Since the General Data Protection Regulation (“GDPR”) became effective on 25 May 2018, I have received many questions from clients about what is still allowed under the GDPR. In this blogpost, the question is: How to sell customer data under the GDPR?
Why sell customer data?
In merger and acquisition (M&A) deals between companies, customer data (CRM database) can be of great value. A buyer may want to contact the customers to continue the services of the seller, or offer different products or services. The GDPR has stricter rules about the use of personal data, so the question is: is it allowed to sell a customer database?
GDPR applies to customer data
The first question is whether the GDPR applies to a customer database. The answer is yes, if the customer list contains personal data, which it usually does. The definition of personal data is so broad that all data that say anything about a natural person are considered to be personal data. Even a business-to-business (B2B) company has personal data. Business email addresses with the names of contact persons in them are personal data. Telephone numbers and mobile numbers can also be personal data. So the GDPR also applies to a customer database. Transferring a customer database is a form of “processing” of personal data. In this blogpost, I will briefly discuss what you should know if you want to sell a customer database.
Lawful use of personal data
Under the GDPR, any processing of personal data has to be lawful. For processing to be lawful, one of the legal grounds mentioned in Article 6 of the GDPR should apply. ‘Consent’ is one of the possible legal grounds, but it is not the only one. Other legal grounds for using personal data are: the necessity for the performance of a contract, compliance with the law, or a legitimate interest. ‘Legitimate interest’ is broadly used, for example for camera surveillance. It can be argued that there is a legitimate interest to sell a customer database.
Stick to the purpose
Under the GDPR, personal data may only be used for the purposes for which the personal data were collected, the so-called ‘purpose limitation’. The purposes have to be communicated in advance to the customers, by means of a privacy statement. However, a sale of the customer database is often not included in a privacy statement. And if a buyer wants to offer different products or services, there will be a different purpose. The new purpose has to be checked once again under the GDPR. A new use of personal data means that the privacy statement should be changed too. If the privacy statement has been changed, the customers have to be informed upfront about the new purpose, and in some cases have to give their consent.
Opt-in or opt-out?
There are special rules for electronic communications (like emails) in the Telecommunications Act, also called the ‘spam law’. The basic rule is that it is forbidden to use personal data for commercial emails without the prior consent of the person involved (opt-in). This consent has to be given actively, for example by ‘ticking a box’ or by clicking an ‘agree’-button. The sender of the email should be able to prove that consent was given. All emails should contain an easy way to unsubscribe from any further emails (opt-out).
Exception for existing customers
There is one exception to the ‘opt-in’ rule. No consent is needed if there is a customer relationship. So you are allowed to send commercial emails to your existing customers, if it concerns ‘similar products and services’.
However, if a buyer only buys a customer database and not the customer contracts, there is no existing contractual relationship and the exception does not apply. A takeover of the customer contracts still requires a (silent) ‘cooperation’ from the customers, which I call the ‘no objection’ rule.
The ‘No objection’ rule
A sale of a customer database is allowed if the customers have been informed upfront about the sale, and the customers have the opportunity to object to the transfer. If they have not objected within the given term (2 to 4 weeks is considered reasonable), the personal data may be transferred to the buyer. If a customer objects to the transfer, the personal data of this customer may not be transferred.
A disadvantage of this ‘no objection’ rule is that it takes time and may lead to a loss of customers (if many customers object). However, this rule is more practical than asking consent from all customers, which may lead to a higher loss of customers.
What is your question?
Do you want to know more about this topic, or do you have any other questions about the GDPR? Just leave a message in the comment section below, or check out the Privacy law page.