In a press release on 30 July 2015, the Bavarian data protection authority (DPA) announced that it had recently fined both seller and purchaser for unlawfully transferring customer data as part of an asset deal.
Customer data often have a significant economic value for businesses, particularly because they make it possible to deliver targeted advertising to customers. Companies frequently try to sell these high-value assets to another company as part of an asset deal. Similarly, insolvency administrators typically seek to commercially exploit customer data, which often constitute the only relevant value of the insolvent company.
Two companies had to learn from the German regulator that care should be taken in this respect. According to the Bavarian DPA, transferring customer email addresses requires prior customer consent or, alternatively, customers must be informed of the intent to carry out such a transaction beforehand to give them the opportunity to object. Because the companies failed to take such steps, the regulator alleged violations of Germany’s data protection law when the acquiring company subsequently used the customer information for advertising purposes. While the total amounts of the fines remain undisclosed, the regulator confirmed they were both five-figure sums and emphasised that the penalties were significant and incontestable.
The regulator also made expressly clear that it intends to increase the awareness of market players by continuing to take action against privacy breaches of this kind by fining transgressors. Further, the Bavarian DPA pointed out that it has been made aware of various other similar cases where personally identifiable customer data were sold in breach of data protection law.
Against this background, companies and insolvency administrators must be aware that personal customer data may not be treated and sold like any other commodity or asset. Rather, such a sale is only permitted in compliance with data protection requirements. Both the acquiring company and the seller are considered ‘controllers’ under European data protection laws and may therefore be held liable for compliance. The unauthorised transmission of personal data constitutes a legal offence that is punishable with a fine of up to €300,000.