NAIH, Hungary’s Authority for Data Protection and Freedom of Information issued an opinion on the data protection aspects of asset transfers.
In the underlying case, a website operating company sold its webshop with all of its assets (domain name, trademarks, current stock) to another company with an essentially identical business profile. The transfer also covered the transfer of the database containing the customers’ personal data (name, date of birth, email address, address, postal address, phone number). Following the transaction, the relevant people would automatically become the customers of the buyer. NAIH provided its opinion on whether the consent of the customers was required for the seller to be able to transfer the database or if merely providing a notice of the transfer was sufficient.
Data transfer without consent
Under Hungarian law, if the personal data of the customer was recorded with his/her consent then the controller can process the data without further consent for the legitimate interests of the controller or third parties, provided that such necessity is proportionate to the restriction of privacy. In addition, pursuant to the EU Data Protection Directive, personal data can be processed if the processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection.
According to the NAIH, the parties shall handle the data protection aspects of an asset transfer as follows:
- Agreeing on the data processing tasks in the SPA. NAIH recognises asset transfers as legitimate, lawful business interests, where they are based on a sale and purchase agreement. However, the parties shall set out the data processing related tasks in the transaction agreement itself.
- Performing a balancing test. NAIH confirmed that the seller may transfer personal data without the customers’ consent but in call cases, it shall perform a balancing test. As part of the test, the seller should identify the legitimate interests, the customers’ interests and the applicable privacy rights. The results of the test shall identify whether it is allowed to transfer the data as part of the transaction without the consent from the customers.
- Disclosing the balancing test. The seller should notify the customers with a clearly and understandably worded notice of the balancing test’s results, i.e. why it believes that the result of the test proves that the legitimate interests are proportional to the restriction of privacy. The notice shall cover the significant circumstances of the transaction and the data transfer (particularly when and to whom the data will be transferred) as well.
- Customers’ right to object. The seller should provide the customers with an opportunity to object to the transfer of their personal data and to request its deletion.
- Permitted changes in the seller’s privacy terms. The buyer may process the personal data of the customers only in accordance with the seller’s privacy terms. Any modification in the data processing terms qualifies as new data processing and the buyer should obtain new consent from the customers. Data processors (adatfeldolgozó) may be replaced without the customers’ consent because the buyer remains liable for the conduct of data processors, and NAIH does not consider this to be a material change in the data processing terms. For example, the buyer can appoint another hosting service provider as a new data processor without obtaining new consent.
- Fulfilment of data retention requirements. The seller and the buyer should also agree on which party will be liable for the fulfilment of mandatory data retention requirements. For example, they need to identify who will be liable for the required 8 year retention of receipts for receipts issued prior to the transaction, and such company shall remain the controller for that particular scope and purpose. If the applicable law provides that the document retention obligations shall be fulfilled by the buyer, the seller should notify the customers of this.
The opinion is a remarkable milestone in Hungarian data protection law as it is the first time when NAIH addresses the data protection aspects of transactions in such a detailed manner. Whilst the opinion outlines a clear protocol to be followed by the parties, compliance with NAIH’s opinion requires smooth cooperation between the parties. SPAs should contain the detailed data protection tasks of the parties, the clear division of their liabilities, and the agreed wording of the customer notice. In addition, the parties should carefully assess the deadlines they apply, in order to find a balance between providing adequate time for the customers to object to the transfer of their data without jeopardising the completion of the transaction. It remains to be seen if it is necessary to apply NAIH’s opinion in the context of share transfers. The exact method of the customer notification is not detailed in the opinion either (e.g. whether it may be fulfilled via a website notification). Moreover, NAIH does not address if existing, general consents to data transfers for transactional purposes would be acceptable as consent to specific asset transfers.
Despite the lack of details on certain issues, NAIH already applied its newly introduced principles in a case where it declared that a database transfer without the notification of the individuals was in breach of the Data Protection Act; however, NAIH provided the buyer with an opportunity to rectify the situation by notifying the individuals in accordance with the process outlined above.
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“EU Data Protection Directive”)
Act CXII of 2011 on the Right of Self-Determination in Respect of Information and the Freedom of Information (“Data Protection Act”)