Whenever a company is sold, customer data, in nearly all cases, passes into the hands of a new owner. Caution is needed because customer data is personal data and therefore falls under the provisions of local data protection frameworks. While company accountants usually provide support during a sale, their support is often limited to its financial aspects.
This article sheds some light on what to look out for when selling a company within the jurisdiction of the EU GDPR. After all, supervisory authorities already issued five-digit fines to companies in 2015 for illegal data transfers during asset deals. What a truly expensive sale!
What is the difference between a share deal and asset deal?
The legal obligations a seller and a buyer have to abide by depend on the type of sale. In a share deal, a company’s shares are transferred from one shareholder to another. The legal entity, which is the company itself, remains unchanged. In an asset deal, certain (or all) assets and liabilities are sold to the buyer. Essentially, in a share deal the buyer acquires a share of a legal entity, while in an asset deal the buyer could potentially transfer all acquired assets directly to another legal entity for its use.
When does a data transfer occur during the sale of a company?
In a share deal, the company is sold, but the entity itself is not affected in the way it conducts its business and continues to operate just as before. Any changes in operations and contracts will be a matter for the new management. In other words, data is not being transferred from one legal entity to another. It is therefore safe to assume that no data is being transferred to another party, and hence the deal is not subject to the GDPR provisions on data transfers.
Unfortunately, it is not always that easy. An asset deal creates a different privacy situation from a share deal. It is important to identify the assets that are being sold to another entity. As soon as an asset that is part of the sale contains personal data, a data transfer in the classical sense of the GDPR occurs. An example of such an asset is a customer database. In a sale, the ownership of the asset that contains personal data (such as a customer database) changes and passes to a new legal entity.
For such data transfers, the consent of the customer concerned, or another legal basis, is required.
How to obtain consent for large amounts of personal data?
It seems nearly impossible to buy an asset containing large amounts of personal data, because of the need to acquire consent. Art. 6 (1) (f) GDPR is often the second-best option from which to start determining a valid legal basis that will not lead to a fine. The outcome of such an approach is fundamentally open and depends on the specific data in question. This can be a challenge, especially with large databases, and is nearly always associated with huge legal costs.
The Bavarian supervisory authority (BayLDA), in Germany, has published an opinion that may just have the solution. In the BayLDA’s view, companies will not be forced to obtain the consent of thousands, if not millions, of affected data subjects. Instead, the BayLDA suggests that it is completely satisfactory in the eyes of the data protection supervisory authority if a so-called “objection solution” is applied.
To implement the “objection solution”, the Bavarian supervisory authority recommends that companies be aware of, among others, the following three main steps:
- All data subjects are informed of the upcoming transfer in good time before the personal data is transferred to another legal entity. (This can be done easily by sending out a collective e-mail or letter.)
- Data Controllers must grant all data subjects a right to object to the transmission of the data.
- As soon as a data subject objects to the data transfer, the controller must ensure that the subject is not part of the asset deal.
Be aware of Category 9 Data
The objection solution can only be applied to personal data which is not subject to Art. 9 GDPR. Such data can only be transferred by way of informed consent in accordance with Art. 9 s. 2 lit. a) and Art. 7 GDPR.
Selling a company is subject to many legal requirements, including data protection compliance. It is therefore recommended to determine the correct steps during a company’s sale to ensure data protection compliance. Clearly, the first step must be a risk-reducing practice: establishing the type of sale the company is involved in.