Accessibility Page Navigation
Style sheets must be enabled to view this page as it was intended.
ebizinfo

Sign up to receive updates in ebizlaw and details of our ebizlaw events.

Before you provide your details to register, we want to tell you how we'll use your data. »

ebizsearch

Search all of ebizlaw

See all Legal Guidance items by topic

Fox Williams websites
Please visit our other specialist websites

Data protection issues on business sales

For any purchaser, databases of customers, clients, suppliers and employees are a valuable asset and an integral part of any business acquisition. Indeed, for online businesses, the company’s customer database is a key element of its market value. However, despite the importance of databases, due consideration is not always given to the data protection issues that arise concerning the inevitable transfers of data that occur in connection with a business sale. 

The Data Protection Act 1998 (“DPA”) regulates the use of data relating to living individuals. This includes a range of data such as employee and customer data. Aside from legal sanctions such as fines and compensation claims from aggrieved individuals, failure to comply with the DPA can result in damaging adverse publicity. Increasingly, any false step in the area of privacy attracts intense media scrutiny, regardless of whether any law has in fact been infringed, which can cause significant damage to the reputation of the business concerned.

The DPA requires that individuals (such as employees and customers) be provided with certain information concerning any disclosure or transfer to a buyer (of the individuals’ data) either during the due diligence process or on completion. This is called the “fair processing information” and must include the following:

  • The identity of the purchaser.
  • The purpose(s) for which the data will be processed.
  • Any other information that is necessary to enable the particular processing to be fair.

Often, for good reason, the seller does not wish to inform individuals such as employees and customers about the potential transaction. If the seller is not willing to provide the fair processing information, the seller should consider taking the following practical steps in order to protect an individual’s privacy rights and to mitigate any risk of a potential non-compliance with the DPA:

  • Only disclose what is absolutely necessary for the purposes of the sale. For example, it may only be necessary to disclose details of key employees rather than the details of all employees. It is likely that the key employees know about the sale anyway;

  • Consider whether the data could be anonymised in some way. For example, give a sample customer contract rather than the contract of a particular person;

  •  Limit the use of the data by the purchaser. For example, disclosure should only be made pursuant to a confidentiality agreement which requires the data to be returned if the sale aborts and restricts further disclosures to third parties;      

  • Ensure that any pre-sale disclosure is appropriately reflected in the sale agreement;

  • Ensure that data is kept inside the EEA (as, subject to certain exceptions, international transfers of data outside the EEA are prohibited).

Once the sale has been completed, individuals should be given the fair processing information so that they have an opportunity to decide whether they are happy for the purchaser to continue to hold their personal data. Again, this is something that may need to be explicitly covered in sale agreement.

Further readingData Protection, Privacy and emarketing

Date: 27/09/2006 | Author: ebizlaw team