In a press release on 30 July 2015, the Bavarian
data protection authority (DPA) announced that it had recently
fined both seller and purchaser for unlawfully transferring
customer data as part of an asset deal.
Customer data often have a significant economic value for
businesses, particularly because they make it possible to deliver
targeted advertising to customers. It frequently happens that a
company tries to sell these high-value assets to another company as
part of an asset deal. Similarly, insolvency administrators
typically seek to commercially exploit customer data, which often
constitute the only relevant value of the insolvent company.
Two companies had to learn from the German regulator that care
should be taken in this respect. According to the Bavarian DPA,
transferring customer email addresses requires prior customer
consent or, alternatively, customers must be informed of the intent
to carry out such a transaction beforehand to give them the
opportunity to object. Because the companies failed to take such
steps, the regulator alleged violations of Germany's data
protection law when the acquiring company subsequently used the
customer information for advertising purposes. While the total
amounts of the fines remain undisclosed, the regulator confirmed
they were both five-figure sums and emphasised that the penalties
were significant and incontestable.
The regulator also made expressly clear that it intends to
increase the awareness of market players by continuing to take
action against privacy breaches of this kind by fining
transgressors. Further, the Bavarian DPA pointed out that it has
been made aware of various other similar cases where personally
identifiable customer data were sold in breach of data protection
Against this background, it is important to note that companies
and insolvency administrators must be aware that personal customer
data may not be treated and sold like any other commodity or asset.
Rather, this is only permitted in compliance with data protection
requirements. Both the acquiring company and the seller are
considered 'controllers' within the meaning of European data
protection laws and may therefore be held liable for compliance.
The unauthorised transmission of personal data constitutes a legal
offence that is punishable with a fine of up to €300,000.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.