Use of customer data following an asset deal results in huge fines for seller and buyer

Dr. Thomas Jansen and Dr. Reka Hatala

The Bavarian Data Protection Authority imposed an extraordinarily high fine for violating the data protection laws in the course of a company acquisition.

According to the Authority´s press release dated 30 July 2015, both the seller and buyer in the acquisition were fined a five digit amount each for disclosing customer data during an asset deal.

Email addresses of customers of an online-shop were disclosed to the buyer without consent or even prior notification to the affected customers. Due to the fact that email addresses are personal data, said data transfer violated the legal regulations of the German Data Protection Act.

The Bavarian Data Protection Authority pointed out that the seller as well as the buyer must ensure compliance with all legal regulations with respect to data protection because they both qualify as data controllers.

In addition, transferring customer data without explicit consent may also violate the German Unfair Competition Act if the buyer uses the customer data for marketing purposes.

The inadmissible transfer and disclosure of personal data are administrative offences which – depending on the factual circumstances – can result in fines of up to a maximum of EUR 300,000. The president of the Bavarian Data Protection Authority emphasized that these types of privacy breaches relating to acquisitions will continue to be punished with financial penalties.