At an interim conference on September 11, 2024, the German Data Protection Conference (DSK) passed resolutions on asset deals, patient records and research data, among other things (press release).
In the asset deal, DSK is thus replacing its previous resolution of May 24, 2019 by a new version that is more differentiated:
The DSK is replacing its decision of 24 May 2019 on the “asset deal” with a new, more differentiated decision in order to harmonize the application of the GDPR to a greater extent and provide the companies concerned with a clear framework for action. […] Assets may also include data on customers, suppliers or employees. […] In its decision, the DSK has determined in detail the conditions under which such data may be transferred to a successor.
The neue Beschluss „Übermittlungen personenbezogener Daten an die Erwerberin oder den Erwerber eines Unternehmens im Rahmen eines Asset-Deals“ vom 11. September 2024 states, among other things, that
- the transfer of data as part of a share deal is unproblematic, subject to due diligence,
- the transfer of personal data (customers, employees, etc.) generally inadmissible at the time of contract negotiations subject to effective and, in particular, voluntary consent and a legitimate interest in the individual case. This is particularly the case for main contractual partners or employees with management roles;
- for the transmission of Customer data must be distinguished:
- If the customer relationship is at the stage of concrete Contract initiationa transfer based on a legitimate interest is generally possible, whereby an objection solution with an appropriate time limit is required;
- for a transferred ongoing contractual relationship (including in the case of ongoing warranty periods), the permissibility is based on the fulfillment of the contract (Art. 6 para. 1 lit. b GDPR; unless special categories of data are involved). If, on the other hand, the purchaser only assumes the performance risk, not the contract, the legitimate interest would again have to be relied upon. In this case, bank data may only be transferred with consent.
- in the case of a terminated contractual relationship customer data may only be transmitted to fulfill a legal archiving obligation.
- At the Assignment of receivables the transfer is generally based on the legitimate interest.
- At the Advertising by the acquirer is the same as for the seller.
- A transmission special categories of data requires consent.
- For the transmission of business Contact details of suppliers the legitimate interest generally applies;
- at Employee data
- In the event of a business takeover (in Switzerland: Art. 333 OR), the transfer is based on the Performance of the contract or legitimate interest. The same applies to special categories of data based on Section 26 (3) BDSG;
- is in the Stage of the negotiation of the asset deal that a transfer is generally inadmissible, subject to exceptional voluntary consent;
- employees must comply with a special provision of the German Civil Code on the transfer of business informs be
- Outside of a business takeover, a transfer generally requires a Consent;
- The seller and purchaser are each responsible for their processing. One joint responsibility DSK obviously does not see this as a matter of principle;
- a disposal of Customer data as the only asset – i.e. outside of a transfer of contracts or receivables – is generally only permitted with consent. An exception only applies to companies with fewer than 50 employees and a turnover of no more than EUR 10M if the seller ceases its economic activity and transfers the business to a purchaser in the same economic sector; in this case, an objection solution is sufficient as an exception for a one-off transfer of postal addresses.
The decision may be more differentiated, but this is precisely why it breathes the government-like spirit of the GDPR as understood in Germany. In Switzerland, it is generally assumed that an assignment of claims is generally permissible without the consent or even information of the debtor, that this assessment cannot be without consequences for data protection law, that in the case of a transfer with the cessation of the seller’s own business activities to the extent of the sale, only a change of controller takes place, and that therefore no consent is required for the disclosure (but information is required in due course). In this case, it is not even certain that justification is required at all, especially since it is generally known that contracts, receivables and data can be sold under certain circumstances.