Privacy Talk

Pdf version Archive Subscribe
Your business • April 2021

Can an acquirer continue to use the customer database for direct marketing after the transaction?

What you need to know.

In the context of a business transaction, the customer database is often an important element of the target enterprise. As an acquirer, you naturally want to be able to continue to write to the customers in such database for direct marketing purposes. From a privacy perspective, however, the further use of these personal data for direct marketing is far from self-evident.

Companies that are active in personal data trading require the prior consent of the data subjects before they can sell the personal data to third parties (see, amongst others, Recommendation 01/2020 of the Belgian Data Protection Authority [currently only available in Dutch]). Were this reasoning to be extended to business transactions, it would make things particularly difficult. After all, no transaction could go ahead without the consent of (a sufficiently large number of) customers, which can hardly be the intention. This requirement might therefore not necessarily apply in the event of a merger, division or acquisition, and in that case it is allowed to build on the legal basis of the transferor. However, it is required that the transferor processes the personal data in a lawful manner, that both companies are transparent about the transfer, and that the transferee uses the personal data for the same purpose.

What you need to do.

As part of the due diligence investigation, you must first verify whether the transferor is processing the customer database in a lawful manner: is valid consent requested to receive direct marketing or can the transferor rely on the legal basis of legitimate interest? Is a real and effective right to object offered to the data subjects? If not, the transferor has been processing the data concerned in breach of the GDPR, which makes further use of this data by you, the transferee, unlawful as well.

If the controller (or one of the joint controllers) changes as a result of the transfer, for example in the case of an asset deal, the following must also be considered.  

The transferor must inform data subjects about the transfer of their personal data in the framework of a business transaction. It is recommended that every company anticipate such a possibility via a standard clause in its privacy statement. If this is not the case, a further communication will in any event have to be sent to the parties involved before the transfer takes place.

As a transferee, you will have to inform the data subjects after the transfer about your identity, the purposes and the processing activities for which the personal data are intended, the processed data, any (new) recipients of the data and the rights that the data subjects have. This can be done in the context of a general communication after the transfer (possibly with a reference to the extensive privacy statement on your website).

If you will be using the personal data for the same purpose as for which the transferor used it (i.e. writing to data subjects about the transferor’s products or services), this further processing may be compatible with this initial purpose and you can continue to write to the data subjects.
If you wish to use the obtained personal data for other purposes (for example, direct marketing for other products or services of your company), you will need your own legal basis for this further processing. There is a real risk that a data protection authority will consider such a (different) purpose to be incompatible with the initial purpose. This means that you will have to request the data subjects’ consent to use their data for that other purpose (Article 5.1 b) in conjunction with 6.4 GDPR). A recent decision [currently only available in Dutch] by the Belgian Data Protection Authority appears to indicate that the other legal grounds in Article 6.1 GDPR may also be relied upon, for example legitimate interest; although in the event of incompatible further processing, it will be unlikely that the “balancing test” can be met.

Finally, you should of course also not lose sight of the other obligations of the GDPR when writing to customers for direct marketing purposes, such as providing an unsubscribe option.

Please consult our website or contact one of our team members if you have questions or require more information: