reg. 22 corporate subscriber definition in UK both turn on whether the entity is a legal person rather than a natural person. Check the KVK number or Companies House entry. If it's there, you're in the B2B zone. If the business is registered in the name of a natural person (eenmanszaak, sole trader), you're not.

Factor 2: email address — business domain vs personal domain is non-negotiable.

A contact with an email at a company domain (naam@bedrijf.nl, name@company.co.uk) is receiving mail at a business address. A contact with a personal email (gmail, hotmail, icloud, outlook personal) is at a personal address — regardless of whether they're the CEO of a company. Personal email addresses are always individual subscriber addresses under PECR and always carry a stronger privacy expectation under GDPR. Even if the KVK registration is clean, filter personal email addresses out of your B2B outbound.

Factor 3: ZZP'ers and sole traders — natural persons are treated as consumers.

A ZZP'er registered as a natural person (eenmanszaak) is not a corporate subscriber under NL law. The Telecommunicatiewet Art. 11.7 carve-out applies to sending to a rechtspersoon — a legal person — not to natural persons acting commercially. The AP consistently treats ZZP'ers, eenmanszaken, and other natural person business forms as individual subscribers with full consumer-equivalent ePrivacy protections. The same principle applies in UK: sole traders and most ordinary partnerships are individual subscribers per ICO guidance. Check the business form, not just the trade name.

Factor 4: consumer-adjacent roles carry higher privacy weight.

Even at a registered company, some roles function in contexts that are partially consumer-adjacent. A sole-practice lawyer, a one-person therapy practice, a family doctor at a small practice: the professional and personal lives overlap, the practice may be a BV but the email recipient functions partly as an individual. Regulators have latitude to weigh this in the balancing test — the more consumer-adjacent the role, the harder the legitimate interest case. Outreach needs to be specifically relevant to the professional function.

Factor 5: the content — a B2C offer through a B2B channel is still B2C.

A business email address at a registered company doesn't convert a consumer offer into a B2B one. If you're selling a product that is primarily consumer-facing and sending to a business contact hoping they'll use it personally, you're in B2C territory regardless of the email domain. The GDPR legitimate interest balancing test asks whether the data subject would 'reasonably expect' this communication in their professional capacity. A head of HR at a manufacturing company does not reasonably expect personal finance offers in their professional inbox.

Where to actually look

The primary sources, in case you want to read them yourself rather than trust a vendor blog post:

- Telecommunicatiewet Art. 11.7 (NL) — the B2B corporate entity carve-out.
- PECR Reg. 22 and ICO Direct Marketing Guidance — the UK corporate subscriber definition.
- GDPR Recital 47 on direct marketing as a possible legitimate interest.
- EDPB Opinion 06/2014 (WP29) on the legitimate interest balancing test.
- Autoriteit Persoonsgegevens published guidance on direct marketing and ZZP'ers.
- GDPR Article 21(2) — the absolute right to object to direct marketing.

Where the B2B / B2C distinction breaks down in practice

Three failure modes that look like B2B but aren't.

Each of these appears regularly in outbound programs that believe they're running a compliant B2B motion. Each has been visible in AP and ICO enforcement reasoning in the last five years.

Emailing a professional at their personal Gmail address.

An enrichment tool returns naam@bedrijf.nl and naam.consulting@gmail.com for the same contact. You send to both. The first is a business address at a registered entity — B2B. The second is a personal domain address — B2C, regardless of what the person does professionally. The distinction is the domain, not the person. Most teams don't segment this; most teams have CRM records with personal emails mixed in with corporate ones.

Prospecting ZZP'ers and eenmanszaken with a B2B motion.

A KVK search returns hundreds of freelancers and sole traders registered under their own name. They look like B2B contacts — they run businesses, they buy professional services, they're on LinkedIn. Under Telecommunicatiewet Art. 11.7 and AP guidance, they're not corporate subscribers. Sending to them requires either consent or a prior commercial relationship. Running NL B2B outbound without filtering for entity type produces a list that's partly legal and partly not, with no visible marker between the two.

Selling a consumer product through a B2B channel.

A contact is head of HR at a registered BV. You're selling personal finance software 'for professionals.' The email address is business, the entity is corporate. But the product is consumer-adjacent and the recipient is being approached in a personal capacity. The GDPR legitimate interest balancing test asks whether the data subject would 'reasonably expect' this processing. A head of HR at a manufacturing company does not reasonably expect personal finance offers in their professional inbox. The ePrivacy carve-out doesn't help you there.

When this approach works (and when it doesn't)

The B2B basis holds when the contact mechanics are built to that standard from the start.

Works when

- Sending to a named professional at a registered legal entity (BV, Ltd, LLP, NV) at a company domain email address.
- Your offer is materially relevant to the recipient's professional role and decision-making authority.
- You've filtered out personal email addresses, eenmanszaken, and ZZP natural persons before sending.
- Your suppression list covers opt-outs regardless of which email address the objection came from.

