Customer personal data is one of the most valued assets in corporate asset purchase transactions, not least because it effectively places the purchaser “in the shoes” of the seller and gives it immediate contacts with whom it can begin doing business upon acquisition.
But Data Protection Act 1998 (DPA) compliance is not to be shirked at and is more than a tick box exercise in these situations, particularly since the Information Commissioner’s Office can fine non-compliant organisations up to £500,000 – which represents a significant cut of the value of any asset purchase transaction.
A German data protection authority has recently fined both the seller and purchaser in a corporate deal five-figure sums for failure to comply with data protection laws when transferring customer personal data as part of the deal. The DPA is based on the same EU law as the German statute, so similar principles apply in the UK.
However, putting DPA compliance on the table early on the in dealmaking process and demarcating responsibilities will ensure that everything goes smoothly from a compliance perspective.
A case in point: what happened in Germany?
The seller and purchaser failed to notify the customers concerned that their personal data, consisting principally of e-mail addresses, would be transferred as part of the deal.
While the level of fine was not disclosed, the German data protection authority confirmed that both the seller and the purchaser were each required to pay sums into five figures.
What does the law say about data protection in corporate deals?
The DPA regards both the seller and the purchaser in a corporate transaction as “data controllers”. As data controllers, the seller and purchaser are required to use customer personal data fairly. In asset purchase scenarios, fair use requires:
- the seller notifying its customers that the business is to be sold to the purchaser, as part of which their personal data will be transferred to the purchaser. The notification must include an opt out for customers (which may be time restricted), allowing them to object to their personal data being transferred to the purchaser. All such objections must be respected; and
- once the deal has been done and the customer personal data transferred, the purchaser must contact the transferred customers, confirm that the transfer has taken place and provide them with a data protection statement, setting out the purposes for which the purchaser will use their personal data, amongst other things.
How do we reduce the risk of non-compliance?
As a seller, prior to engaging in detailed discussions with prospective purchasers you should undertake an audit of your DPA compliance to determine if your house is in order. It goes without saying that the more compliant you are, the higher the value of your customer personal data to the purchaser.
If you are a purchaser, undertake detailed data protection due diligence into the target company to ensure that you are not buying “dirty”, non-compliant personal data. If needs be, put in place relevant and appropriate warranties and indemnities into the asset purchase agreement to protect your position.
How we can help
To discuss any of the issues raised in this article or find out more about the DPA could affect you, please get in touch