Where the data controller needs to share personal data in the course of a merger and acquisition, obtaining the consent of individuals is often impractical. If individuals’ personal data has been collected without consent being given to the disclosure of such data in the course of a corporate transaction, the data controller has to rely on the “legitimate interests” exemption.
The “legitimate interests” exemption under the Data Protection Directive 95/46/EC and applicable member state law is often used to justify sharing of personal data. It is, however, a narrowly defined exemption from the requirement to obtain informed consent.
For example, personal data may need to be shared with third parties in the course of a corporate transaction, but the fact that this is convenient does not necessarily make it legitimate.
Recently, however, the Hungarian Data Protection Authority (DPA) was required to provide guidance on the practical application of the “legitimate interests” exemption under Hungarian law. Whilst the guidance is relevant to M&A transactions involving online shops, it is of value in general.
In this particular instance the sale of assets of an online business involved the transfer of the vendor’s database in circumstances where there was no guarantee that all individuals on the database had necessarily consented to a transfer in the course of a sale.
The DPA guidance describes the “legitimate interests” exemption as having “three prongs”, namely:
- the identification of the data controller
- the recognition of the fundamental rights of each data subject
- the requirement to balance the legitimate interests of the data controller with the fundamental rights of each data subject
before sharing or transferring each data subject’s personal information.
More importantly, the guidance from the DPA indicated that no transfer of individuals’ personal data could be made unless they had been notified in advance by the data controller.