A common question from B2B SaaS founders is whether GDPR applies to them at all — they sell to businesses, not individuals. The answer is yes, but the compliance picture is different. And the follow-up question is usually: do we need consent for everything?
The short answer: no. B2B SaaS companies rarely need consent as their primary lawful basis. Understanding why — and what basis actually applies — is fundamental to building a defensible GDPR position.
Does GDPR Apply to B2B SaaS?
GDPR protects natural persons — individuals. It does not protect companies or organisations. But B2B SaaS companies almost always process personal data about individuals, even if those individuals are acting in a business context:
- Customer contacts: Names, email addresses, phone numbers of the buyers, users, and administrators at your enterprise customers
- End user data: If your product is used by individuals at the customer company (employees using an HR tool, salespeople using a CRM), you process their personal data
- Billing contacts: Finance contacts at customer organisations
- Support data: Communications with named individuals about support issues
GDPR applies to all of this. The fact that these individuals are acting in a professional capacity does not remove their GDPR rights. A named contact at an enterprise customer is still a natural person.
Do You Need Consent for B2B Processing?
Almost never — for the core B2B processing. Here's why:
Contract performance (Article 6(1)(b)) covers processing that is necessary to deliver the contracted service. If a customer buys your SaaS product and provides administrator accounts for named users, you process those accounts to provide the service. This is contract performance — you do not need consent.
Legitimate interests (Article 6(1)(f)) covers most ancillary B2B processing:
- Sending transactional emails, invoices, and service communications
- Customer success management and account health monitoring
- Marketing to existing customers and similar company contacts
- Security monitoring and fraud prevention
Legal obligation (Article 6(1)(c)) covers processing required by law — tax records, accounting, anti-fraud obligations.
Consent is appropriate in a narrower set of B2B scenarios:
- Email marketing to new prospects who have not yet engaged with you
- Optional analytics and tracking cookies on your website
- Processing data for purposes beyond the contracted service
The B2B Contact List Problem
B2B SaaS companies often maintain large lists of prospect contacts — names, job titles, email addresses — obtained from LinkedIn, enrichment tools like Clearbit or Apollo, or purchased datasets. Processing these contacts raises specific GDPR questions:
Are they personal data? Yes. A named individual's work email address is personal data, even though it is a professional rather than a private address.
What is the lawful basis? Legitimate interest is typically the basis for cold B2B outreach, but it requires:
- A proper legitimate interest assessment showing the commercial interest outweighs the individual's privacy expectations
- Clear opt-out mechanisms in every communication
- Honouring opt-outs immediately and permanently
Must you notify prospects about their data? Article 14 requires you to inform individuals when their personal data was obtained from a source other than the individuals themselves. For large-scale B2B prospecting, this is typically done in the first marketing communication (disclosing the source) or via the privacy notice on the company website.
Can you use scraped data? Using data scraped from LinkedIn or other sources without an assessment of the lawful basis and notification obligations is non-compliant. Data enrichment tools like Clearbit are processors — you still need your own legal basis for using the data.
Data Processing Agreements with Your Customers
When your B2B SaaS processes personal data on behalf of customer organisations (employees, end users), you are a data processor and the customer is a data controller. Article 28 requires a written Data Processing Agreement (DPA).
The DPA must include:
- What personal data you process on their behalf
- For what purpose and how long
- That you only process on the customer's instructions
- Your security measures
- Your sub-processors (with the customer's right to object to changes)
- Your support for data subject rights
- Your breach notification obligations to the customer
In B2B SaaS, the DPA is typically included in your Terms of Service or as a downloadable Data Processing Addendum. Enterprise customers will review it carefully. It must be accurate and substantive.
Employee Data at Your Own Company
A B2B SaaS company also processes personal data about its own employees:
- Payroll and HR records
- Performance management data
- IT system access logs
- Communications
- Benefit enrolment
This is a separate controller relationship — you are the controller for your own employee data. All standard GDPR obligations apply.
What B2B SaaS Companies Commonly Miss
No DPA available. Enterprise buyers increasingly require a DPA before signing. Not having one ready delays deals.
Sub-processor list not maintained. Your DPA must cover sub-processors — AWS, Google Workspace, Intercom, Stripe, etc. Keep the list current and notify customers of changes.
Prospect data processed without a proper assessment. Cold outreach lists built from enrichment tools require a legitimate interest assessment and opt-out mechanism.
US transfers not addressed. Your own SaaS stack includes US-based services. Customer data passing through these must be covered by SCCs or DPF certification.