Home Knowledge Mergers & Acquisitions – Data Protection Clampdown?

Mergers & Acquisitions – Data Protection Clampdown?

September 8, 2015
Partner
Leo Moore

 

A German data protection authority has fined both parties in an M&A deal for breach of data protection law. 

The Data Protection Authority of Bavaria has imposed five figure fines on the seller and purchaser for the unlawful transfer of customers’ email addresses held by an online store as part of an asset acquisition process.

The German Authority acknowledged the significant value that customer data can have to companies, and that both companies and insolvency practitioners may seek to realise the economic value in such data.  However, the transfer of email addresses, phone numbers and credit card details requires either the prior consent of the relevant customer or notification of the intended transfer to the customer thereby allowing them an opportunity to object.

The German Authority pointed out that as both parties in this case qualified as data controller, both had an obligation to ensure compliance with data protection requirements.

In the Irish context, the Data Protection Commissioner has provided guidance to the effect that any personal data must generally be anonymised prior to disclosure to a prospective buyer as in most cases there is no basis under Irish data protection law for the release of such information at due diligence or pre-completion stage.  Following the sale of a business, where personal data continues to be processed by the new owner, the purchaser should ensure that previously obtained customer consents allow for the transfer and such continued processing.

The decision highlights the importance of data protection in the M&A context.  The German Authority stated that as a result, it will pay closer attention to compliance in respect of M&A deals and will monitor and fine companies accordingly in the future.  It will be interesting to see if the Data Protection Commissioner and other EU regulators follow suit.  Companies should carefully analyse the data which they hold in order to determine what data can be transferred and what measures must be taken in order to legitamise such a transfer.

Contributed by: John Magee

Recommended Insights

See all
Article and Insights
1
Feb 2024
Responsible Business Annual Report 2023
William Fry is pleased to launch its Responsible Business Annual Report 2023.
Article and Insights
2
Feb 2024
Digital Operational Resilience Act – second batch of technical standards launched for consultation
We focus on the second batch of draft implementation measures announced by the Eur...
WF_author_blank
Partner
John O’Connor
Article and Insights
2
Feb 2024
John Delaney Documents – Supreme Court Refuses Leave to Appeal
The Supreme Court has refused leave to appeal from a decision rejecting John Delan...
WF_author_blank
Partner
Deirdre O’Donovan
Article and Insights
24
Jan 2024
Cross-Examining Affidavit Evidence in Insolvency Cases
The High Court recently dismissed a petition seeking the winding up of a biofuel c...
WF_author_blank
Partner
Fergus Doorly
prev
next
See all