The GDPR and the customer database

With the acquisition of an online store, it is common for the buyer to also become the owner of the related customer base; these then form part of the goodwill acquired. Since there is a so-called "transfer of undertaking," this seems like a done deal. However, in 2018, the General Data Protection Regulation (GDPR) also came into force. This article will discuss the impact of the old Data Protection Act and the new GDPR on the acquisition of a customer base as part of a online business takeover.

The GDPR and taking over a customer base

When taking over a company, it is common for the customer base to be taken over as well. These files contain personal data, making the GDPR applicable. Does this new privacy law cause problems when taking over a customer file?

Data processing in the GDPR

The acquisition of the customer database is considered a "further processing of personal data" under the GDPR. The seller is responsible for processing these personal data. According to the GDPR, any processing must be lawful.

There are several grounds for lawful processing of personal data in the GDPR. The different bases that can apply to a takeover are consents legitimate interest. This does not differ from the old Personal Data Protection Act.

Consent

It is theoretically possible to obtain prior consent from customers to transfer their data in the event of an acquisition. This could be done in the privacy notice or privacy statement. In practice, however, this happens very rarely, because asking such consent confuses customers. In addition, the GDPR has strict requirements for this consent.

Justifiable interest

Transferring a customer base must therefore find basis in a legitimate interest. This may be the business interest of the seller, because in many cases the customer base constitutes a significant part of the value of the business (goodwill).

Thus, the GDPR does not create any new problems when taking over a customer database compared to the Data Protection Act. Please note that if the next owner of the customer database uses the data for purposes other than the continuation of the business, this may cause problems. One example is a mailing for other products than the products the customer purchased from the previous owner.

The final conclusion is that the GDPR does not entail any change on this point compared to the old Personal Data Protection Act. Thus, transfer of customer files in the context of an acquisition of a company is not a problem. Only if the buyer is going to approach the purchased customers with other types of products or services can a problem arise.