
15.09.2015

Bavarian State Office for Data Protection imposes fine for a data protection breach within the scope of the purchase of a company

The fine resulted from a common set of circumstances: within the scope of an “asset deal”, a company operating an online shop is sold to another company (a sub-case of the company purchase in which all assets are transferred under the terms of singular succession). A key asset of the company sold was its customer database. None of the participants involved in the purchase of the company had considered that data protection laws could make the transfer of the personal data contained in the database problematic. The Bavarian State Office for Data Protection (Bayerisches Landesamt für Datenschutzaufsicht, BayLDA) criticized the fact that the transfer of the customer database to the purchaser had taken place without the legitimation required under data protection law. The data concerned were clearly not list data as defined by Section 28 Para. 3 Clause 2 of the German Federal Data Protection Act (Bundesdatenschutzgesetz), which may also be passed on and used by the recipient without the prior consent of the individual concerned (as a possible basis for legitimation). The supervisory authority issued the following statement, which refers specifically and unambiguously to this issue: Companies and insolvency administrators must be aware that personal customer data cannot be sold in the same way as any other product. Rather, such a sale is only permitted within the scope of data protection law regulations.

Conclusion: The illegal handing over of customer data is a problem for both the vendors and the purchasers of companies, since the vendor is “transferring” and the purchaser is “gathering” the data without the required legitimation. Privacy breaches of this kind can represent a regulatory offence which can be subject to fines of up to EUR 300 000.

Authors

Dr. Matthias Nordmann

Partner

Benjamin Spies

Partner
