GDPR in the Transfer of a Business
When transferring a business, a considerable amount of personal data is often involved. This data can relate to customers, suppliers, employees, and other parties such as bankers, insurers, tenants, or landlords of the business.
The question arises whether explicit consent from customers is required when transferring a business's assets. Customers typically receive the same service from the new operator and are usually informed through a simple letter or email, merely for notification. Customers will generally notice the transfer by the change in the VAT number, although the name, business address, and contact person may remain the same.

Tracking Data with GDPR
Since the introduction of GDPR, there’s been much more focus on data tracking, and the general rules remain applicable when transferring a business. Customers of a business have the right to access, correct, and delete their personal data, regardless of a transfer.
The new owner steps into the shoes of the former owner and becomes the new "data controller" in GDPR terms.
According to the most common interpretation in the acquisition market, it's sufficient that both the old and new operators ensure the legal processing of personal data based on original consent, the execution of an agreement, or a legitimate interest. Therefore, new explicit consent from customers (or other stakeholders) regarding the transfer of a business seems unnecessary.
However, there are two nuances:
- During the acquisition process, due diligence should investigate whether all data were correctly collected and processed by the seller. If so, no consent from those involved is needed. If not, you’ll need to ask for consent to further process the data.
- Even if all data were correctly collected and processed by the seller, you must inform those involved that their data are now being processed by another controller. It’s best to write to them by email, indicating that you will process their data in the exact same manner as the old data controller.
Preparing for a Company Sale: GDPR as a Key Focus
The implementation of GDPR likely hasn't gone unnoticed by anyone. Less well known is that its scope also has implications when preparing to sell your company.
What should you consider when providing potential buyers with information about your company? What will the buyer particularly focus on during due diligence, and how should you best prepare?
Importance of GDPR
Processing of Personal Data
The GDPR contains rules for any 'processing' of 'personal data'. All data concerning B2C clients are, of course, 'personal data'. However, this also applies to all information about employees and contact persons at suppliers and B2B clients. 'Processing' includes any use of personal data: from collection to deletion and from mere transfer to access.
Transfer of and access to personal data of employees and (contact persons at) clients and suppliers to potential buyers and their advisors as part of a company sale must therefore comply with all GDPR rules. In addition, it's crucial for the buyer to assess how 'GDPR-compliant' you are. Only then can they be sure that they can continue using the personal data acquired in the transaction in the future. Non-compliance will also impact the acquisition price, as the buyer will want to build in a safety margin for the measures they themselves will have to take and for any potential fines.
Share Deal or Asset Deal
Unlike a share deal, where only the shareholding changes, an asset deal involves transferring personal data, which form part of the sold assets, to a new owner, the buyer (the 'data controller' under GDPR). Such a transfer of personal data to a new owner entails significant obligations under GDPR that don’t initially apply in a share deal.
Data Room
Informing?
It’s usually unnecessary to ask for consent from individuals whose data you transfer as part of a sale. The transfer will often be justified based on the (albeit to be documented) legitimate interest of the involved company.
Individuals involved always have the right to know how and why their personal data is used. Ensure that the transfer of personal data as part of a share sale is standard in your privacy statements for employees, clients, and suppliers.
Minimizing
You may only transfer personal data that is necessary and relevant for due diligence. The extent and detail of the information must always be aligned with the phase of the acquisition process.
The Belgian Data Protection Authority (DPA) advises that in the initial phase, when there are multiple potential buyers, only general and aggregated information (read: anonymous data) should be made available. As more potential buyers drop out, you can then release more information. Specifically, this means that you must make models (of employment and customer agreements) available, possibly supplemented with a list of specific clauses used, instead of individually signed agreements.
Organizing
Using a professional data room significantly reduces the risk of data leaks. Always engage service providers whose data room and privacy policies meet all standards for protecting that information.
