The Bavarian Data Protection Authority (DPA) in Germany has fined two implicated companies – both seller and purchaser – for unlawfully transferring customer data as part of an asset deal. The DPA acknowledged that customer data are of great value for a company, in particular for the purposes of direct marketing, in connection with such an asset deal or if an insolvency administrator has to wind down the business. The DPA emphasized that customer data relating to individuals are personal data and therefore subject to the requirements of German data protection law; personal data may therefore not be treated or sold like any other commodity or asset. In the case at hand, the seller was running an online shop. In the course of the asset deal, the seller had transferred all of his assets, in particular the names and email addresses of his customers, to the purchaser without prior notice to the customers and without obtaining the customer’s consent. The purchaser used the email addresses for direct email marketing. The DPA stated that the transfer of the customer’s name and postal address in the course of an asset deal does not raise any issues from a German data privacy law perspective, as they fall under the special rules for “Group Data” (Sec. 28 para 3 sentence 2 BDSG). “Group Data” are defined as data about the data subject’s membership of this group, his/her occupation, name, title, academic degree, address and year of birth. Such “Group Data” can be processed and used for purposes of advertising where the processing or use is necessary, amongst others,
- for advertising offers from the controller which collected the data (i) from the data subject in the course of a contractual relationship with the data subject or (ii) from generally accessible sources such as the publicly available address directory,
- Assuming that the seller lawfully transferred the customer data, such as name and email address to the purchaser (e.g. because the customers consented or were properly notified and did not raise objections), then the purchaser must still consider whether it is permitted to actually use the customer data for direct marketing purposes. The German Unfair Competition Act establishes the rules for direct email marketing. In principle, the prior express (opt-in) consent of the customer is required for email marketing by the purchaser. Even if the seller had obtained the customer’s consent for direct email marketing purposes, such consent does typically not validly cover and permit direct email marketing by a third party (here the purchaser), especially because German courts require that such email marketing consent wordings are very specific. It would very likely not be sufficiently transparent to have an email marketing consent wording stating that the company and any subsequent purchaser are entitled to send marketing emails. Consequently, the purchaser needs to obtain its own consent from the customers for email marketing purposes. The purchaser must bear in mind that even the email to the customer requesting consent for email marketing purposes qualifies very likely as email marketing. Hence, the seller should also request the customer’s consent for email marketing by the purchaser when the seller obtains consent or at least notifies the customer of the intended data transfer.
- If the seller transfers data beyond the “Group Data”, such as telephone number, email address, payment or credit card details, or purchase history, then the privileges for the transfer of “Group Data” for advertising purposes no longer apply. The DPA states that this type of data transfer requires either the data subject’s consent or – at least – the prior notification of the data subject, which must include information on a right to object to the data transfer and no objections by the data subject. The latter would justify the data transfer based on the balancing of interest test. In the course of an informal conversation with the DPA, the DPA elaborated that the German data protection authorities could not reach a uniform opinion on the issue of data transfer in connection with an asset deal; some German data protection authorities require explicit consent of the data subject, and some German data protection authorities consider the right to object as sufficient.
————————  The related press release was published on July 30, 2015  There is an exception for existing business relationships: A business can send marketing emails to its customer if (i) the business has obtained from the customer the customer’s email address in connection with the sale of goods or services; (ii) the business uses the email address for direct advertising of its own similar goods or services; (iii) the customer has not objected to this use; and (iv) the customer has been clearly and unequivocally advised, when the email address is first collected as well as each time it is used, that the customer can object to such use at any time, without costs arising by virtue thereof, other than transmission costs pursuant to the basic rates. However, in the case at hand the purchaser did not yet have such an existing business relationship with the data subjects.