The sale of almost all businesses will include the sale of its database, and a database is often a key asset within any acquisition, for example, in the form of customer lists, sale and purchase ledgers, inventories and know-how systems.
When considering the sale and purchase of a database, it is important to establish whether the data stored in it falls within the scope of data protection legislation and, if so, whether it complies with it. Any shrewd buyer will seek reassurance by incorporating warranties into the sale agreement.
Data protection warranties generally cover the following points:
The data protection legislation has been complied with in all regards in relation to the database.
The seller is entitled to transfer the database to the buyer.
The buyer is entitled to use the database under the relevant data protection legislation for the purposes that he intends to use it.
The buyer has no notice of any claims or complaints in connection with the relevant data protection legislation by data subjects in relation to the database.
The seller has received no notice that the information commissioner or any other regulatory authority considers the seller has or may have infringed any provision of the applicable data protection legislation in relation to the database.
The buyer, as always, should complete appropriate due diligence, asking to see copies of the information provided to data subjects, copies of any agreements with third parties if those agreements are to continue or copies of complaints and the details of how they were handled.
In the case of an outright sale of a database as an asset, the transfer of personal data from one controller to another will amount to processing under the applicable data protection legislation and therefore on completion of the sale, the buyer will become a controller with respect to the database.
In relation to the transfer of data from one controller to another, there will be a duty to inform the data subjects that their personal data is to be transferred to a new controller. If the buyer is relying on the seller to send out such notice, it is advisable that this is detailed in the sale agreement.
If the sale of the database is part of a business sale by way of a share purchase, then the controller will remain the same. Nevertheless, as part of the due diligence process, the buyer will wish to be satisfied that data protection requirements in relation to the database have been met.
If you require specialist advice on data protection matters during the purchase or sale of a business, please get in touch with Farleys’ GDPR solicitors on 0845 287 0939 or email us today.
Download Your FREE GDPR Checklist
We have created this handy GDPR checklist to check where your business is now in terms of compliance.