08.05.2025
Customer data in asset deals: privacy and information obligations
When acquiring a company, there is a lot to consider in terms of due diligence and also, for example, the handling of customer data from a data protection perspective: What customer data can be transferred in an asset deal? Which legal bases are relevant? What information obligations apply to asset deals and are there any exceptions? Under what conditions can advertising be sent to customer contact details? And what other data protection and IT security issues are relevant? In this blog post we want to clarify these issues!
The difference between a share deal and an asset deal
In a share deal, the buyer assumes the legal position of the seller through the transfer of shares, i.e. the buyer assumes the rights and obligations of the other company. As a result, the company continues to exist unchanged. The responsibility for data protection therefore remains the same and no data transfer takes place. There is no need for a separate legal basis. However, the purpose limitation principle of the GDPR must still be observed.
In contrast, in an asset deal, only individual assets are transferred to the acquirer, such as real estate, machinery, customer base, rights or a domain. Personal data - such as employee and customer data - may also be transferred. In such cases, this is a data transfer that requires a legal basis. Responsibility also changes under the GDPR.
General conditions for the acquisition of a company
Data protection relationship
Even before due diligence, the parties need to consider their data protection relationship. In the context of a company acquisition, the exchange of personal data is usually a joint responsibility of the companies according to Art. 26 GDPR. The key provisions should be included in non-disclosure agreements (NDAs) and letters of intent / memoranda of understanding.
Privacy standards and legal basis
The services used as part of the due diligence, such as data room providers (e.g. Merrill Datasite), must fulfil appropriate data protection standards, particularly with regard to IT security. In addition, a so-called data protection due diligence, i.e. an examination of the data protection compliance of the target company, should be carried out during the due diligence in order to assess risks and prevent later problems and even possible fines.
Before the asset deal is finalised, the transfer of personal data (e.g. data of customers, suppliers, employees) is generally not permitted. However, a transfer to the potential acquirer may be permissible in individual cases based on the voluntary consent of the person affected by the transfer.
As a rule, Art. 6 para. 1 lit. f GDPR will serve as the legal basis for data transfer in the context of due diligence. This requires a comprehensive and documented balancing of interests. When transferring data, the general principles of the GDPR, such as data minimisation, must also be observed. This means that only the personal data that is actually required for the respective phase of the company acquisition may be transferred.
How are data protection issues dealt with in the subsequent purchase agreement?
Guarantees regarding compliance with the data protection standards of the GDPR should be included in the purchase agreements. Indemnification clauses should also be considered in order to be indemnified against risks. In general, the purchase agreement should also include how data protection has been handled in the company and how the principles of the GDPR have been complied with.
Information obligations vs. confidentiality interests
Both the seller and the potential buyer are subject to information obligations under Art. 13, 14 GDPR. According to Art. 13 para. 3 GDPR, the seller must inform about the change of purpose (transfer of data in the context of due diligence) and provide other relevant information. If the transfer of data in the context of due diligence is based on legitimate interests (Art. 6 para. 1 lit. f GDPR), a right to object must also be granted and information about this must be provided. However, the potential buyer is also subject to information obligations pursuant to Art. 14 GDPR due to the acquisition of the data.
The obligation to provide information conflicts with the confidentiality interests and secrecy obligations of the parties, who do not want to inform customers, employees and the public in advance about the possible initiation of a corporate acquisition. However, specific exceptions from the old BDSG in Sec. 33 (2) Sentence 1 No. 3, No. 7b have not been included in either the GDPR or the new BDSG. It is therefore necessary to take a close look at the legal possibilities for exemptions.
Exceptions to the prospective buyer's duty to inform
The prospective buyer can rely on an exception in Art. 14 para. 5 lit. b GDPR. According to this, the provision of information is not required if it proves impossible or would involve a disproportionate effort. This is because identifying all potentially affected parties would generally be extremely time-consuming, and objections or requests for information could also block or delay the due diligence process.
In addition, prospective buyers can also rely on Section 29 (1) sentence 1 BDSG, according to which the information obligations under Art. 14 GDPR do not apply if information would be disclosed which by its nature must be kept secret. In both cases, however, a carefully documented balancing of the interest in confidentiality and the interests of the data subject is required.
Exceptions to the vendor's information duties
It is difficult for the transferor to obtain an exemption from the otherwise applicable information requirements.
