What is allowed and required when transferring personal data, for example in a database sale or company takeover? Read how to stay AVG-compliant and mitigate risks.
Processing and managing personal data entails responsibilities that should not be taken lightly. With the increase in companies’ use of data and the emergence of innovative applications, the complexity of legal issues surrounding data transfer is also growing.
For example, what happens to personal data in a takeover, bankruptcy or the sale of a database? Good Law lists the main points of interest.
Data as a valuable asset
That personal data is valuable is common knowledge. The oft-repeated saying ‘data is the new oil’ highlights how data is an inexhaustible source of value. Many companies use personal data, for example for customer registration or personnel management. In addition, companies are constantly discovering new ways to use data, such as in targeted advertising or health registration in the hospitality industry.
With these growing mountains of data also comes the question of how to manage this data responsibly, especially when personal data changes hands through sale, restructuring or bankruptcy.
The legal snags of data transfer
Personal data are sometimes ‘carelessly’ referred to as assets or transferred without much consideration. This raises complex questions: can personal data be sold just like that? And under what conditions? With data transfer, not only responsibility passes, but also the obligation to comply with the General Data Protection Regulation (GDPR).
This could lead to significant legal liabilities for the new controller.
New responsibilities, new rules
When there is a change of ownership, the new controller must consider how and why personal data was collected. This depends on several factors:
- Categories of data: Special or sensitive data such as BSN numbers or health information require extra care.
- Purposes: Were the data originally intended for the same use as the new owner intends? If the use changes, this must have a valid basis.
- Basis: Is there consent or a contract that legitimises the processing? Or is some other legal basis needed?
For example, a magazine company that continues its business will face fewer legal obstacles in transferring customer data than a telemarketer who wants to combine data for new applications.
Carefulness pays off
In addition to the privacy rules of the AVG, database law and other legal frameworks may also apply. Companies that handle personal data transparently not only increase their compliance, but also their value and goodwill. Careful data transfer is therefore essential.
Knowledge and support of Good Law
Managing personal data requires knowledge and precision. The Personal Data Authority provides information to outline an initial framework, but elaborate situations often require specialist advice.
At Good Law, our support services include:
- Ad-hoc privacy advice;
- Guidance on projects;
- Privacy risk assessments.
With our expertise, we help companies not only comply with their legal obligations, but also proactively add value through careful data processing.