I often accompany startups in so-called asset deals. Broadly speaking, these are contracts in which, for example, an online project, a computer game or other rights and content are sold to another party, rather than only the shareholders of the corporation operating the project changing. This is often the case, for example, when a limited liability company operates more than one project and therefore does not want to sell the entire corporation.
In addition to various aspects of company law and tax law, full compliance with copyright and trademark law is also required. The problems arising from data protection law are easily forgotten. They arise, for example, if user data is also to be purchased, so that the purchaser does not just buy an empty shell. If the general terms and conditions (GTC) were not carefully drafted in advance, this can even make an asset deal quite impossible. But even with good terms and conditions, there are some requirements to consider.
The Conference of Independent Federal and State Data Protection Supervisory Authorities has agreed on a catalog of case groups that must be taken into account in an asset deal in the context of the balancing of interests pursuant to Art. 6 para. 1 sentence 1 lit. f in conjunction with para. 4 GDPR.
The case groups are:
1. Customer data for current contracts
In this case, the transfer of the contract requires the customer’s consent under civil law.
2. Existing customers without current contracts and last contractual relationship older than 3 years
Data of existing customers for whom the last active contractual relationship dates back more than 3 years are subject to a restriction on processing by an acquiring body.
This data may be transmitted, but it may be used only on account of statutory retention periods.
3. Data of customers with advanced contract initiation; existing customers without current contracts and last contractual relationship less than 3 years
Data of such customers are to be transmitted in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR by means of an objection solution (opt-out model) with a sufficiently reasonable objection period. However, bank data are excluded from transfer by means of the objection solution and can only be transmitted with the express consent of the customer.
4. Customer data in the case of outstanding claims
The transfer of outstanding claims against customers is governed by civil law in accordance with Sections 398 et seq. BGB and constitutes an assignment of claims. In this context, the assignor may transfer data to the assignee on the basis of Art. 6 para. 1 sentence 1 lit. f GDPR.
5. Customer data of a special category in accordance with Art. 9 para. 1 GDPR
Such data may only be transferred by means of informed consent in accordance with Art. 9 para. 2 lit. a, Art. 7 GDPR.
Even if the decision was not co-sponsored by the Berlin Commissioner for Data Protection and Freedom of Information and the Saxon Data Protection Supervisor, the listing certainly makes sense in order to clarify, in advance of negotiations, everything that must be thought of. In principle, the contractual details should only be worked out with experienced help. Game developers, software providers or other service providers are welcome to inquire with me without obligation via my contact form, so that we can work out the costs of a consultation and the sensible course of action.