Sharing personal data in connection with the sale of a business can create risk for both the seller and the purchaser if not undertaken in compliance with data protection requirements as illustrated in a recent German case. In this post, we point out the perils of sharing personal data in connection with an asset deal and provide tips on how to manage these risks.
A typical scenario
Let’s say (as was the case in the recent German example) a seller is running an online shop. In the course of an asset deal, it transfers all of its assets, including customer data, to the purchaser. It does not notify the affected customers of the transfer, let alone obtain their consent. Following the transfer, the purchaser uses transferred customer email addresses for direct email marketing.
The perils of transferring personal data as part of asset deals
A transfer of personal data as illustrated above raises serious concerns from a data protection perspective. It constitutes a transfer or disclosure of personal data to a third party which is subject to strict conditions in most jurisdictions. Generally, as the acting Bavarian DPA pointed out, such a transfer of personal data requires the data subject’s consent or, at least, the prior notification of the data subject coupled with an opportunity to opt-out of the transfer which opt-out is not exercised. Unlike commonly assumed, the asset deal itself does not legitimise the data transfer.
In the German case, both the seller and purchaser were fined five-digit Euro amounts for unlawfully transferring the customer data. Importantly, the purchaser was also ordered to delete the unlawfully transferred customer data meaning it paid money for a crucial asset it cannot use after all.
Four steps to follow to avoid falling into the asset deal trap
The following steps should be taken when transferring personal data as part of an asset deal.
1. Identify the data to be transferred as part of the due diligence process.
This could include a variety of personal data but, generally, customer data will be the most relevant, such as customer names and contact details, payment or credit card details, purchase histories, personal preferences or even complex user profiles.
2. Assess whether/ under what conditions relevant data may be transferred.
Often the data subject’s consent will be required but a notification with a right to object might suffice. Sensitive data, such as health data, will likely be subject to stricter conditions. Equally, if data is intended to be transferred to a different jurisdiction, further limitations are likely to apply.
3. Evaluate if/ how compliance with the transfer requirements can be achieved.
For example, is it possible (and practical) to obtain the relevant consents or send out required notifications prior to the transaction going ahead? Or do existing privacy notices adequately cover the intended transfer? Should certain personal data be carved out of the deal?
4. Reflect any data protection issues in the transaction documents.
The prudent purchaser would require the seller to warrant that it has taken the necessary steps to legitimise the transfer (e.g., obtained necessary consents/ provided adequate notifications). These warranties should be backed by adequate indemnities. The prudent seller would only provide such warranties and indemnities to the extent it is satisfied that these won’t expose him/her to claims from the purchaser. To the extent certain data cannot be legally transferred as part of the asset deal, such data should be carved out of the deal which must, of course, be reflected in the purchase price.
Contributors – Anna von Dietze