Five years after its last resolution on data protection in asset deals, the Conference of Independent Data Protection Authorities of the Federal Government and the Länder (DSK) has updated its assessment and, on 11 September 2024, published its resolution on "Transfers of personal data to the acquirer of a company within the framework of an asset deal." While the DSK primarily addresses sole proprietors selling their businesses, the principles established here also apply to asset deals involving corporations.
1. More Scope, More Content – The Resolution in Detail
The new resolution has been significantly expanded and now covers additional scenarios that were not addressed in the 2019 resolution. In addition to customer, supplier, and employee data, the DSK establishes general rules for the transfer and accessibility of personal data in asset deals, including during the due diligence phase:
1.1 Due Diligence Phase
According to the DSK, the transfer of personal data during the due diligence phase generally requires the consent of the individuals concerned. Only in exceptional cases should the buyer and seller be able to base the disclosure of personal data on their legitimate interest (Article 6(1)(f) GDPR).
The more significant the individuals are to the transaction (e.g., key personnel or primary contract partners), and the further advanced the negotiations are at the time of disclosure, the more likely it is that data processing without consent will be permissible.
1.2 Customer Data
In terms of customer data, the DSK distinguishes between various stages of the contractual relationship between customers and the seller. Generally, the legality of data transfer under data protection law follows the legality of assuming or entering into a contractual obligation under civil law.
- Active Contracts and Pre-contractual Situations
When the buyer assumes the seller’s position under civil law, the associated transfer of data is typically justified either by the performance of a contract with the individual (including the pre-contractual stage) (Article 6(1)(b) GDPR) or, where the buyer only assumes performance, by legitimate interest (Article 6(1)(f) GDPR). If the buyer also assumes the seller's outstanding claims against customers, the buyer can receive the necessary data for the assignment or debt collection based on their legitimate interest, without needing the customers' consent. However, caution is advised if special categories of personal data are involved, such as data related to physicians, tax advisors, or attorneys (see below).
- Sale of Customer Data as the Sole Asset
The sale of customer data as the sole asset—except in the case of micro-enterprises (see below)—should only be possible with the individuals’ consent (Article 6(1)(a) GDPR).
- Transfer for Record-keeping Obligations
For the transfer of personal data for record-keeping purposes, the DSK prefers its so-called "two-cabinet solution," which separates data that must be retained from active customer data. For the latter, the previously outlined principles apply. The buyer may only process the seller’s data for record-keeping purposes as a data processor under a processing agreement (Article 28(3) GDPR).
- Marketing
When marketing to customers acquired as part of an asset deal, the buyer must observe the restrictions on direct marketing (§ 7 UWG – German Act Against Unfair Competition). The buyer cannot simply adopt the marketing consents that customers may have given to the seller. Instead, the buyer must independently ensure the necessary conditions for directly contacting customers via email, phone, or text message.
- Particularly Sensitive Data
For special categories of personal data, such as health data, religious affiliation, or biometric data, as well as bank data, the DSK sees no room for transfer between seller and buyer without the individuals' explicit consent. In practice, bank data rarely plays a major role, as direct debit authorizations and SEPA mandates usually need to be reissued anyway. However, special categories of personal data must be carefully examined to determine if and to what extent they are necessary and whether the buyer has appropriately categorized this data in the past.
1.3 Supplier Data and Other Contract Partners
Regarding suppliers and other contractual partners, a legitimate interest (Article 6(1)(f) GDPR) generally exists for transferring personal data—if such data exists at all—within the scope of the asset deal. However, the principle of necessity also applies in this context.
1.4 Employee Data
The transfer of employee data due to a business transfer or partial transfer within an asset deal is generally permissible, provided the affected employees have not objected to the transfer. However, this does not apply during the negotiation phase—here, the principles of due diligence must be followed (see above).
If there is no business transfer, a separate agreement is required, and the DSK assumes that in these cases employee data may only be transferred with the employees' consent. However, a contractual arrangement that makes separate consent unnecessary is often feasible.
1.5 Micro-enterprises
The DSK has created a special provision for micro-enterprises: in such cases, the sale of a customer database without additional assets or ongoing contractual relationships is exceptionally permitted based on the legitimate interest of both the seller and buyer. However, this should only be possible when the business is closing and the companies are in the same industry. In these instances, it is sufficient to give the affected individuals a six-week period to object to the data transfer. In all other cases, consent is required.
1.6 General Requirements
The seller is primarily responsible for the transfer of personal data within the framework of an asset deal. Consequently, they are the first point of contact for supervisory authorities and affected individuals if data protection requirements are not met. Once the data has been transferred to the buyer, the buyer must, of course, fulfill their own responsibilities as a data controller.
2. What Is Not or Insufficiently Addressed
The DSK's resolution enables companies to conduct asset deals in compliance with data protection laws, provided they adhere to the DSK's legal interpretation. However, some practical challenges are not sufficiently addressed:
- Informing affected individuals about the initial collection of their data by the buyer must occur within one month. In practice, this can be difficult to implement, as databases are not always integrated into the buyer’s system landscape quickly enough.
- The seller must inform the affected individuals about the change of purpose associated with the data transfer. The transfer constitutes a new purpose for data processing, and the buyer is often unknown to the affected individuals as a recipient. This presents a challenge, particularly when the transaction has not yet been made public.
- The DSK does not differentiate between the various stages of a transaction (outside of the due diligence phase and the closing of the asset deal), although different requirements for data transfer exist at these stages.
3. Significance of DSK Resolutions
It is important to note that DSK resolutions are not legally binding. Rather, they represent recommendations or guidelines developed by the federal and state data protection authorities to ensure a uniform interpretation and application of data protection regulations. Companies that follow these resolutions can generally assume that they are acting in line with the expectations of the data protection authorities. Ultimately, however, it is the courts that have the final say on the interpretation and application of the GDPR and other data protection laws.
4. Conclusion
In the context of asset deals, particularly regarding data protection and the extensive rights of individuals, companies are increasingly required to identify potential risks early on. Through careful transaction planning, many data protection pitfalls can be avoided.