GDPR and B2B channel marketing

Suppliers and partners each have controller responsibilities

Most B2B suppliers rely on channel partners to grow their business or to enter new markets. For example, a US company might be present in London, and rely on partners in other European countries.

Here are the three most common scenarios:

  • Supplier-sourced leads: the supplier generates qualified leads to be shared with partners, who then handle the sales cycle. Such partners are called resellers.
  • Partner-sourced leads: partners (resellers) generate their own leads and handle the sales cycle, but also share prospect and customer information with the supplier.
  • Partner-sourced referrals: partners recommend, rather than sell, the product. They generate qualified leads to be shared with the supplier or with other partners, who then handle the sales cycle. These are called referral partners.

What does GDPR say about the roles and responsibilities between supplier and partner when they share personal data?

Joint controllers or separate controllers?

If the supplier and partner work together for specific and agreed purposes, then they “jointly determine the purposes and means of processing” (Article 26). They are therefore joint controllers. An example would be a reseller who relies on the expertise of the supplier to close a deal, which is an objective they both share. Another would be a supplier who delivers the service while the partner owns the customer relationship, and the customer interacts with both.

Another possibility is that the two players are not really joint controllers, but rather separate controllers who happen to be sharing a common set of personal data, which they each process independently for different purposes. An example is a referral partner who plays no further role in the sales cycle after handing over the lead, and who may subsequently target the prospect for a different commercial purpose.

Supplier and partner responsibilities

Besides the usual obligations around security, accountability and international transfers, suppliers and partners must ensure they are in sync in the following three areas:

  • Type of controller. First and foremost, they must decide whether they are joint controllers or separate controllers. To determine this, the supplier must assess how personal data is used across the life cycle, with whom it is shared and how, e.g. in a CRM or PRM system. This will depend on who owns the prospect, who manages the sales cycle, who deploys the product or service, and who owns the customer. The resulting agreement (it doesn’t have to be a contract) will reflect each player’s roles and relationships toward the data subjects.
  • Privacy Policy. Once the controller relationships are clear, they have to be clearly communicated in each party’s privacy policy, so that the prospect knows with whom their data will be shared. Note that if a supplier is relying on consent, then channel partners have to be explicitly named. If, however, the legal basis is legitimate interest, it is sufficient to mention the partner category, e.g. reseller.
  • Rights. Finally, data subjects have to be able to exercise their rights with either supplier or partner, even if one of them has been designated as a point of contact. It is up to each controller to ensure that subject access requests (SARs) flow both ways. So, for example, if a prospect no longer wants to receive any marketing from a partner, then that should implicitly extend to the supplier, because that is what the prospect would logically expect.

The subject of GDPR compliance for B2B channel marketing has not received much press in 2018, probably because there were far more important compliance issues to address. But it’s a safe bet that in 2019, it’s going to come out of the woodwork, so channel managers had better be prepared.

Michael Gentle is the founder of The Balance of Privacy, based in Geneva.