For instance, it’s customary for a data room to provide for encryption of personal data, restricted access (on a 'need-to-know' basis), access control, limited printing, deleting, and downloading functionalities, and so on. Don’t forget to enter into a data processing agreement with the data room provider. In the confidentiality agreement with potential buyers (and their advisors), include provisions regarding who gets access and what happens to personal data after the due diligence process has ended.
Also implement the necessary procedures for handling data leaks and ensure that all parties involved in or having access to the data room are aware of these procedures, for example, by including them in a processing and confidentiality agreement. Start preparing the data room in good time and seek assistance from a GDPR expert in this matter.
Due Diligence and Contract
Be Prepared
A potential buyer will investigate the purposes for which you process personal data. The sector in which you’re active plays an important role in this. For example, in the automotive sector, a chassis number is considered personal data. If you’re active in the IT sector, IP addresses will also be personal data.
The register of processing activities is a good barometer for the buyer of the company’s maturity in data protection and will therefore often be one of the first things requested. They will also ask questions about the legitimate processing of personal data, purposes, the implementation of procedures for exercising data subjects' rights, the location of personal data, data processing agreements and joint data controller agreements, the security of personal data, the appointment of a data protection officer (DPO), etc.
Data Protection as Culture
It’s also important for the buyer whether data protection is part of your culture and whether the measures you’ve taken are more than a one-time effort aimed at due diligence. They will verify whether the established procedures are effectively applied in practice and whether there have already been incidents in the past, such as a data breach or an investigation by the DPA.
Statements and Indemnifications
Today, a general guarantee stating that the target complies with applicable legislation is often still used to cover risks under data protection legislation as well.
However, the buyer will increasingly require you to explicitly guarantee that the company has implemented its data protection policy, privacy statements, adequate procedures and security measures, and is not aware of data breaches or related complaints, etc.
For specific risks (complaint, data breach, ...) that due diligence has raised, the buyer will often also request specific indemnification.
Seller's Interests
As a seller, you have an interest in clear agreements regarding your continued responsibility and the buyer's subsequent use of personal data. It cannot be ruled out that you could be (co-)liable for uses of that personal data by the buyer that are incompatible with the purposes for which you initially collected them.
Example of a GDPR Text in an Acquisition
Dear Contact (customer / prospect),
We are writing to inform you about the latest developments in our company. As you may be aware, we have found a new owner. The transaction is expected to be completed in the coming weeks.
As part of this transaction, the administration, including your personal data (such as name, surname, address, email address, date of birth, nationality, and previous bookings), will be transferred to the new owner of the company. This transfer is based on our and the new owner's legitimate interests to ensure proper execution of the transaction. If you have objections and/or concerns about this transfer, please let us know before ../.../... via email at (email address).
If you object to this transfer, your data will not be transferred to the new owner. If we do not receive a response within this period, we will assume that you have no objections to this transfer of your personal data, and your personal data will be transferred to the new owner.
Information about the data processing by the new owner will be available in their data policy, which will be accessible on their website after the transaction's completion.
Best regards,
(signature, name, and capacity of the seller's legal representative)
Additional Info
(...) The final conclusion is that GDPR doesn’t change this point compared to the old Data Protection Act. Therefore, the transfer of customer files in the context of a business acquisition is not problematic. Only if the buyer approaches the acquired customers with different types of products or services might there be an issue. (...)
See also https://www.webshopovername.nl/kennisbank/klantenbestand-privacy-avg (AVG is the Dutch implementation of the GDPR).
This article was created thanks to practical experience from several acquisition guides in relation to Overnamemarkt.be
Disclaimer: All information on this website is of a general nature. The information is not tailored to personal or specific circumstances and cannot be considered as personal, professional, or legal advice to the user.
Overnamemarkt.be makes great efforts to ensure that the information provided is complete, accurate, precise, and up to date. However, Overnamemarkt.be cannot be held liable for direct or indirect damage resulting from the use of the information on this site.
If you identify inaccuracies, please contact the site administrator via info@overnamemarkt.be