Sale of customer data as hidden risk in M&A transactions
In the process of a sale or a purchase of a company or parts of a company, both sides have to act most diligently in various fields in order to avoid conflicts, both between the parties and with third parties after a successful transfer of the company or parts of the company. In addition to the main focus areas in each acquisition however, previously neglected or perceived side issues become more and more important, among others the data protection regulations.
In an acquisition of a company, which was not carried out as a share deal but as an asset deal, only single valuable company assets were transferred to the purchaser, among others also the customer data. The customer data sold did not only contain the name and postal address of the customer, but – as usual by now – the far more valuable customer information like email addresses. The Bayrische Landesamt für Datenschutzaufsicht (Bavarian State Office for Data Protection) has fined both, the seller and the purchaser with a five digit fine. While it was certainly not a coincidence that this press release has been given out by the Bayrische Landesamt für Datenschutzaufsicht, however their explanations and arguments are nevertheless essential also for other mergers and acquisitions regardless of the company’s location and the respective authorities.
From a data protection point of view it makes a big difference, whether a company is sold in form of a share- or an asset deal. In the case of a share deal, the company itself does not change for the customer; only the ownership of the company is transferred. However in the case of an asset deal, certain assets are removed from the initial company and sold to a new and for the customer unknown company and incorporated there. Accordingly a transfer of customer data is possible without any problems in case of a share deal (always assuming that the data was legally obtained and stored by the company), whereas in case of an asset deal the parties have to act with greater diligence.
When selling personal data, it is to be distinguished between so called “Listendaten” (which are certain criterias of a group such as car driver, reader of a newspaper etc., professions, industry sectors or company name, name and address, title and academic degree or the year of birth, which can generally be sold and transferred also for promotional purposes without the customer’s consent and other, usually more valuable and therefore more expensive personal data like email addresses, telephone numbers, bank account and credit card data and in particular also buying habits and purchase history. The sale of such data is only permitted, if either the customer gave his consent to the transfer in writing or if the customer was informed about the ensued sale of the data in advance and given a right of rescission, which he did not exercise upon. However even in the case of customer’s consent, the purchaser may only process and use the sold and transferred customer data for the purpose, for which it was originally transmitted to the selling company. This means that the purchaser, when using the customer data, for example as part of a promotional letter, has to disclose from whom he got the respective data.
The data protection responsibility in case of a sale of the personal data is bore by the seller and the purchaser, for the seller as the “transmitter” and for the purchaser as the “collector” of the data. Consequently both can be assigned separate fines in case of an infringement as has been done by the Bayrisches Landesamt für Datenschutzaufsicht in the aforementioned case.
In addition to the data protection regulation, in particular when it comes to the sale and transfer of email addresses and telephone number, also the law against unfair competition has to be observed. In accordance with that, the transmittance of advertising and promotional materials via email and/or fax without the customer’s consent is classified as an unacceptable harassment and can give grounds for consumer associations as well as competitors for serving a warning letter, which can be associated with costs. Direct advertisement via telephone calls (so called cold calls) towards consumers is not permitted without their prior explicit consent; with regard to entrepreneurs there is a relief in such a way that his consent can be presumed.
Usually the information provided by the customer is transferred when initiating the business relationship and email addresses transmitted in that way are usually also used for future promotional activities of the company that collected the data. Due to an exception in the unfair competition law this is permitted without the explicit consent of the customer. However this exception only applies to the company that actually collected the data, which also entered into the business relationship with the customer and also only with regard to similar goods and services, which were bought or used by the customer when transmuting his email address. But even in that case the customer has to be informed about his right of rescission and must not have exercised this.
The aforementioned exception however does not help the purchaser in case of an asset deal, in which personal data is being sold and transferred, since the sold and transferred data was not transmitted to the purchaser by the customer in connection with the sale of goods and services.
The law of unfair competition also provides for penalty provisions; however those only refer to unacceptable harassments through telephone calls or automatic calling machines towards consumers. However in addition there is always the aforementioned risk of a service of a warning letter by consumer associations or competitors as mentioned above.
The above decision by the Bayrische Landesamt für Datenschutzaufsicht is not only important within the scope of mergers and acquisitions for the parties involved in such, but in particular also for insolvency administrators of insolvent companies. The customer data sold by the insolvent company is very often a major, if not the only utilizable asset of the company, which is why the insolvency administrator often has a very strong interest in selling that data as quickly as possible.
Contact Person: Vanessa Lichter, Rechtsanwältin