The German Data Protection Conference (DSK) on September 11, 2024 published guidance on asset deals (the Guidelines) that distinguishes between various stages of a sale process and the relevant personal data that can be shared at each stage, including concerns about sharing individual data sets during negotiations, subject to specific exemptions. The Guidelines replace similar 2019 guidance and provide more detail for sellers and buyers in asset deals.
The DSK is a body that deliberates and issues guidelines on current issues of data privacy in Germany. Its guidelines are legally nonbinding, but often followed—even by data protection regulators outside of Germany and sometimes the courts. The DSK is a coordinating body for matters that concern several Data Protection Authorities, including the German Federal Data Protection Office.
Due to the unique situation in Germany, data privacy enforcement falls under the jurisdiction of the German states, with some exceptions. Germany is the only country in the European Union that has data protection authorities in each state.
Important Quotes from the Guidelines Affecting Asset Deals
While it should be no surprise to the involved parties that transactions in the European Union/European Economic Area must follow the principles of the General Data Protection Regulation (GDPR) and national data protection law, the DSK’s clarifications for the stages of contract negotiations and the closing of an asset deal in the Guidelines are beneficial and should be considered by the parties involved. Violations of the GDPR rules could lead to significant fines and court challenges by the affected individuals.
The following key excerpts, translated by the authors of this LawFlash, provide important clarifications regarding the handling of personal data during the different stages of contract negotiations and asset deals, as outlined in the Guidelines:
- “At the time of the contract negotiations between the sellers and potential buyers—i.e., before the closing of an asset deal—the transfer of personal data is generally not permitted. This rule applies in particular to [personal] data from customers, suppliers and employees. However, the transfer of this data to the potential buyer is permitted based on the voluntarily given consent of the individual(s) affected by the transfer in individual cases.”
- Exception: “In the context of advanced takeover negotiations, a legitimate interest may in individual cases justify the transfer of data of particularly significant persons from the aforementioned groups in accordance with Art. 6 (1) subpara. 1 lit. f of the GDPR. For example, these may be main contractual partners, personnel with management responsibility and/or key competencies for the business.”
- “Special categories of customer data, such as health data, can only be transferred from the seller to the buyer with the informed and explicit consent of the customer in accordance with Art. 9 (2) (a), Art. 7 GDPR.”
- “At the stage of mere contract negotiations between sellers and potential buyers—i.e., before the conclusion of a contract for the transfer of an undertaking and/or part of an undertaking in accordance with Section 613a German Civil Code—the transfer of employee data is generally not permitted. In individual cases, a transfer may be permitted based on the consents of the employees. In the employment relationship, the dependency of employees must always be considered when assessing the voluntary nature of the data transfer [for the consent]. In exceptional cases, an individual consent may be deemed voluntary if the seller and its employees have the same interests. In this case, consent must generally be given in writing or electronically, see Section 26 (2) German Federal Data Protection Act.”
- “If the transferor intends to transfer data of former customers without ongoing contractual relationships (legacy data) to the transferee in order to comply with statutory retention periods, a data processing agreement pursuant to Article 28 (3) GDPR is required.”
- “Insofar as no countervailing interests worthy of protection can be identified, current personal data of suppliers or their employees that is relevant to the purchaser may be transferred from the seller to the purchaser in accordance with Article 6 (1) subpara 1 lit f of the GDPR.”
- Closing: “If there is an asset deal that does not constitute a transfer of an undertaking or part of an undertaking pursuant to Section 613a of the German Civil Code, individual agreements between the seller, the buyer and the employees are required for the transfer of employee data. In these cases, the same rule applies that a transfer of employee data will generally only be possible with the voluntary and thus legally effective consent of the employees concerned.”
- “A transfer of customer data as a separate asset in the context of a sale (sale of customer databases) is generally only possible with the prior consent of the affected customers. Only in the case of microenterprises (fewer than 10 employees) or small businesses (fewer than 50 employees and an annual turnover not exceeding €10 million) transferring their customers' data to a microenterprise or small business in the same industry due to the termination of their own economic activity, the one-time transfer of only postal addresses is allowed by means of an opt-out solution. In this case, the affected customers will be informed by the seller about the transfer of their postal addresses and that they can object to it by informing the seller within a reasonable period (usually 4–6 weeks). If no objection is raised, the transfer of the postal addresses as the only asset may be based on Article 6(1) subpara. 1 lit f GDPR as an exception.”
- “The seller is always responsible under data protection law for the transfer of personal data to the buyer. In particular, . . . the seller must ensure an adequate level of protection in accordance with Article 32 of the GDPR when transferring the data to the buyer.”