Art. 13 para. 4 GDPR in principle provides for an exception to the duty to provide information. However, this does not apply in the context of due diligence or asset deals. This is because the exception only applies if the data subject already has the information required under Art. 13 para. 1 to 3 GDPR.
One discussed - albeit highly controversial - possibility would be to apply Art. 14 para. 5 lit. b GDPR analogously to Art. 13 GDPR. The objection to this is that Art. 13 and 14 GDPR have different objectives and are not comparable. In principle, however, it is argued that it would be contradictory to grant an exception only to the prospective purchaser. Moreover, Recital 62 of the GDPR also recommends an exemption from the obligation to provide information in cases of disproportionate effort (and is not limited to Art. 14 GDPR).
However, an analogous application of Art. 14 para. 5 lit. b GDPR fails in any case because there is no need for an analogy. In order for a provision to be applied by analogy, in addition to the aforementioned comparability of facts or interests, a so-called unintended regulatory gap is also required. This means that the legislator has inadvertently failed to regulate a situation.
This cannot be assumed here. With Art. 13 para. 4 GDPR, the European legislator has shown awareness that there may also be an exception to the information obligation under Art. 13 GDPR. It is therefore likely to have been a deliberate decision to establish different exceptions for the information obligations under Art. 13 and Art. 14 GDPR.
Section 32 (1) no. 4 BDSG is cited as a further exception, according to which there would be no obligation to provide information in the event of a change of purpose if it would impair the assertion of legal claims. However, it is questionable whether there is a right to carry out due diligence at all, which is why this exception is uncertain.
Furthermore, a reduction of the scope of Art. 13 GDPR or a broad interpretation of Art. 13 para. 3 GDPR is proposed. It is then recommended that the potential transfer of personal data to prospective buyers be included in advance in every privacy policy and information notice. In this case, a new notice pursuant to Art. 13 para. 4 GDPR would not be necessary. This solution is already used by some large companies.
The transferor should justify and document the chosen option in advance. They should carry out a comprehensive balancing of interests and identify and formulate the opposing interests.
GDPR-compliant transfer of customer and employee data in an asset deal
In September 2014, the German Data Protection Conference (DSK) revised the guidelines on data transfer in asset deals. The resolution focuses on two categories of data that regularly play a special role in asset deals, namely the transfer of customer data, employee data and supplier data.
Transfer of customer data
The transfer of customer data in an asset deal depends on the stage of the asset deal. A distinction must be made between the initiation of the contract, an ongoing contractual relationship between the seller and the customer, and a fully performed or terminated contractual relationship between the seller and the customer.
Here is a summary of the main case groups:
- Transfer of customer data during contract negotiations: A distinction has to be made here: if the customers continue negotiations with the buyer on their own initiative and without objection, the processing is justified under Art. 6 (1) (b) GDPR. However, if the buyer conducts the contract negotiations, the transfer is justified on the basis of legitimate interests (Art. 6 (1) (f) GDPR). However, customers then have the right to object within a reasonable period of time (approximately 6 weeks).
- Transfer in the case of ongoing contractual relationships: In the case of ongoing contractual relationships between the seller and its customers and the transfer of these contracts to, and their assumption by, the buyer, Art. 6 (1) (b) GDPR applies as the legal basis. The same applies to the assumption of debt pursuant to Section 415 (1) of the German Civil Code (BGB). If, on the other hand, there is only an assumption of performance, such as the release of the seller from a debt to the customer, the legal basis is the legitimate interest under Art. 6 (1) (f) GDPR.
- Terminated contractual relationship: For the purposes of the statutory retention obligations, a data processing agreement (DPA) is required pursuant to Art. 28 GDPR. The transfer of data is permitted, but the data may only be used for the purposes of the statutory retention periods. The acquirer may only use the data for its own purposes with the effective consent of the customer. The acquirer must store the data separately from other customer data (e.g. using a "two-cabinet solution"). Alternatively, the data may remain with the seller.
In addition to these categories of cases, the DSK decision also deals with the transfer of certain categories of customer data and the purposes for which the transfer takes place.
