🛒 He Buys, She Buys – Consumer Rights vs. B2B Sales 

B2B, B2C – sounds a bit like chemical formulas, doesn’t it? 🧪 Don’t worry, running an e-commerce business isn’t nearly as complicated as conducting scientific experiments 😊. However, if you’re planning to launch an online store, it’s important to have a basic understanding of Business-to-Business (B2B) and Business-to-Consumer (B2C) sales channels, as well as selling to quasi-consumers. The key difference between these channels? It’s all about who your target audience is. Selling to businesses and individual customers may have some similarities, but they’re actually quite different. Then there’s selling to entrepreneurs, who, in certain cases, might be treated like consumers. The differences between these sales channels touch on many areas, like communication and marketing strategies, the buying process, pricing and payment methods. But the most important thing to remember as you start your e-commerce business—and what we’ll focus on now—is that B2B and B2C sales come with different legal requirements that will shape how you run your online store. 🛍️  

How does it impact your shop whether your customer is a consumer or a business? 🤔 

The general rule is that in B2B transactions, the seller has more flexibility. This means that the B2B relationship, being a professional one (seller – business and buyer – business), does not include the protective measures afforded to consumers as the weaker party in a contract. Consequently, sellers are subject to fewer strict regulations that enforce specific solutions and customer rights can be shaped more flexibly. However, this changes when you identify that the buyer of your goods or services is a consumer—someone purchasing for personal use rather than for their business or professional activities. 🛒 

In both cases, the terms outlining your mutual rights and responsibilities—those of you as the seller and those of your customers, whether they are businesses or consumers—should be included in your shop’s terms and conditions. You don’t need to create separate terms for each sales channel (although you could). It’s sufficient to clearly outline the rights of both consumer customers and business customers within a single set of terms and conditions. 📜 

What issues should you address depending on whether the buyer is a business or a consumer? 🧐 

Unfair contract terms 🚫 

The first issue is “unfair contract terms.” Under the regulations, a clause in a contract with a consumer that was not individually negotiated does not bind the consumer if it shapes their rights and obligations in a way that is contrary to good practice and grossly infringes their interests. 

Examples of unfair clauses include: 

  • A clause that requires the consumer to cover the cost of shipping in order to file a complaint about the purchased goods. 
  • A provision allowing the business to change the shop’s terms and conditions at any time and without needing to provide a reason for the changes. 

Before drafting your store’s terms and conditions, check the register of prohibited clauses (in Poland it is kept by UOKiK, the Office of Competition and Consumer Protection) to make sure that none of the terms you plan to include is already on it. Use common sense, too: if a clause seems “unfair,” abuses the seller’s position or removes rights that consumers would normally have, you’re treading on thin ice. 🧊 

The right of withdrawal 🛑 

You’ve shopped online as a consumer many times, so you’re familiar with the fact that in B2C sales, customers have the right to withdraw from the purchase within 14 days. A business cannot limit this right for consumers, except in a few specific situations. However, the rules are different when you’re selling your goods to another business. 

Of course, you can provide the buyer—who is a business—with the right to withdraw from the contract or to return/exchange goods (as many established e-commerce businesses do). However, in such cases, these rights will be governed solely by your sales policy, and you can tailor them to fit the needs of your shop. 🛍️ 

 Warranties and complaints 🛠️ 

The biggest differences between B2B and B2C sales are found in the area of customer rights related to defects in the goods sold (or, for consumer sales concluded from 1 January 2023, non-conformity of the goods with the contract). In B2B sales, a business can generally define the customer’s rights as it sees fit, including limiting or excluding the statutory warranty. In B2C sales, however, an online shop must ensure that consumers can exercise their statutory rights in full.  

Information Obligations 📝 

Last but not least, in B2C sales, the Consumer Rights Act requires online businesses to provide consumers with a range of information, including: 

  • the characteristics of the product being sold 
  • its price 
  • the consumer’s rights related to the purchase 
  • contact details of the business 

This has a significant impact on the shopping experience. While you will also need to provide information to clients in B2B sales, often similar to what is required in B2C, the obligations regarding the scope and detail of the information are much less stringent in the B2B context. 

Can a business be a consumer? 🕵️♂️ 

Here’s a little exception 😉 Until 31 December 2020, the distinction between consumers and businesses was clear and straightforward. However, since 1 January 2021, a new, third category has been introduced: the “entrepreneur with consumer rights.” 

Who is this? 🤔 

This applies to sole proprietors—individuals running a sole proprietorship registered in the CEIDG—who enter into a sales contract with a business if the contract is directly related to their business activity but indicates that it is not of a professional nature for them. 

Examples: 

  • a lawyer buying a printer for their office 🖨️ 
  • a doctor purchasing a car to commute to work at the hospital 🚗 
  • an architect buying a coffee machine for their office  

For such clients, you’ll need to ensure they are treated as consumers in your shop. However, to reassure you, in the event of a dispute, the buyer will have to prove that they qualify as an entrepreneur with consumer rights.

Note! ⚠️ 

In practice, you might see the term “prosumer” used to describe entrepreneurs with consumer rights. Keep in mind, however, that “prosumer” is also used in the Renewable Energy Sources Act to refer to someone who both produces and consumes what they have generated (i.e. electricity). So, don’t confuse these two types of prosumers!  

