What does this cover?

The Bavarian Data Protection Office (BDPO) announced that it has imposed fines on the seller and buyer of a Bavarian company for violating the data protection laws during a company acquisition, with each party being fined a five digit sum for disclosing customer data during an asset deal.

Email addresses of customers of an online-shop were disclosed to the buyer without consent or prior notification to the affected customers. As the email addresses constituted personal data, the data transfer violated the legal regulations of the German Data Protection Act. The BDPO pointed out that the seller as well as the buyer must ensure compliance with all legal regulations with respect to data protection because they both qualify as data controllers. In addition, transferring customer data without explicit consent may also violate the German Unfair Competition Act if the buyer uses the customer data for marketing purposes.

More generally, the BDPO President said that in the course of asset deals customers’ personal data was often being sold in breach of privacy law. He stated the inadmissible transfer and disclosure of personal data are administrative offences which can result in fines of up to EUR 300,000.

 A copy of the Bavarian Data Protection Office announcement can be found here (German).

What action could be taken to manage risks that may arise from this development?

Where any customer data is involved in asset sales in Germany, companies (as buyer or seller) should ensure that appropriate steps are taken to ensure compliance with German data protection laws.