There are basically two options available to buyers when acquiring companies: the asset deal and the share deal. This distinction is particularly important for the acquisition of digital companies such as Amazon stores or SaaS services. In an asset deal, individual assets and obligations of the company are acquired, whereas in a share deal, the company shares themselves change hands. This differentiation has far-reaching consequences under data protection law, which both founders and potential investors must take into account. The asset deal requires careful examination and handling of personal data, as these must be transferred individually. In a share deal, on the other hand, the legal entity remains unchanged, which simplifies the data protection situation.
New DSK resolution: Data protection guidelines for asset deals
On September 11, 2024, the Conference of Independent Federal and State Data Protection Supervisory Authorities (DSK) adopted a landmark resolution on the transfer of personal data in the context of asset deals. This resolution provides detailed guidance for the data protection-compliant implementation of company takeovers and replaces the previous version of May 24, 2019. The new resolution responds to the increasing importance of digital business models and the associated data protection challenges. In particular, it takes into account the special features of online services, e-commerce platforms and SaaS offerings. A thorough understanding of these regulations is essential for founders and investors in these areas in order to minimize legal risks and maintain user trust.
Key aspects of the decision:
1. Due diligence phase: The transfer of personal data prior to the conclusion of a contract is generally not permitted. This regulation is intended to ensure the protection of sensitive information at an early stage of the sales process. Exceptions only exist in the case of voluntary consent or legitimate interest for data of particularly prominent persons. For digital companies, this means that they must handle customer data with particular care when screening potential buyers.
2. Customer data: For ongoing contracts, data transfer is usually permitted. This is particularly relevant for SaaS providers or operators of online stores, who often maintain long-term customer relationships. An order processing contract is required for terminated contracts. Use for advertising purposes is subject to strict regulations, particularly in the case of electronic communication. These provisions are intended to ensure that customer data is not misused and that the privacy of users remains protected.
3. Employee data: Transfer is generally permitted in the case of transfers of undertakings in accordance with Section 613a BGB. This regulation is particularly important for growing start-ups that may wish to transfer their entire team as part of an exit. In other cases, individual agreements or consents are required. The protection of employee rights and their personal data is paramount here.
4. Special categories of data: Explicit consent is always required for sensitive data such as health information. This provision is particularly relevant for e-health start-ups or other digital companies that work with sensitive health data. The protection of this particularly sensitive information is a top priority.
5. Responsibilities: The transferor is responsible for the data transfer, the transferee for the subsequent processing. This clear assignment of responsibilities is intended to create legal certainty and avoid potential conflicts.
For digital companies, this means that they must define clear processes and responsibilities for both the sale and the purchase.
Practical innovations:
The new DSK resolution brings with it some important changes compared to previous opinions. One major change is the more detailed regulation of various scenarios, which offers companies more clarity and certainty in their actions. When transferring data of former customers to fulfill legal retention periods, a strict separation from active customer data is now explicitly required, which is referred to as a “two-cabinet solution”. This regulation is particularly relevant for digital companies that often manage large volumes of historical customer data. For micro-enterprises with fewer than 10 employees and small enterprises with fewer than 50 employees and an annual turnover of no more than 10 million euros, special regulations have been introduced that allow customer data to be transferred as a single asset under certain circumstances. This can be particularly important for small online stores or digital service providers. The use of transferred data for advertising purposes has been clarified, particularly with regard to electronic communication and compliance with the UWG. This is particularly important for e-commerce companies and digital marketing agencies. In addition, specific rules have been introduced for the transfer of bank data, which is now possible in certain cases without explicit consent. The resolution now also contains regulations on the transfer of data from suppliers and their employees, which was not explicitly addressed in previous versions.
Legal implications for company founders and investors:
For founders and potential buyers of digital companies such as Amazon stores or SaaS services, the DSK decision has significant legal consequences. It is imperative that data protection is integrated into the acquisition process from the outset. This means that data protection aspects must already be taken into account in the planning phase of an exit or takeover. Strict compliance with these requirements is essential, especially for digital business models whose value is often largely based on customer data and relationships. Early involvement of data protection experts and specialized lawyers is strongly recommended in order to minimize potential risks and ensure a legally compliant transition. Founders should already consider the possibility of a future exit when developing their business models and design their data protection practices accordingly. Investors must pay particular attention to the data protection practices of the target company during due diligence in order to identify potential risks and liabilities.
Conclusion:
The new DSK resolution creates more clarity for companies in asset deals, but also places higher demands on data protection. It is essential for founders and investors in the digital sector to carefully examine these new regulations and adapt their processes accordingly. This is the only way they can act compliantly and avoid potential sanctions. Implementing the new requirements may seem complex at first, but in the long term it offers more legal certainty and can strengthen the trust of customers and business partners – a competitive advantage in the digital economy that should not be underestimated. Companies should see the implementation of these regulations as an opportunity to optimize their data protection practices and position themselves as trustworthy players in the digital market. Ultimately, a proactive approach to data protection can not only minimize legal risks, but also contribute to value creation by strengthening user trust and increasing the attractiveness of the company for potential investors or buyers.