DSK: New reso­lu­ti­on on the sale of cus­to­mer data as an asset deal

At an inte­rim con­fe­rence on Sep­tem­ber 11, 2024, the Ger­man Data Pro­tec­tion Con­fe­rence (DSK) pas­sed reso­lu­ti­ons on asset deals, pati­ent records and rese­arch data, among other things (press release).

In the asset deal, DSK is thus repla­cing its pre­vious reso­lu­ti­on of May 24, 2019 by a new ver­si­on that is more differentiated:

The DSK is repla­cing its decis­i­on of 24 May 2019 on the “asset deal” with a new, more dif­fe­ren­tia­ted decis­i­on in order to har­mo­ni­ze the appli­ca­ti­on of the GDPR to a grea­ter ext­ent and pro­vi­de the com­pa­nies con­cer­ned with a clear frame­work for action. […] Assets may also include data on cus­to­mers, sup­pliers or employees. […] In its decis­i­on, the DSK has deter­mi­ned in detail the con­di­ti­ons under which such data may be trans­fer­red to a successor.

The neue Beschluss „Über­mitt­lun­gen per­so­nen­be­zo­ge­ner Daten an die Erwer­be­rin oder den Erwer­ber eines Unter­neh­mens im Rah­men eines Asset-Deals“ vom 11. Sep­tem­ber 2024 sta­tes, among other things, that

  • the trans­fer of data as part of a share deal is unpro­ble­ma­tic, sub­ject to due diligence,
  • the trans­fer of per­so­nal data (cus­to­mers, employees, etc.) gene­ral­ly inad­mis­si­ble at the time of con­tract nego­tia­ti­ons sub­ject to effec­ti­ve and, in par­ti­cu­lar, vol­un­t­a­ry con­sent and a legi­ti­ma­te inte­rest in the indi­vi­du­al case. This is par­ti­cu­lar­ly the case for main con­trac­tu­al part­ners or employees with manage­ment roles;
  • for the trans­mis­si­on of Cus­to­mer data must be distinguished: 
    • If the cus­to­mer rela­ti­on­ship is at the stage of con­cre­te Con­tract initia­ti­ona trans­fer based on a legi­ti­ma­te inte­rest is gene­ral­ly pos­si­ble, wher­eby an objec­tion solu­ti­on with an appro­pria­te time limit is required;
    • for a trans­fer­red ongo­ing con­trac­tu­al rela­ti­on­ship (inclu­ding in the case of ongo­ing war­ran­ty peri­ods), the per­mis­si­bi­li­ty is based on the ful­fill­ment of the con­tract (Art. 6 para. 1 lit. b GDPR; unless spe­cial cate­go­ries of data are invol­ved). If, on the other hand, the purcha­ser only assu­mes the per­for­mance risk, not the con­tract, the legi­ti­ma­te inte­rest would again have to be reli­ed upon. In this case, bank data may only be trans­fer­red with consent.
    • in the case of a ter­mi­na­ted con­trac­tu­al rela­ti­on­ship cus­to­mer data may only be trans­mit­ted to ful­fill a legal archi­ving obligation.
    • At the Assign­ment of receiv­a­bles the trans­fer is gene­ral­ly based on the legi­ti­ma­te interest.
    • At the Adver­ti­sing by the acqui­rer is the same as for the seller.
    • A trans­mis­si­on spe­cial cate­go­ries of data requi­res consent.
    • For the trans­mis­si­on of busi­ness Cont­act details of sup­pliers the legi­ti­ma­te inte­rest gene­ral­ly applies;
  • at Employee data
    • In the event of a busi­ness take­over (in Switz­er­land: Art. 333 OR), the trans­fer is based on the Per­for­mance of the con­tract or legi­ti­ma­te inte­rest. The same applies to spe­cial cate­go­ries of data based on Sec­tion 26 (3) BDSG;
    • is in the Stage of the nego­tia­ti­on of the asset deal that a trans­fer is gene­ral­ly inad­mis­si­ble, sub­ject to excep­tio­nal vol­un­t­a­ry consent;
    • employees must com­ply with a spe­cial pro­vi­si­on of the Ger­man Civil Code on the trans­fer of busi­ness informs be
    • Out­side of a busi­ness take­over, a trans­fer gene­ral­ly requi­res a Con­sent;
  • The sel­ler and purcha­ser are each respon­si­ble for their pro­ce­s­sing. One joint respon­si­bi­li­ty DSK obvious­ly does not see this as a mat­ter of principle;
  • a dis­po­sal of Cus­to­mer data as the only asset – i.e. out­side of a trans­fer of con­tracts or receiv­a­bles – is gene­ral­ly only per­mit­ted with con­sent. An excep­ti­on only applies to com­pa­nies with fewer than 50 employees and a tur­no­ver of no more than EUR 10M if the sel­ler cea­ses its eco­no­mic acti­vi­ty and trans­fers the busi­ness to a purcha­ser in the same eco­no­mic sec­tor; in this case, an objec­tion solu­ti­on is suf­fi­ci­ent as an excep­ti­on for a one-off trans­fer of postal addresses.

The decis­i­on may be more dif­fe­ren­tia­ted, but this is pre­cis­e­ly why it brea­thes the govern­ment-like spi­rit of the GDPR as under­s­tood in Ger­ma­ny. In Switz­er­land, it is gene­ral­ly assu­med that an assign­ment of claims is gene­ral­ly per­mis­si­ble wit­hout the con­sent or even infor­ma­ti­on of the debtor, that this assess­ment can­not be wit­hout con­se­quen­ces for data pro­tec­tion law, that in the case of a trans­fer with the ces­sa­ti­on of the seller’s own busi­ness acti­vi­ties to the ext­ent of the sale, only a chan­ge of con­trol­ler takes place, and that the­r­e­fo­re no con­sent is requi­red for the dis­clo­sure (but infor­ma­ti­on is requi­red in due cour­se). In this case, it is not even cer­tain that justi­fi­ca­ti­on is requi­red at all, espe­ci­al­ly sin­ce it is gene­ral­ly known that con­tracts, receiv­a­bles and data can be sold under cer­tain circumstances.

Aut­ho­ri­ty

Area

Topics

Rela­ted articles

Sub­scri­be