German data protection authorities get serious: fines of up to EUR 300,000 may be awarded for transfer of customer data in M&A asset deal transactions

Under German data protection laws, the transfer of customer personal data requires the customer’s approval. Furthermore, the purchaser of personal customer data must obtain customers’ explicit approval before using customer e-mail addresses and phone numbers for advertising messages.

In 2015, the Bavarian data protection authority (Bayerisches Landesamt für Datenschutzaufsicht) fined both seller and purchaser in an asset deal transaction for violations of the approval requirement. The seller had transferred personal customer data to the purchaser, and the purchaser in turn had used the information for advertising purposes. No approvals had been obtained.

According to the authorities, the transfer of mere customer names and mailing addresses (so-called “list data”) does not require prior customer approval, if the transfer is properly documented. However, the transfer of other personal data, such as phone numbers, e-mail addresses, and bank account and/or credit card information, requires the customer’s approval. At a minimum, affected customers have to be informed about the intended transfer in order to give them a right of objection.

While in a share deal, technically no data is transferred, as it stays with the target entity, asset deals are prone to violations of data protection laws. All customers have to be identified and their approval should be sought. At a minimum, they should be given the right to object to the transfer. The approval itself also has to meet specific requirements: inter alia, it has to be sought mentioning the transferee, so that a general blank approval to transfer data to third parties is not permissible.

In addition, one should be aware of a recently passed draft act to improve the civil enforcement of consumer data protection rules. Under the new law, consumer associations  will be entitled to sue companies for violations of consumer data protection rules. Further, the law sets a grace period for companies which have been transferring customer data from Germany to the U.S. under the recently invalidated Safe Harbor Rules. Consumer associations may bring actions against such companies after September 30, 2016. Finally, under the new legislation, consumers or third parties may only be held to communicating via e-mail (so-called “text form”), abolishing the commonly used “written form” requirement. Accordingly, companies should review and potentially amend their consumer agreements and terms and conditions until September 30, 2016 in order to comply with the new rules.