Fines Issued for Transfer of Customer Data in an M&A Asset Deal

August 27, 2015

Recent enforcement actions by the Bavarian Data Protection Authority (DPA), the Bayerisches Landesamt für Datenschutzaufsicht, highlight the importance of the severe restrictions placed on the transfer of customer data, even in the context of a merger or acquisition. Specifically, on July 30, 2015 the Bavarian DPA announced that it had fined two companies, the seller and the acquirer in an asset deal, a five-figure EUR sum for transferring customer e-mail addresses, collected while operating an online shop, in violation of the German Federal Data Protection Act. Clients should expect to see more of these actions in the future, given the Bavarian DPA's announcement that it will pay increased attention to data protection compliance in asset deals and will accordingly monitor and fine companies that breach the legal requirements with more persistence.

Following this decision, data privacy law should be a focus of the legal assessment during an asset deal. This is advisable not only because of the risk of fines: such breaches could potentially also constitute a crime under the German Federal Data Protection Act and, if customer data relating to natural persons is the main asset of the company, lead to a significant financial risk for the buyer.

Background

Customer data often constitute an important asset for a company; a well-established customer database is a prerequisite for a company's essential advertising activities. A due diligence assessment accompanying the asset deal should consider the importance of data protection compliance when a company transfers these assets.

From a data protection perspective, the transfer and use of data acquired in an asset deal is only allowed if certain requirements are met. According to the Federal Data Protection Act (Bundesdatenschutzgesetz (BDSG)), any information concerning the personal or material circumstances of an identified or identifiable natural person (personal data) may only be transferred in compliance with the further requirements of the BDSG. Thus, a case-by-case assessment must determine which types of data may be transferred to the acquiring company, under what conditions, and for what purposes this data may be further used.

Personal data such as customer names and addresses, while valuable for the identification of a person, may often be transferred separately in an asset deal.

The Bavarian DPA points out, however, that companies often hold much more customer data, especially when maintaining an online store. This may include customers' telephone numbers, e-mail addresses, bank account and credit card details, and information on what transactions the customers have entered into with the company.

In an asset deal, the data is often transferred without obtaining the necessary prior consent of the customer, or at least informing the customer of a possible future transfer and giving the customer the opportunity to object to such a transfer of the data.

In addition, for e-mail addresses and telephone numbers which might be used for advertising purposes, the Act against Unfair and Deceptive Trade Practices (Gesetz gegen den unlauteren Wettbewerb (UWG)) applies, which often prohibits the use of such data for e-mail or telephone marketing without the express consent of the customer.

According to the Bavarian DPA, both the rules of data privacy law and those of unfair and deceptive trade practices law are often neglected in asset deals. Such behavior is frequently discovered by a supervisory authority when people complain about advertising e-mails they have received from a company unknown to them, where they have not consented to such a transfer.

According to the BDSG, a seller transferring customer data, as well as an acquirer collecting such data from the seller, is considered a data controller who is responsible for data protection compliance. Non-compliant transfer and collection of personal data constitute an administrative offence which might be fined with a sum of up to EUR 300,000. Additionally, these transfers can constitute a criminal offense if the transfer was done with the intent to enrich oneself or another person. Further, marketing to customers in violation of the UWG can lead to interim injunctions filed by, for example, competitors or consumer protection agencies, and can lead to significant costs and business interruptions, particularly if cease and desist letters were signed, which are most often safeguarded by contractual penalty undertakings.

Outlook

In an asset deal, a precise analysis of the transfer of the different types of customer data is indispensable at each step of the acquisition process. Non-compliance will be more rigorously fined by the competent authorities. Companies should carefully check which data they can sell or purchase and what other measures have to be taken to justify such a transfer of data.

The following due diligence steps may help to better evaluate the risks associated with an intended transfer of customer data:

  • What kind of data is to be transferred, and what laws govern the permissibility of the transfer?
  • If the company obtained customer consents for the use, does the wording permit a transfer of data?
  • Do the privacy policies give proper disclosure of an intended data transfer?

For more information about these developments, please contact Dr. Christian Schröder, Orrick's head of IP/IT & Data Privacy Practice Group in Germany, at +49 211 3678 7249 or [email protected].