Wintertaling – GDPR in M&A | A practical look at the practice

AI-Generated

Written by Tim Carapiet-Petit, Thédoor Melchers and Esra Koopman

Personal data is often a crucial concern in M&A transactions. In some companies, this is limited to the data of employees and a few customers, while in others, customer data accounts for most of the value. Personal data is transferred in various situations, often without the personal data provider (the “Data Subject” in the terminology of the General Data Protection Regulation (GDPR)) being consciously informed in advance.

Shares Transaction

When the shares in a company are sold, and with them the business that holds all that personal data, this usually goes well: the entrepreneur (the “controller”) does not change; only the shares change hands. We will not further discuss the exchange of personal data during the due diligence phase of an acquisition process in this blog.

Asset-Liability Transaction

When selling a company via an asset-liability transaction, personal data such as customer data, employee information and user data are often sold as separate assets[1]. This can be attractive to the buyer, but the GDPR imposes strict requirements on how such data may be handled. A company may not ‘sell’ personal data without a valid legal basis.

GDPR

The GDPR provides a limited list of legal bases for ‘selling’ personal data. Two of these are relevant to M&A transactions: (i) explicit consent of the data subject, or (ii) the legitimate interest of the entrepreneur, which outweighs the data subject's right to privacy[2].

(i) Explicit consent of the data subject is ideally obtained before any acquisition takes place. This can be done, for example, at the moment the personal data is collected, such as when a customer enters his data on the website when applying for a product. At that point, the privacy policy should state in clear language that the company also collects the personal data in order to transfer it when the company is sold. If explicit consent is obtained from the data subject in this way, the processing (in this case, the transfer of the personal data) is in line with the original purpose for which the data was collected (provided, of course, that the new owner will not use the data in a different way than originally intended). Note that consent can be withdrawn by the data subject at any time.

(ii) The legitimate interest of the entrepreneur may serve as a basis for the transfer of personal data in an acquisition. The company as a whole is transferred and continued by another entrepreneur (data controller). For the data subject, nothing actually changes in the services provided, except the name of the service provider. As mentioned earlier, this only applies if the new owner does not use the personal data for other purposes.

In both cases, however, the customer must be informed of the transfer of the business. If “consent of the data subject” serves as the basis under the GDPR, that consent to the transfer of the personal data can (still) be withdrawn by the data subject at that moment. For the basis “legitimate interest of the entrepreneur” this does not apply; the notice to the customer about the new owner of the company is then also a notice of contract takeover. A contracting party (the customer/affected party) may oppose this contract takeover, which means that the transfer of the contract, and thus of the personal data, does not go ahead.

Bankruptcy

A similar situation arises when the company goes bankrupt and the trustee in bankruptcy wishes to transfer the personal data in order to realise proceeds for the estate. If the personal data are transferred as part of the larger company and these activities are continued (read: the new controller's processing fits within the purpose for which the personal data were originally provided), there does not seem to be much objection to this transfer in principle.

Separate Asset

The situation is different when personal data is transferred independently as separate assets. An example is the sale of a membership database to a sponsor (see KNLTB v Autoriteit Persoonsgegevens (AP)). Court of Justice case law shows that it is in principle possible to transfer personal data for commercial purposes. In the KNLTB case, the AP had nevertheless disapproved of such transfers each time and imposed a substantial fine in certain cases. The ECJ has now taken the AP to task for this, stating that the possibility of transferring personal data for commercial reasons cannot be excluded a priori on the basis of the interest of the entrepreneur[3].

So while this possibility exists in theory, the question remains to what extent the personal data was originally provided to be sold, and then to be used for marketing purposes. When I became a member of the tennis club and thus an automatic member of the KNLTB, I was unaware that my data would be shared with external commercial parties and I would be harassed with advertisements. This illustrates that it depends on the type of data, the parties to whom it is transferred, the motives and the information initially provided to customers.

Conclusion

While it is possible to transfer personal data in an M&A transaction, and also outside one, doing so requires careful alignment with privacy rules and often good legal advice to stay compliant and minimise risks. Feel free to leave your personal data on our website for that purpose.

[1] This is not quite legally correct, as such data is not an “asset” and the company does not own it. Nevertheless, this data is “transferred” to the buyer, usually in physical form by providing the Excel file or CRM system.

[2] The GDPR contains more relevant requirements not further discussed in this blog, such as proportionality, data minimisation and subsidiarity of how personal data is collected or transferred.

[3] ECLI:EU:C:2024:857, Court of Justice of 4 October 2024 answering preliminary questions in Case C-621/22, Koninklijke Nederlandse Lawn Tennisbond v Autoriteit Persoonsgegevens
