Privacy Talk

Pdf version Archive Subscribe
Your business • April 2021

Can an acquirer continue to use the customer database for direct marketing after the transaction?

What you need to know.

In the context of a business transaction, the customer database is often an important element of the target enterprise. As an acquirer, you naturally want to be able to continue to write to the customers in such database for direct marketing purposes. From a privacy perspective, however, the further use of these personal data for direct marketing is far from self-evident.

Companies that are active in personal data trading require the prior consent of the data subjects before they can sell the personal data to third parties (see, amongst others, Recommendation 01/2020 of the Belgian Data Protection Authority [currently only available in Dutch]). Were this reasoning to be extended to business transactions, it would make things particularly difficult. After all, no transaction could go ahead without the consent of (a sufficiently large number of) customers, which can hardly be the intention. This requirement might therefore not necessarily apply in the event of a merger, division or acquisition, and in that case it is allowed to build on the legal basis of the transferor. However, it is required that the transferor processes the personal data in a lawful manner, that both companies are transparent about the transfer, and that the transferee uses the personal data for the same purpose.

What you need to do.

As part of the due diligence investigation, you must first verify whether the transferor is processing the customer database in a lawful manner: is valid consent requested to receive direct marketing or can the transferor rely on the legal basis of legitimate interest? Is a real and effective right to object offered to the data subjects? If not, the transferor has been processing the data concerned in breach of the GDPR, which makes further use of this data by you, the transferee, unlawful as well.

If the controller (or one of the joint controllers) changes as a result of the transfer, for example in the case of an asset deal, the following must also be considered.  

The transferor must inform data subjects about the transfer of their personal data in the framework of a business transaction. It is recommended that every company anticipate such a possibility via a standard clause in its privacy statement. If this is not the case, a further communication will in any event have to be sent to the parties involved before the transfer takes place.

As a transferee, you will have to inform the data subjects after the transfer about your identity, the purposes and the processing activities for which the personal data are intended, the processed data, any (new) recipients of the data and the rights that the data subjects have. This can be done in the context of a general communication after the transfer (possibly with a reference to the extensive privacy statement on your website).

If you will be using the personal data for the same purpose as for which the transferor used it (i.e. writing to data subjects about the transferor’s products or services), this further processing may be compatible with this initial purpose and you can continue to write to the data subjects.
 
If you wish to use the obtained personal data for other purposes (for example, direct marketing for other products or services of your company), you will need your own legal basis for this further processing. There is a real risk that a data protection authority will consider such a (different) purpose to be incompatible with the initial purpose. This means that you will have to request the data subjects’ consent to use their data for that other purpose (Article 5.1 b) in conjunction with 6.4 GDPR). A recent decision [currently only available in Dutch] by the Belgian Data Protection Authority appears to indicate that the other legal grounds in Article 6.1 GDPR may also be relied upon, for example legitimate interest; although in the event of incompatible further processing, it will be unlikely that the “balancing test” can be met.

Finally, you should of course also not lose sight of the other obligations of the GDPR when writing to customers for direct marketing purposes, such as providing an unsubscribe option.

Please consult our website or contact one of our team members if you have questions or require more information:

Have a look at our 'GDPR toolkit'

GDPR toolkit

Receive our ‘Privacy Talk’ directly in your inbox

Subscribe

Discover the previous issues in our Archive

Archive
In the Picture - November 2024

Nuts and bolts: the new EU repair rules
Books

Burgerlijk wetboek / Code civil
Articles

FIFA moet transferregels aanpassen na uitspraak Hof van Justitie in zaak-Diarra
More Newsletter

Log into your account

Forgot password? Not a member yet?

Forgot password?

Request a new password by providing your email address.

Log into your account

Password reset

Enter your new password.

Password registration

Enter a password to protect you personal pages.

Activate your account

Activate your account by providing your email address.

Thanks

You will receive an email with a link to enter a new password.

Close

Thanks

Your new password is successfully saved.

Close
Close

Cookies

This website uses cookies to improve your browsing experience and to better tailor the website to your preferences. For more information about cookies and the list of cookies used on this website, see our Cookie Statement.

Below you can indicate your cookie preferences:

ON

Essential cookies are cookies that are necessary for the correct functioning of the website (e.g., to avoid overload on the website, keeping it functional and accessible). These cookies can be placed without your consent.

ON

Functional cookies are cookies that are necessary to improve your browsing experience or to provide a functionality explicitly requested by you (e.g. remembering your settings). These cookies can also be placed without your consent.

Analytical cookies are cookies that collect information about how you use the website to improve search engine hits and the functioning of the website (e.g. we see how visitors move around the website when they are using it to ensure that visitors find what they are looking for easily). These cookies are only placed if you have given your consent.

Advertising cookies are cookies that collect information about your surf and search behaviour in order to offer you personalised advertising in ad spaces on websites based on your personal interests. These cookies are only placed if you have given your consent.

Social media cookies are cookies that make it possible to share certain features from the website on social media networks (e.g. Facebook). Furthermore, these cookies collect information about your surf and search behaviour on the website in order to offer you personalised promotions and advertising about our products on these social media networks. These cookies are only placed if you have given your consent. It is possible that these social media networks also use the information they collect through these cookies for their own purposes. You can find more information about this in the privacy statements of the respective social media networks.

   

You can always change these preferences via your Cookie preferences.