The Hungarian DPA recently released guidance on issues arising in the context of the sale of the assets of an online shop.  This is the first guidance from the DPA on the practical application of the “legitimate interest” test under Hungarian data protection laws and is relevant to M&A transactions involving online shops.

The sale of the assets of an online shop involves situations where domains, goods, trademarks and client databases as a whole are sold by one online shop operator to another, without the purchase / transfer of shares.   The transfer of client databases (including personal data) is ancillary that asset sale transaction. The DPA has taken the position that the transfer of the client database in such a transaction constitutes a personal data transfer under the provisions of the Information Act (the Hungarian implementation of Directive 95/46/EC) which must be legitimized by an appropriate legal basis for the data processing. However, the DPA underlined that the parties to the transaction do not necessarily need to rely upon the freely given, express advance consent of the data subject (under Section 5(1)(a) of the Information Act) provided that such transfer may be justified by other legal reasons - such as by the legitimate interest clause contained in the Hungarian Information Act or in Article 7(f) of the EU Directive (which is directly effective in Hungary) (see joined cases C-468/10. and C-469/10. of the CJEU).

The DPA described the “legitimate interest” (or balance of interests) test as having three prongs: (i) the identification of the legitimate interest of the controller; (ii) the identification of the legitimate interest or fundamental right of the data subject; and (iii) the requirement that those two weights be balanced against each other in order to determine if the “legitimate interest” may be relied on as the legal basis for data processing in the given situation. In that context, the DPA suggested considering the following key factors when applying the test:

  • The seller must provide clear and comprehensive information to the data subjects (i.e., the online shop’s customers) on the outcome of the test performed by the seller, explaining why it considers that its interests outweigh the restriction on the interests and rights of the data subjects.  The seller’s notice to the data subjects must include the details of the transfer, such as its date, the identity of the recipient of data, and the main details of the asset sale transaction;
  • Before the data is transferred to the new online shop operator, the seller (i.e., the data controller) must provide to the data subjects the effective possibility to object to the transfer of their personal data to the buyer;
  • The buyer must remain bound by the conditions under which the seller processed the personal data of the data subjects.  The data processing conditions may not change as a result of the data transfer to the new data controller.  However, this does not impact the right of the new controller to engage a new data processor (which, in any case, does not require the data subject’s consent).

The DPA also noted that certain processing activities (such as the retention of invoices) are based on the provisions of the accounting laws. If the seller and the buyer have agreed that the seller will retain the accounting documents, said data transfer is considered to be based on a legal provision (under Section 5(1)b) of the Information Act).  However, the DPA underlined that the notice to the data subjects also must include information about transfers of personal data the processing of which is based on a legal provision.