The local privacy regulator in the German state of Bavaria (BayLDA) has issued fines to two online retailers for the unlawful transfer or customer email addresses as part of the sales of each companies’ assets.

Such activities require either: the consent of the customer; or that the customer is informed with sufficient opportunity to object to the transfer of such data. Neither step was taken and so the BayLDA held that the acquiring company was in breach of German data protection law when the transferred data was used for advertising purposes.

A summary of the decision is available here.

What action could be taken to manage risks that may arise from this development?

Companies should ensure that where they acquire any customer data in asset sales that it has reviewed the seller’s privacy policy and confirmed the appropriate disclosures have been made to the relevant customers.