German DPA Fines Two Companies for the Unlawful Transfer of Customer Data as Part of an Asset Deal

On July 30, 2015, the Bavarian Data Protection Authority (“DPA”) issued a press release stating that it imposed a significant fine on both the seller and purchaser in an asset deal for unlawfully transferring customer personal data as part of the deal.

In the press release, the DPA stated that customer data often have significant economic value to businesses, particularly with respect to delivering personalized advertising. If a company terminates its business, it may sell its valuable economic assets, including customer data, to another company as part of an asset deal. In addition, insolvency administrators may try to sell the customer data maintained by the business during the insolvency process.

According to the press release, the Bavarian DPA fined both the seller and the purchaser for unlawfully transferring email addresses of customers of an online shop. The exact amounts were not announced, but the press release mentions that the fines were upwards of five figures.

The DPA also stated that transferring customer email addresses, phone numbers, credit card information and purchase history requires prior customer consent or, alternatively, customers must be given prior notice about the intent to transfer such personal data so they have an opportunity to object to the transfer.

Since the seller and the purchaser failed to obtain customer consent or give the customers an opportunity to object, the DPA found both companies in violation of German data protection law. The DPA also pointed out that both seller and purchaser are “data controllers” and thus have broader responsibilities than data processors under German data protection law.

In addition, the DPA stated that it will act similarly in future cases and will fine companies that sell customer data in a non-compliant manner during asset deals.
