CORPORATE TRANSACTIONS AND THE GDPR: DATA PROTECTION OBSTACLES IN DUE DILIGENCE AND ASSET DEALS
The GDPR is not only omnipresent on the Internet, where “We use cookies” banners appear even on the websites of bakeries; it also has an impact on (almost) every area of law, including the transaction business. To illustrate this, two aspects are examined in more detail below: first, the data protection factors in due diligence in the preliminary stages of a sale, and second, the handling of personal data by the buyer after an asset deal. In both cases, a “standard market” approach has not yet developed.
I. General Data Protection Requirements under the GDPR
The GDPR (General Data Protection Regulation), as EU law directly applicable in Germany, contains most of the relevant data protection requirements. In some cases, however, there are national opening clauses, such as in Article 88 GDPR for special provisions in connection with the personal data of employees, for example § 26 Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG).
Pursuant to Article 6 (1) GDPR, any processing of personal data must be based on a permission to use (Erlaubnistatbestand) in order to be lawful. In this context, the term personal data is to be understood broadly and, according to Article 4 No. 1 GDPR, generally includes all information relating to a natural person who is at least identifiable. Accordingly, the provisions of the GDPR do not apply if the reference to a person is removed by anonymization. This can be done, for example, by blacking out the documents concerned. Merely pseudonymizing the data, however, is not sufficient. Data is merely pseudonymized if the reference to a person can be re-established through the use of further documents.
Processing within the meaning of Article 4 No. 2 GDPR is present in essentially any operation relating to personal data, such as the collection, recording or storage of such data. It is therefore easy to imagine that data processing within the meaning of the GDPR exists in many situations. As a corrective, however, the GDPR provides for relatively far-reaching permissions to use in Article 6 (1). Consent (the acceptance of cookies in the example above) is a typical permission to use.
Consent as a justification is likely to be ruled out on a regular basis in the context of an asset deal or due diligence with regard to personal data (e.g. of employees). This may be because the planned transaction is still to be kept confidential and the (comprehensive) obtaining of consent would conflict with this, or because blanket consent in general terms and conditions or employment contracts is not compatible with the requirements for consent under the GDPR and is therefore likely to be invalid. In principle, other grounds for justification must therefore exist.
The processing described above is always carried out by one or more data controllers within the meaning of Article 4 No. 7 GDPR. The controller is usually the legal entity or natural person who decides on the purposes and means of data processing. This person is the addressee of the regulations to be observed.
II. Possibilities and Justification in Due Diligence
In the course of a due diligence, the buyer and seller must first examine the relationship (under data protection law) between them. Often, both will be so-called joint controllers within the meaning of Article 26 GDPR. This is always the case if at least two data controllers jointly decide on the purpose and means of data processing. In this context, the transfer of data in the course of due diligence already constitutes a processing operation under data protection law. The consequence of such cooperation is, on the one hand, that the joint controllers must conclude a written agreement on this topic, in which, in particular, the transparency of the processing vis-à-vis the data subjects must be regulated. Such an agreement can probably be concluded together with the Letter of Intent that regularly precedes a due diligence. On the other hand, joint controllers are jointly and severally liable for damages resulting from unlawful data processing.
The justification for processing personal data in a due diligence is often likely to be the protection of the legitimate interests of the responsible parties (Article 6 (1) subpara. 1 f) GDPR). However, it must be analyzed in each individual case which data is actually necessary and which data may only be provided in anonymized form. The effort required for such anonymization should not be underestimated.
Whether the persons affected by the data processing have to be informed about the data processing and the joint responsibility within the scope of a due diligence, as generally provided for by the GDPR, has not been clarified; however, it is sometimes argued that this may not be required.
III. Handling of Personal Data after Completion of an Asset Deal
As a rule, a company is sold either by way of an asset deal (sale of all assets and economic goods) or a share deal (sale of the shares in a company). The topics addressed below only relate to an asset deal, as the data controller remains the same person in the case of a share deal.
With regard to the handling of personal data after the execution of an asset deal, a distinction must be made in particular between two groups of persons typically affected.
The first group affected by an asset deal is the employees of the company sold. An asset deal usually constitutes a transfer of business (Betriebsübergang) within the meaning of § 613a German Civil Code (Bürgerliches Gesetzbuch – BGB), in which the buyer generally assumes the obligations of the seller as employer. In this context, a transfer of employee data is likely to be necessary. However, the transfer of the business as such does not yet constitute a justification under data protection law for the transfer of the personal data. Rather, a permission can arise either from consent or from a works agreement (Betriebsvereinbarung) pursuant to § 26 para. 2 BDSG. If neither consent nor a works agreement exists, the disclosure of personal data may also be justified pursuant to § 26 para. 1 BDSG or Article 6 (1) subpara. 1 f) GDPR because the data processing is necessary. In order to check whether the processing of data is necessary, the interests of the data subjects must always be weighed against those of the person processing the data.
In addition to employee data, the seller’s customer data is also regularly at stake – this is often likely to be one of the main incentives for the transaction.
In the case of customer data, a distinction is generally made under data protection law between the data of customers with current contracts and data of old or existing customers. In principle, the transfer of customer data is likely to be justified in accordance with Article 6 (1) subpara. 1 b) GDPR for the purpose of fulfilling the contract if the customer is one with whom a continuing obligation exists that has not been terminated.
In other respects, justification is more difficult. Data from existing customers – i.e., those for whom the last “active” contractual relationship was 3 or more years ago – may generally only be disclosed in order to comply with statutory retention periods. In the case of existing customers whose last contractual relationship was less than 3 years ago, the transfer should be permissible pursuant to Art. 6 (1) subpara. 1 f) GDPR if the respective customers are notified in advance and are given the opportunity to object within a reasonable period of time (6 weeks should generally be appropriate).
In some cases, it is also argued that if the “entire” business is sold, such an option to object is not necessary.
However, it is still unclear which direction the courts will take with regard to data protection regulations in the case of an asset deal, so that in case of doubt, it is better to offer one too many options for consent or objection than too few.
IV. Consequences of Violations
Successfully asserting a claim for damages on the part of data subjects whose data has been processed unlawfully is often likely to be difficult, as the aggrieved party bears the burden of proving the damage, which is likely to be very difficult to discharge. That the data protection regulations are nevertheless no blunt sword in the transaction business is shown by the fact that the respective supervisory authorities make use of the possibility to impose fines in the event of violations. This is clearly demonstrated by the example of the Bavarian State Data Protection Office, which imposed a five-digit fine on both the seller and the buyer in connection with an asset deal – despite the fact that the GDPR was not yet in force – because e-mail addresses of customers were not transferred in compliance with data protection law during the sale of an online store.
V. Conclusion
Data protection is also an issue in transactions and, as the fines imposed show, a highly relevant and explosive one.
However, there are still no clear guidelines on how to deal with these regulations in corporate transactions. It will therefore probably always depend on the individual case, and it will be necessary to examine precisely which personal data may be processed, to what extent and in what manner, in order not to be exposed to an excessive liability risk.