German DPA imposes fine for unlawful acquisition of personal data in asset deal
August 20, 2015
Privacy questions are largely ignored in the due diligence phase of transactions. A recent decision of a German Data Protection Authority shows that this should be mandatory, at least in asset deals.
These days it is common understanding that personal data of customers are becoming more and more important to companies. There are business models which are exclusively built on personal data. In traditional business models the use of personal data has also become increasingly relevant for their success in the future.
Nonetheless, privacy compliance aspects are still underestimated in the acquisition. While trademark, patent and software questions are analysed, privacy aspects are often not part of the due diligence. This can become an expensive mistake in asset deals as a recent decision of a German data protection authority shows.
In asset deals, every single asset of the company has to be purchased and transferred. This includes real estate, machines and even pencils, but crucially it also covers personal data. The seller needs to legal justification for the transfer of personal data, e.g. of customers, to the purchaser.
A common mistake is to make the transfer on the basis of a data processing agreement in the belief it could be a vehicle to transfer data. This is usually not possible because the seller must remain the data controller and the purchaser may not use the data for its own purposes. It may also not be sufficient to cover data protection violations by guarantee clauses in the purchase agreement. The guarantee clause would only entitle the seller to damages but the data itself may not be used and the purchaser should well consider to phrase precisely in the purchase agreement which claims shall result from a violation. Moreover, violations of data protection laws may lead to a criminal responsibility of the seller and the purchaser because the breach is made for the purpose of making revenues.
The Data Protection Authority of Bavaria has now fined the seller and the purchaser of a company, which has unlawfully transferred customer e-mail addresses of online shop customers as a part of their asset deal. The exact amount of the fine was not disclosed but it has been revealed to be a five digit amount (Euros). While such amount may not be a cause for major concerns, it is clear that the online shop customer data concerned are lost for the purchaser. An initial analysis could have saved transaction costs.
It can be assumed that the data protection authorities will keep a closer eye on asset deals in future, which will be relatively easy task for them to the extent the transaction is published.