Does it sound complicated? It can be—creating a comprehensive and compliant set of terms and conditions for your online shop isn’t the simplest task, but it’s definitely achievable! If you need help, contact LBKP, the e-commerce experts who put together the legal section of our guide. 📚

DORA on the horizon: key changes for the financial sector 🏦

DORA – new standards for cyber security 🔒

In the digital age, when most financial transactions take place online, the security of our data and funds is becoming a priority. We have all seen recently, when Windows machines around the world crashed after a faulty update to a third-party security agent (CrowdStrike), what happens when infrastructure that businesses rely on, including widely used services such as Office 365, suddenly fails. ✈️🚫

Flights were cancelled, the London Stock Exchange was disrupted, and bank customers also reported problems (in Poland, Santander Bank Polska and PKO BP, among others, were affected). Microsoft estimated that up to 8.5 million Windows devices were hit by the incident. The effects of what turned out to be ‘just’ a crash, not an attack, brought part of the world to a halt for a moment. Two things stand out: the failure originated not in the affected institutions’ own systems but in the software of an external ICT provider, which is exactly the kind of dependency DORA addresses; and the scale of the disruption across so many industries makes one wonder what would happen if we were dealing not with a crash, but with a successful cyber-attack. 🤔💻

The European Union, recognising the growing digital security risks for the financial sector and its customers, adopted the Digital Operational Resilience Act (Regulation (EU) 2022/2554, DORA for short) in December 2022. DORA sets new cyber-security standards for financial entities, aiming to ensure their resilience to all ICT-related disruptions and threats. 🌐📜

The new regulations aim to minimise the risks associated not only with cyber attacks but, more broadly, with ICT-related incidents of any origin. By establishing uniform standards and procedures, DORA is expected to help protect the integrity, security and continuity of financial services in the European Union. 🛡️🇪🇺

The countdown is on ⏳

Financial entities have until 17 January 2025 to comply with DORA. After that date there will be no grace period: the KNF (the Polish Financial Supervision Authority), during training sessions and meetings with the financial sector, has warned that it will not wait for latecomers and plans to verify and enforce the new obligations from day one. 📅🔍

Importantly, DORA is a regulation, not a directive (unlike NIS2, another act relevant to cyber security). This means that it is binding in its entirety on the entities it addresses and applies directly in all EU member states, without needing to be transposed into national law. 📜⚖️

Who is affected by DORA? 🏦💼

DORA primarily, but not exclusively, covers a broad spectrum of financial institutions and digital finance entities. Among others, credit institutions (banks), insurance companies, investment funds, payment and e-money institutions, crypto-asset service providers and other financial services providers are obliged to comply with the new regulations. 💳🏢

In addition, DORA introduces obligations for technology providers, including cloud service providers and other ICT third-party service providers; those designated as critical are placed under a dedicated EU-level oversight framework. ☁️💻

What does DORA mean for the financial sector? 📊🔒

DORA imposes obligations on financial sector players, requiring financial institutions not only to respond to incidents, but also to take a number of preventive measures, based on the principle that prevention is better than cure. 💡🔧

In practice, this means taking action primarily in the following key areas:

  1. ICT risk management 🖥️⚠️
     Financial institutions should develop and implement a comprehensive ICT risk management framework. It should cover identifying, assessing, monitoring and controlling ICT risks, so as to ensure the security and integrity of IT systems.
  2. ICT incident management 🛡️🚨
     Under DORA, classification and reporting of ICT-related incidents are key to effective security management. Financial institutions will be required to follow clear incident classification criteria, which should lead to appropriate tracking, analysis and response. Responsibilities in this area include, but are not limited to:
       • creating and implementing uniform incident classification guidelines that categorise incidents by severity and type of threat;
       • reporting major incidents to the competent authority, and informing clients and other stakeholders, in accordance with the applicable standards and regulations;
       • conducting root cause analysis of incidents to identify vulnerabilities and implement corrective actions.
  3. Managing risk from external ICT service providers 🤝🔍
     Financial institutions should define policies for managing their relationships with external ICT service providers. Responsibilities in this area include, among other things, developing criteria for evaluating and selecting ICT providers to ensure they meet security and compliance requirements, ensuring that contracts with ICT providers contain the provisions DORA requires, and regularly monitoring and evaluating providers’ performance.
  4. Digital operational resilience testing 🔄🛠️
     Obligations in this area include, among other things, establishing a comprehensive digital operational resilience testing programme. Financial entities other than micro-enterprises will be required to test all ICT systems and applications supporting critical or important functions at least once a year. For certain obliged entities, DORA additionally requires advanced threat-led penetration testing (TLPT), i.e. red-team exercises driven by current threat intelligence, at least every three years.

Where there are obligations, there are also sanctions ⚖️💰

Understanding and adapting to the requirements of DORA is essential for financial entities, not only to ensure an adequate level of digital operational resilience, but also to avoid serious legal and financial consequences.

DORA grants the competent authorities (in Poland this will primarily be the KNF) broad powers to supervise and enforce it. They will be entitled to request access to any documents and data they consider relevant to their investigations, so financial institutions must be prepared for audits and inspections. Failure to cooperate or to provide the requested information may itself lead to additional sanctions. 🔍📋

In the event of violations of DORA, various administrative sanctions may be applied by the supervisory authorities. These include, inter alia, cease and desist orders for non-compliant activities, the requirement to terminate practices contrary to the regulations and the application of financial sanctions aimed at enforcing compliance. 💼💸

Summary 📊✍️

Of course, a full assessment of the impact of the new regulations will only be possible after some time, but we can already venture that DORA is a milestone towards ensuring digital operational resilience in the EU financial sector. With the introduction of new ICT risk management standards and the requirement for a proactive approach to digital security, DORA should not only help protect financial institutions, but also increase customer confidence in financial services. The ball is now in the financial sector’s court: achieving DORA’s goal and the associated benefits will only be possible if the implementation of the new regulations is taken seriously. 🔜🔧
