Germany's data protection authorities hand down a decision on M&A and GDPR

Germany

Decision of the DSK

In its recent decision, the DSK identifies the following case groups to provide guidance when dealing with data in the context of an asset deal:

  • Customer data for active contracts

    To execute the transfer of a contract, German civil law requires the consent of the contracting party. The DSK considers the data protection law consent for the transmission of data implicit in the civil law consent given for the transfer of the contract.

  • Existing customers without active contracts (i.e. last active contract more than three years ago)

    Customer data may be transmitted from contracts where the last active contractual relationship dates back to more than three years ago, but only for the purpose of adhering to mandatory legal retention periods.

  • Existing customers without active contracts (i.e. last active contract less than three years ago)

    If the contractual relationship with the customer dates back to less than three years, the data may be transferred with use of an opt-out mechanism. The DSK has suggested that a period of six weeks is reasonable for customers to object to the transfer. The mechanism should be easily accessible and simple, such as an online tick-the-box instrument.

    An exception applies to bank data, which can only be transferred with the express consent of the customer.

  • Future customers where contract negotiations are advanced

    In this scenario, the conditions are identical to existing customers without active contracts (last active contract less than three years ago).

  • Customers with outstanding claims

    Where outstanding claims are to be transferred, the transfer of associated customer data is generally permitted. This does not apply, however, if the assignment is excluded by an agreement with the customer.

  • Highly sensitive customer data

    Informed consent is always required for the transmission of highly sensitive data such as data concerning ethnicity, sexual orientation and political opinion. These "special categories of personal data" are listed in Article 9 (1) of the GDPR.

Evaluations and consequences

Despite the decision not having binding effect for courts as well as its controversy within the DSK, where it was rejected by Berlin and Saxony, overall the ruling has been welcomed by many in the legal and business communities as a significant step in the right direction. Despite the decision's minute disadvantages, it unquestionably provides guidance for the treatment of data in the practice of M&A transactions and asset deals.

Unfortunately, the ruling did not create case groups for suppliers' and employees' data. However, the rules given for customers are likely to be similar for suppliers. Furthermore, employee data can be transferred in the context of an asset deal within the scope of the obligation to inform pursuant to §613a (5) of the German Civil Code. Here too specific rules apply where highly sensitive employee data is concerned.

Typically, a pure share deal does not involve the transfer of customer, supplier or employee contracts, and thus the transfer of the corresponding data is not necessary.

From a practical point of view, however, guidance for the transmission of personal data in the lead-up to an asset or share deal is particularly necessary. A prospective buyer is regularly provided with data in the course of due diligence. At present, however, there has been no development in the decisions of authorities or courts in this area. As a result, CMS's previous statements continue to apply.

For more information on the impact of GDPR on asset deals and M&A transactions, feel free to contact one of the following local CMS experts: Dr. Axel FunkDr. Tobias Grau and Lena Stoll.