National Insights: Data Protection Challenges In Asset Deals – A Professional Perspective

Dec 18, 2024

On 11 September 2024, the German Data Protection Conference (DSK)[1] adopted a groundbreaking resolution on the processing of personal data in asset deals[2]. This article aims to provide an understanding of the main challenges under data protection law when transferring data in the context of company disposals.

Asset deals compared to share deals

An asset deal involves the transfer of individual assets, such as customer bases, machines or trademark rights. Unlike a share deal, in which the company shares are transferred, there is often also a change of Controller under data protection law. This leads to specific requirements with regard to data transfer, which are set out in detail in the DSK’s decision.

Legal bases and data transfer scenarios

The DSK resolution divides the transfer of data in asset deals into different scenarios:

  1. Pre-contractual phase (due diligence)
    • The transfer of personal data is generally not permitted unless the data subject has given their express consent or a legitimate interest can be demonstrated in accordance with Art. 6 para. 1 lit. f GDPR.
  2. Customer data
    • Ongoing contractual relationships: The transfer of this data is possible on the basis of Art. 6 para. 1 lit. b GDPR if it is necessary for the fulfilment of the contract.
    • Terminated contractual relationships: Data that is only archived may only be passed on within the framework of a data processing agreement (Art. 28 GDPR).
    • Special categories of personal data (e.g. health data) always require explicit consent in accordance with Art. 9 para. 2 lit. a GDPR.
  3. Employee data
    • In the event of a transfer of business, the transfer of personal data is permitted in accordance with Art. 6 para. 1 lit. b GDPR if this is necessary for the fulfilment of the employment contract.
    • Pre-contractual disclosure is only possible with consent.
  4. Supplier data
    • The transfer is generally permitted, provided that there are no overriding legitimate interests of the data subjects (Art. 6 para. 1 lit. f GDPR).

Important data protection requirements

Both the transferor and the transferee are obliged to inform the data subjects in good time about the processing of their data in accordance with Art. 14 GDPR. Care must be taken to ensure that the information is formulated clearly and comprehensibly. The deadline for fulfilling this obligation is usually one month. Archive data must not be mixed with active customer data in order to avoid confusion and data breaches. This can be achieved, for example, through the so-called “two-cabinet solution”, which ensures a clear separation between archived and active data. At the same time, technical and organisational measures (TOMs) must be implemented in accordance with Art. 32 GDPR to ensure the security of data transmission and processing. These include the use of encryption technologies, access management and regular security exercises to identify and eliminate potential vulnerabilities at an early stage.

Explicit consent is of central importance when processing sensitive data. It provides a clear legal basis to ensure that data subjects give their consent to processing. For other categories of data, companies should always ensure that data subjects are given the opportunity to object. This allows data subjects to retain control over their personal data and exercise their rights.

Practical implementation for Data Protection Officers

The practical implementation of data protection requirements in asset deals requires a structured approach and close coordination between the parties involved. Data Protection Officers should already be involved in the planning phase in order to identify and minimise potential risks at an early stage.

A comprehensive risk assessment is a crucial first step. In particular, the categories of data affected, the planned processing operations and compliance with legal requirements should be analysed. Data Protection Officers should ensure that the transferor and transferee have clear contractual arrangements in place, particularly in the form of data processing agreements (DPAs) in accordance with Art. 28 GDPR.

Furthermore, it is essential that the data subjects are informed in a timely and comprehensive manner. The obligation to provide information in accordance with Art. 14 GDPR must not only be formally fulfilled, but must also be designed in such a way that the data subjects can understand the processing of their data.

Another central point is the monitoring of technical and organisational measures (security of processing). This is not only about the security of data transmission, but also about ensuring an appropriate level of data protection at all times. Regular audits and checks are necessary to ensure that both parties fulfil their obligations.

Finally, the entire process should be documented. Complete documentation is not only important from a legal perspective, but also provides the basis for optimising future projects. Data Protection Officers should ensure that all relevant steps, decisions and measures are recorded in a comprehensible manner.

Conclusion

The data protection-compliant implementation of an asset deal requires detailed planning and close cooperation between sellers, buyers and Data Protection Officers. The DSK resolution provides valuable guidance in this regard and emphasises the importance of legally compliant data transfer.

Source: Resolution of the Data Protection Conference of 11/09/2024 (https://www.datenschutzkonferenz-online.de/media/dskb/dskb_20240911_assetdeals.pdf).

[1] The Data Protection Conference (DSK) consists of the independent data protection authorities of the federal and state governments. It has the task of safeguarding and protecting fundamental data protection rights, achieving uniform application of European and national data protection law and jointly advocating its further development. This is done in particular through resolutions, decisions, guidance, standardization, statements, press releases and specifications.

[2] https://datenschutzkonferenz-online.de/media/dskb/2024-09-11_Beschluss%20DSK_%20Asset_Deals.pdf

Author: Regina Mühlich, Managing Director of AdOrga Solutions GmbH, Data Protection and Compliance Expert; Member of the Board of the Professional Association of Data Protection Officers in Germany (BvD) e.V.
