Two cabinets are required—the transfer of customer data in compliance with data protection laws when buying or selling business operations as an asset deal

There are two ways to buy or sell a business:

- Either you buy or sell the company’s shares (known as a “share deal”), or
- You buy or sell the individual tangible and intangible assets used in the company’s business operations (known as an “asset deal”).

An asset deal is often chosen instead of acquiring shares in a company when the buyer does not wish to assume the company’s debts and risks, or when other factors (such as the business being a retail operation or the intention to acquire only a portion of the business) support such an asset deal. The primary focus is then on the purchase of assets, intellectual property rights, the transfer of employees, and, in particular, the transfer of customer relationships. Especially for companies in the service sector, law firms, and medical practices, customers or patients often represent the primary value of the business.

In transaction practice, we have observed that when buying or selling customer and patient data, it is often overlooked that this data is protected by the General Data Protection Regulation (GDPR). Therefore, before transferring personal data—which always includes all data pertaining to natural persons in the customer/patient database—the customer’s or patient’s consent to the disclosure of their data must be obtained.

Why must customers/patients consent before their personal data is transferred?

According to Article 6(1)(a) of the GDPR, the processing of personal data is lawful with the prior consent of the data subject. Conversely, this means that the transfer of personal data to the buyer without the prior consent of the customers or patients is unlawful.

Additionally, pursuant to Article 9(2)(a) of the GDPR, the patient must expressly give their prior consent to the processing of their data for one or more specified purposes. Before their data is transferred to the buyer, patients must therefore be contacted in writing by the seller, who must specify the purpose—namely, the transfer of their data to the buyer—and the seller requires specific confirmation from the patient consenting to the transfer of their data.

Why shouldn’t I simply ignore the GDPR prohibition and unlawfully disclose customer/patient data?

A substantial fine is imposed for violations.

As early as 2015, for example, the Bavarian State Office for Data Protection and Freedom of Information imposed a total six-figure fine for unauthorized data transfer as part of an asset deal. This occurred before the GDPR came into effect; the GDPR establishes stricter rules than the previously applicable Federal Data Protection Act and allows for significantly higher fines than was the case in 2015.

Am I inevitably stuck with the data if my clients/patients do not respond to my information letter?

No, there is the “two-cabinet solution” for this.

Customer or patient data is divided into two categories: data from individuals who have not consented to the transfer, and data from individuals who have consented to the transfer.

Cabinet No. 1 stores all data from individuals who have not expressly consented to the transfer to the buyer. The cabinet is “locked”—or, in the case of digital storage, password-protected—and the buyer may only “unlock” the cabinet and retrieve a person’s data once they have received that person’s consent.

Cabinet No. 2 contains all data from individuals who have already given their consent to the data transfer. Data from individuals in Cabinet No. 1 is transferred to Cabinet No. 2 as soon as the consent of the data subject has been obtained.

This works with paper files in a doctor’s office that hasn’t been digitized yet, but also with modern digital databases on servers.

But I read online that I can choose the “opt-out” option…

That is incorrect. According to the resolution of the Conference of Independent Data Protection Supervisory Authorities of the Federal Government and the States (DSK) dated September 11, 2024, the so-called “opt-out solution” may no longer be used in asset deals, since, unlike in previous years, the resolution no longer presents it as a possible and permissible approach. Exceptions apply in individual cases involving the pure assumption of contractual claims from customers: here a balancing of interests must be performed, according to which an opt-out solution is possible in individual cases. The DSK brings together all data protection authorities in the Federal Republic of Germany to coordinate how they uniformly handle certain legal issues. It can therefore be assumed that the data protection authorities will no longer recognize the opt-out solution, which was considered permissible until the new resolution, as lawful.

With regard to patient data, the opt-out solution was already inadmissible prior to the DSK’s recent decision in 2024, as the opt-out solution previously deemed admissible by the DSK was based on Art. 6(1)(f) GDPR, which cannot be invoked as a justification for patient data or other health data.

For other personal customer data, prior to September 11, 2024, active customers could be informed about the data transfer to the buyer and given the opportunity to object within a reasonable period. If no objection was received within the deadline, the customer data could be transferred. However, since September 11, 2024, this approach to the transfer of personal customer data is no longer permissible according to the DSK’s clear guidance.

Nevertheless, we still see numerous asset deal agreements in which this opt-out solution is currently being implemented. Anyone who continues to use such an opt-out solution runs a significant risk of being penalized by the authorities with a substantial fine in the event of customer complaints, whether as a seller or a buyer. Such contractual structures should therefore be avoided at all costs.

We would be happy to advise you on how to implement the “two-cabinet” solution in an asset deal in a manner that complies with the law.

 

 

 

Date: 1. Dec 2025