Customer data often has a considerable economic value for companies, especially because of the possibility of personalised advertising. If a company ceases operations, it often tries to sell valuable economic goods ("assets") to another company in return for payment by way of a so-called asset deal. Similarly, insolvency administrators of an insolvent company try to sell the customer data, which often still represents the only relevant value, in the best possible way.
However, two companies from Bavaria had to learn that caution is required. The Bavarian State Office for Data Protection Supervision (BayLDA ) recently imposed fines in the five-digit range on both the selling and the acquiring company in the case of a transfer of email addresses of customers of an online shop in the course of an asset deal, which was illegal under data protection law. "In asset deals, personal customer data is sometimes sold in breach of data protection law. In order to increase the sensitivity of companies, we will also punish violations with fines in other appropriate cases of this kind," said Thomas Kranig, President of the BayLDA.
If the customer is a natural person, one is dealing with "personal data", which may only be transmitted in accordance with data protection law.
The transmission of names and postal addresses of customers is relatively unproblematic from a data protection point of view. According to the will of the legislator, this so-called list data may in principle be transmitted for advertising purposes even without the prior consent of the person concerned, provided that the selling company documents the transmission. However, companies often possess much more data about their customers, such as telephone numbers, e-mail addresses, account and/or credit card data, and also frequently "purchase histories", i.e. information about the purchases made by customers. In practice, it can be observed that in the course of asset deals, such data also frequently change "owners". However, this is only permissible if the customers concerned have consented to the transfer of such data or have at least - already in advance - been made aware of the planned transfer, have been granted a right to object and have not objected.
"Companies and insolvency administrators must be aware that personal customer data may not be sold like any other commodity. Rather, this is only permitted in compliance with the requirements of data protection law," said the President of the BayLDA, Thomas Kranig.
Obviously, this is repeatedly violated in practice when companies are sold in the form of asset deals. This is evidenced by the complaints regularly received by the BayLDA from affected persons who, for example, have received e-mail advertising from a company previously unknown to them. In the complaint procedure, it often emerges in such cases that the advertising company acquired the customer data in the course of an asset deal.
For e-mail addresses and telephone numbers, there is the additional problem that the acquirer is not allowed to use this data for advertising purposes according to § 7 para. 2 no. 2 and no. 3 of the Unfair Competition Act (UWG) if - as is usually the case - he does not have the explicit advertising consent of the respective customer. Even the granting of a right of objection before the data transfer does not help to overcome this hurdle. If the acquirer uses the telephone number or e-mail address for advertising purposes without consent, he therefore violates both the UWG and the Federal Data Protection Act.
For the unlawful transfer of customer data, both the seller and the acquirer, as so-called "responsible entities", bear the responsibility under data protection law. The transferor "transfers" the data, while the acquirer "collects" the data. The unlawful transmission as well as the unlawful collection of personal data constitute administrative offences that can be punished with fines of up to € 300,000 depending on the facts of the case.
Source: Press release of the Bavarian State Office for Data Protection Supervision(BayLDA)
Goldberg Attorneys at Law 2015
Attorney at Law Michael Ullrich, LL.M. (Information Law)
Specialist lawyer for information technology law
E-mail: info@goldberg.de
