Data Protection Report - Norton Rose Fulbright

The German data protection authorities, acting as the German data protection conference (Datenschutzkonferenz), recently published guidance on how to transfer customer data in an asset deal. The guidance runs through various scenarios. In most cases, a bulk transfer of all customer data is not permitted. Further, the guidance makes no mention of, or allowance for, the transfer of marketing permissions which – as these are generally on an opt-in consent basis in Germany – means a buyer cannot rely on the seller’s marketing consents in an asset sale. Therefore, the position in Germany remains that it is highly advisable to structure M&A deals as share deals when selling the target together with customer data databases relating to individuals.

The German Data Protection Authorities (DPAs) allow the transfer of customer personal data under the grounds of legitimate interests in an asset deal only when the last customer contract terminated less than three years ago. Prospective customers’ personal data, and personal data relating to customers whose contracts terminated more than three years ago, cannot be transferred without the data subject’s consent.

The Guidance

The guidance addresses the following scenarios:

  • On-going customer contract: under German civil law, the transfer of an ongoing contract under a novation generally requires each party’s consent. The guidance states that this consent would also extend to a transfer of related personal data;
  • Existing customers: personal data of existing customers can be transferred under the grounds of legitimate interests when an opt-out option is given within six weeks of the transfer. This is limited to customers whose contract terminated no longer than three years before the transfer, or where parties have already entered into commercial negotiations (the DPAs refer to an “advanced discussion of a contract” (fortgeschrittene Vertragsanbahnung) where it is quite unclear what this is actually referring to);
  • Older customer data: where the customers’ contracts terminated more than three years ago, the grounds of legitimate interests do not allow transferring the personal data for on-going use other than for record keeping purposes;
  • Assignment of claims: where payment claims against a customer are legally assigned under German civil law, the assignor can also transfer the customers’ personal data to the assignee (but only if the assignment was not excluded in the contract); and
  • No sensitive data: unsurprisingly, any transfer of special categories of personal data requires consent.

Our take

These rules make the transfer of customer personal data in an asset sale very difficult. Existing databases have to be analysed and split to ensure a compliant transfer. Therefore, with large or strategically valuable customer databases, it is highly advisable  to structure the transaction through a share sale (usually achieved through corporate restructuring and hive downs to a new company which owns the target assets, including customer contracts and databases).

Finally, it is interesting to note that this quite conservative guidance (compared with the application of the grounds of legitimate interests in some other EU member states) is not shared by all German DPAs – out of the sixteen, the Berlin and Saxony authorities did not endorse the guidance (probably as they would have an even more conservative position and would always require consent).