- Use by the buyer for advertising purposes: The buyer may regularly use the data for advertising purposes in accordance with Art. 6 (1) (f) GDPR, as the seller was also permitted to do, provided the data was lawfully transferred in accordance with the principles outlined above during the contract initiation or during an ongoing contractual relationship. However, competition law poses a hurdle here, as the provisions of the Unfair Competition Act (UWG), in particular Section 7 UWG, must be observed in the balancing of interests. According to this provision, consent is required in particular for advertising by telephone or e-mail. The exception in Section 7 (3) No. 1 UWG is generally not applicable, as there is no contractual relationship with the customer.
- Special categories of personal data (Article 9 GDPR): This data (e.g. health data) may only be transferred with the express consent of the customer.
- Bank details outside the contract initiation or contractual relationship: Bank details may be transferred as part of a contract initiation or during an ongoing contractual relationship in accordance with Art. 6 (1) (b) GDPR. Otherwise, they may only be transferred with the customer's explicit consent.
- Customer data for outstanding debts: This data transfer is permitted within the scope of legitimate interests, provided there are no contractual restrictions.
Transfer of customer data as a single asset
A special case of transferring customer data is the sale of customer data as a separate asset - for example, in the case of a sale of customer databases. In such cases, the transfer of data can generally only take place with the consent of the customers concerned. This is especially true if the databases are to be used for advertising purposes unrelated to the original company.
An exception can only be made for micro and small enterprises. If such an enterprise wishes to transfer its customer base to another micro or small enterprise in the same sector due to the cessation of its activities, the postal addresses may be transferred once in accordance with Art. 6 para. 1 lit. f GDPR. However, customers must be given the right to object with a notice period of around 6 weeks.
Transfer of employee data
In principle, the transfer of employee data in the event of a transfer of business (§ 613a BGB) can be based on Art. 6 para. 1 lit. b GDPR and, to the extent that special categories of personal data are also affected, Section 26 para. 3 BDSG.
The transferor processes the employee data for the fulfilment of the contract with the employees, namely for the termination or handling of the employment relationship. Accordingly, the acquirer also processes the data in accordance with Art. 6 para. 1 lit. b GDPR or § 26 para. 3 BDSG for the performance of the employment contract.
However, there are also groups of cases in which the legal assessment and permissibility of the transfer of employee data is different.
- Contract negotiations: The transfer of employee data prior to the conclusion of a contract for the transfer of a business is generally prohibited. This can only be allowed with the consent of the employees.
- Information of employees by the acquirer prior to the transfer of a business: Pursuant to Section 613a (5) of the German Civil Code (BGB), employees must be informed of the transfer of a business in writing (e.g. by e-mail). This information obligation can be fulfilled by either the seller or the acquirer. However, if the information is provided by the acquirer, only the data necessary for the processing of the employment relationship in accordance with Article 6(1)(b) of the GDPR may be transferred to the acquirer until the transfer of the business.
- Employees' objection prior to the transfer of the business: Pursuant to Section 613a(6) of the German Civil Code (BGB), employees may object to the transfer of their employment relationship to the acquirer. If the employees have been informed by the seller of the transfer of the business and exercise their right to object to the buyer before the transfer, the data of the objecting employees may not be transferred.
- No transfer of business under Section 613a of the German Civil Code (BGB): If the conditions for a transfer of business under Section 613a of the German Civil Code (BGB) are not met, individual agreements between the seller, the buyer and the employees are required. The transfer of data is generally only possible with the consent of the employees.
Supplier data transfer
Of the three categories of data, the transfer of supplier data is the least complicated. The transferor may transfer current data on suppliers and their employees to the transferee in accordance with Art. 6 para. 1 lit. f GDPR. As a rule, this will not conflict with overriding interests - especially when it comes to business contact data. In most cases, it should even be in the supplier's interest to continue the existing business relationship with the acquirer.
Conclusion on data transfers in asset deals
In the M&A sector, data protection issues have not yet been properly recognised and have received little or no attention. However, the contracts and processes involved in an acquisition need to include compliance with all key aspects of data protection law.
As part of the due diligence process, it is also essential to check that the target company (seller) complies with and has implemented data protection regulations and that the necessary IT security is in place. It is therefore advisable to involve data protection experts at an early stage in the acquisition or sale of a company and to support the entire process from a data protection perspective.
We are happy to assist you in the preparation and implementation of a business acquisition from a data protection perspective and help you to ensure that the process is carried out in compliance with data protection law in order to minimise your risk.