Asset Deal Data Protection DSK Resolution | IT-Medienrecht

Learn how DSK's new resolution impacts data protection in asset deals vs. share deals. Protect your company during acquisitions. All infos.

New DSK Resolution: Data Protection Guidelines for Asset Deals

When acquiring companies, buyers generally have two options: the asset deal and the share deal. This distinction is particularly important for digital companies, such as Amazon stores or SaaS services. In an asset deal, individual assets and obligations are acquired, while in a share deal, the company shares themselves change hands.

This differentiation has far-reaching consequences under data protection law, which both founders and potential investors must consider. An asset deal requires careful examination and handling of personal data, as these must be transferred individually. In contrast, with a share deal, the legal entity remains unchanged, simplifying the data protection situation.

DSK Resolution on Data Transfer in Asset Deals

On September 11, 2024, the Conference of Independent Federal and State Data Protection Supervisory Authorities (DSK) adopted a landmark resolution concerning the transfer of personal data in asset deals. This resolution offers detailed guidance for the data protection-compliant implementation of company takeovers, replacing the previous version from May 24, 2019.

The new resolution addresses the growing importance of digital business models and their associated data protection challenges. It specifically considers the unique characteristics of online services, e-commerce platforms, and SaaS offerings. A thorough understanding of these regulations is crucial for founders and investors in these sectors to minimize legal risks and maintain user trust.

Key Aspects of the DSK Decision

The DSK resolution outlines several critical areas for data protection compliance in asset deals:

  1. Due Diligence Phase

    The transfer of personal data prior to contract conclusion is generally prohibited during the due diligence phase. This rule aims to protect sensitive information early in the sales process. Exceptions apply only with voluntary consent or a legitimate interest for data of particularly prominent individuals.

    For digital companies, this means handling customer data with extreme care when screening potential buyers.

  2. Customer Data

    Data transfer is generally permitted for ongoing contracts. This is especially relevant for SaaS providers and online store operators who often maintain long-term customer relationships. For terminated contracts, an order processing agreement is required.

    Using data for advertising purposes is subject to strict regulations, particularly for electronic communication. These provisions ensure that customer data is not misused and user privacy is protected.

  3. Employee Data

    In cases of transfers of undertakings under Section 613a BGB, data transfer is generally permitted. This is crucial for growing startups looking to transfer their entire team as part of an exit or takeover. In other scenarios, individual agreements or consents are necessary.

    The protection of employee rights and their personal data remains paramount.

  4. Special Categories of Data

    Explicit consent is always required for sensitive data, such as health information. This provision significantly impacts e-health startups and other digital companies dealing with sensitive health data.

    Protecting this particularly sensitive information is a top priority.

  5. Responsibilities

    The transferor is responsible for the data transfer, while the transferee is responsible for subsequent processing. This clear allocation of responsibilities enhances legal certainty and helps prevent potential conflicts.

    Digital companies must establish clear processes and define responsibilities for both the sale and the purchase.

Practical Innovations of the New Resolution

The new DSK resolution introduces significant changes compared to previous guidelines. A major innovation is the more detailed regulation of various scenarios, providing companies with greater clarity and certainty in their operations.

For example, when transferring former customer data to fulfill legal retention periods, a strict separation from active customer data – referred to as a "two-cabinet solution" – is now explicitly required. This is highly relevant for digital companies that often manage large volumes of historical customer data.

Special regulations have been implemented for micro-enterprises (fewer than 10 employees) and small enterprises (fewer than 50 employees and an annual turnover of no more than 10 million euros). These allow customer data to be transferred as a single asset under specific circumstances, benefiting small online stores and digital service providers.

The use of transferred data for advertising has been clarified, especially concerning electronic communication and compliance with the German Unfair Competition Act (UWG). This is critical for e-commerce companies and digital marketing agencies. Additionally, specific rules permit the transfer of bank data in certain cases without explicit consent.

The resolution also includes regulations for transferring data from suppliers and their employees, which was not explicitly addressed in previous versions.

Legal Implications for Company Founders and Investors

For founders and potential buyers of digital companies like Amazon stores or SaaS services, the DSK decision carries significant legal implications. It is imperative to integrate data protection into the acquisition process from the outset. This means considering data protection aspects even during the planning phase of an exit or takeover.

Strict compliance with these requirements is essential, especially for digital business models whose value often relies heavily on customer data and relationships. Early engagement of data protection experts and specialized lawyers is strongly recommended to minimize potential risks and ensure a legally compliant transition.

Founders should already consider the possibility of a future exit when developing their business models and design their data protection practices accordingly. Investors, during due diligence, must pay particular attention to the target company's data protection practices to identify potential risks and liabilities.

Conclusion

The new DSK resolution brings greater clarity for companies involved in asset deals but also imposes higher demands on data protection. For founders and investors in the digital sector, it is crucial to carefully examine these new regulations and adapt their processes accordingly. This proactive approach ensures compliance and helps avoid potential sanctions.

While implementing these new requirements may seem complex initially, it offers long-term legal certainty and strengthens the trust of customers and business partners. This constitutes a competitive advantage in the digital economy that should not be underestimated. Companies should view the implementation of these regulations as an opportunity to optimize their data protection practices and position themselves as trustworthy players in the digital market. Ultimately, a proactive stance on data protection not only minimizes legal risks but also contributes to value creation by enhancing user trust and increasing the company's attractiveness for potential investors or buyers.