Germany Fines Two Companies for Unlawful Transfer of Customer Data as Part of an Asset Deal

The Bavarian Data Protection Authority (DPA) in Germany has fined[1] two implicated companies – both seller and purchaser – for unlawfully transferring customer data as part of an asset deal. The DPA acknowledged that customer data are of great value for a company, in particular for the purposes of direct marketing, in connection with such an asset deal or if an insolvency administrator has to wind down the business. The DPA emphasized that customer data relating to individuals are personal data and therefore subject to the requirements of German data protection law; personal data may therefore not be treated or sold like any other commodity or asset. In the case at hand, the seller was running an online shop. In the course of the asset deal, the seller had transferred all of his assets, in particular the names and email addresses of his customers, to the purchaser without prior notice to the customers and without obtaining the customer’s consent. The purchaser used the email addresses for direct email marketing. The DPA stated that the transfer of the customer’s name and postal address in the course of an asset deal does not raise any issues from a German data privacy law perspective, as they fall under the special rules for “Group Data” (Sec. 28 para 3 sentence 2 BDSG). “Group Data” are defined as data about the data subject’s membership of this group, his/her occupation, name, title, academic degree, address and year of birth. Such “Group Data” can be processed and used for purposes of advertising where the processing or use is necessary, amongst others,

1. for advertising offers from the controller which collected the data (i) from the data subject in the course of a contractual relationship with the data subject or (ii) from generally accessible sources such as the publicly available address directory,
2. for purposes of advertising in view of the data subject’s occupation and under his/her work address, or (3) for purposes of advertising third party offers if the data subject when addressed for purposes of advertising can unambiguously recognize the controller who is responsible for the use of the data for marketing purposes. That “Group Data” can also be transferred for advertising purposes, without the data subject’s consent, as long as two condition are met: One, that the transferring entity and the recipient store the “Group Data” together with the information on the origin and the recipient of the data for two years. Two, upon data subject’s requests, the data subject is informed about the origin and the recipient. The recipient can then use the “Group Data” for its own advertising purposes, provided that the advertising identifies the entity that originally collected the “Group Data”. From a disclosure perspective, the DPA considers it sufficient if such a transfer of “Group Data” for advertising purposes in connection with an asset deal is disclosed to the data subject in the general data privacy policy, that means, the recipient must not be disclosed by name but described as a category of recipients (e.g. purchaser of the business as a whole or partly). However, since “Group Data” do not include the telephone number or the email address of the data subject, any advertising must in this case be done via postal mail. It must also be considered, that despite the detailed rules on the processing and usage, including transfer, of “Group Data” for advertising purposes, if this processing activity conflicts with the legitimate interests of the data subject, the processing activity would nevertheless be impermissible.In any event, the German data protection authorities take the position that the data subject must be informed prior to any data transfers in connection with an asset deal about the specific data transfer, including the identity of the recipient. Those data protection authorities that require explicit consent require the disclosure of the name of the recipient a prerequisite of a valid consent. Those data protection authorities that deem a right to object as sufficient require that the data subject must know the identity of the recipient in order to come to the conclusion that the data subject does not have an overriding legitimate interest, Sec. 28 para 1 sentence 1 No. 2 BDSG, against the data transfer if he/she did not object.The DPA held both, seller and purchaser, responsible for the illegal data transfer: The seller illegally transferred the data, and the purchaser illegally collected the data (from the seller). In addition, the purchaser violated the Unfair Competition Act because he used the data for unsolicited marketing emails. Fines for illegal data transfer and data collection can be up to EUR 300,000. In this case, the DPA did not specify the exact amount of fines imposed against the seller and the purchaser, but stated that it was a five-digit amount. Also, the purchaser was order to delete the customer data illegally received from the seller.
3. Assuming that the seller lawfully transferred the customer data, such as name and email address to the purchaser (e.g. because the customers consented or were properly notified and did not raise objections), then the purchaser must still consider whether it is permitted to actually use the customer data for direct marketing purposes. The German Unfair Competition Act establishes the rules for direct email marketing. In principle, the prior express (opt-in) consent of the customer is required for email marketing by the purchaser. Even if the seller had obtained the customer’s consent for direct email marketing purposes, such consent does typically not validly cover and permit direct email marketing by a third party (here the purchaser), especially because German courts require that such email marketing consent wordings are very specific. It would very likely not be sufficiently transparent to have an email marketing consent wording stating that the company and any subsequent purchaser are entitled to send marketing emails. Consequently, the purchaser needs to obtain its own consent from the customers for email marketing purposes. The purchaser must bear in mind that even the email to the customer requesting consent for email marketing purposes qualifies very likely as email marketing. Hence, the seller should also request the customer’s consent for email marketing[2] by the purchaser when the seller obtains consent or at least notifies the customer of the intended data transfer.
4. If the seller transfers data beyond the “Group Data”, such as telephone number, email address, payment or credit card details, or purchase history, then the privileges for the transfer of “Group Data” for advertising purposes no longer apply. The DPA states that this type of data transfer requires either the data subject’s consent or – at least – the prior notification of the data subject, which must include information on a right to object to the data transfer and no objections by the data subject. The latter would justify the data transfer based on the balancing of interest test. In the course of an informal conversation with the DPA, the DPA elaborated that the German data protection authorities could not reach a uniform opinion on the issue of data transfer in connection with an asset deal; some German data protection authorities require explicit consent of the data subject, and some German data protection authorities consider the right to object as sufficient.

———————— [1] The related press release was published on July 30, 2015 [2] There is an exception for existing business relationships: A business can send marketing emails to its customer if (i) the business has obtained from the customer the customer’s email address in connection with the sale of goods or services; (ii) the business uses the email address for direct advertising of its own similar goods or services; (iii) the customer has not objected to this use; and (iv) the customer has been clearly and unequivocally advised, when the email address is first collected as well as each time it is used, that the customer can object to such use at any time, without costs arising by virtue thereof, other than transmission costs pursuant to the basic rates. However, in the case at hand the purchaser did not yet have such an existing business relationship with the data subjects.