Doesn't work when

- Your contact list includes personal email addresses mixed in with corporate ones.
- You're sending to ZZP'ers or sole traders registered as natural persons.
- The product or service is consumer-facing and you're sending through a business channel.
- The role is consumer-adjacent and the offer isn't specifically relevant to that professional context.

Honest steelman

The B2B / B2C line is genuinely ambiguous for large parts of the Dutch freelance and SME market. A ZZP'er running a BV is a corporate subscriber. The same person running as an eenmanszaak is not. They might be indistinguishable from the outside unless you've run the KVK check. The safest posture isn't 'check everything' — it's to build your outbound lists from KVK and Companies House registrations from the start, so entity type is a field in the contact record, not an afterthought. That's what Hooklyne does by default.

How Hooklyne is built for this

The B2B basis starts at the company registration, not the enrichment hit.

Every Hooklyne prospect package is built from a registered company as the starting point, not a LinkedIn profile or an enrichment hit. The KVK number or Companies House entry is the first check — if the entity is registered as a natural person (eenmanszaak) or if there's no company registration, the contact doesn't make it into the package. What you receive is a business contact at a verified registered legal entity, with the company registration type in the record so you know the B2B basis holds.

Email addresses returned in packages are filtered by domain type. Personal email addresses (gmail, hotmail, icloud, outlook personal domains) are excluded before the package ships. Where no business domain email is available for a contact at a registered company, the package flags phone-or-LinkedIn-only rather than returning a personal email as a fallback. The B2B basis holds because the contact mechanics are built to the B2B standard.

For consumer-adjacent sectors — sole practitioners, micro-practices, personal service providers — Hooklyne's signal scoring includes sector context that helps identify whether a contact is in a professional buying role or a personal capacity. The target is always a named professional function at an identifiable company with a clear professional buying context: operations director at a logistics BV, CFO at a software NV, procurement head at a manufacturing firm. If the segment you define is consumer-adjacent, we flag it before building.

Simple pricing.

Simple credit system. Every action priced transparently. Switch plans or cancel anytime.

Start

from€39/mo

100credits / month

Solo rep. Test and validate your outbound. Self-serve.

Recommended

Growth

from€129/mo

400credits / month

1-2 reps. Full pipeline. Setup call included.

Scale

from€239/mo

800credits / month

Small sales team. Volume outbound. Up to 5 reps.

See full pricing Request pilot access

FAQ

B2B vs B2C GDPR questions, answered.

Does GDPR apply differently to B2B and B2C?

GDPR itself applies equally to all processing of personal data. The difference is in the ePrivacy rules that govern electronic marketing and in how regulators apply the legitimate interest balancing test. ePrivacy carves out corporate entity contacts for unsolicited B2B email in NL and UK; GDPR's legitimate interest is easier to sustain for a business contact receiving a professional message. Neither regulation treats B2B as GDPR-exempt.

Is a ZZP'er ever a B2B contact?

Yes — if they're registered as a BV or NV. A ZZP'er who incorporated as a BV is a legal entity (rechtspersoon) and the corporate subscriber distinction applies. A ZZP'er registered as an eenmanszaak is not. Check the KVK: rechtsvorm BV or NV = B2B. Rechtsvorm eenmanszaak or maatschap = treat as B2C for ePrivacy purposes.

What about partnerships (maatschappen, VOFs)?

A maatschap and VOF in the Netherlands are not rechtspersonen — they don't have separate legal personality. Their members are natural persons. The AP treats them similarly to eenmanszaken for ePrivacy purposes. In the UK, most ordinary partnerships are individual subscribers per ICO guidance. Limited partnerships and LLPs are different — they have a form of legal personality.

What if I've already sent to mixed B2B/B2C contacts?

Clean the list going forward: run a KVK or Companies House check on uncertain contacts, remove personal email addresses and eenmanszaak contacts from your B2B sequence, and ensure opt-outs from either list are suppressed across both. For contacts already processed, assess whether you have a separate basis and document what you find. The AP's enforcement approach for first-time corrections tends to be documentation-first, not fine-first.

Do the B2B rules apply to consumer B2B2C companies?

It depends on who receives the email. If you're selling B2B software to a head of IT at a registered company, that's a B2B contact in a professional role. The issue arises when the offer itself is consumer-facing and you're using the B2B channel as a proxy. The end-use doesn't change the immediate recipient's B2B status — but the offer's consumer nature affects the balancing test.

How do I know if my list is clean?

Run every company through KVK (for NL entities) or Companies House (for UK entities) and record the rechtsvorm / company type. Filter out eenmanszaken, natural person registrations, and entities without a company number. Then filter email addresses by domain — remove personal domains. What's left is a defensible B2B list. Hooklyne does this by default as part of package-building.

Is this legal advice?

No. Plain-language guidance based on the Telecommunicatiewet, PECR, GDPR text, and AP/ICO published guidance. Your specific motion — especially in grey-zone sectors — should be reviewed by a qualified DPO or data protection counsel.

Plain-language guidance, not legal advice. Sector-specific edge cases should be reviewed by a qualified DPO or counsel.