Are Your Business & Personal Details For Sale Under GDPR, The Legislation Designed To Protect You?

Recently, I was approached by the Administrator of a competitor company. I know and like the owner of the company … but the approach worried me.

In advance of signing a Non-Disclosure Agreement, the Administrator was advertising the website domain (fine), a list of sales leads (OK) … and the company’s business contact list!

This is the list of people they’ve done business with … and many that they haven’t.

The one that under GDPR, we’re all supposed to protect with care and diligence.

Like many well-directed companies, we’ve spent a lot of time and effort to ensure GDPR compliance, and we’ve commissioned expert advice. We’ve developed online resources that employees can use to refer to, or to refresh their memory. 

And as we all know, one of the key elements of GDPR is the requirement to keep lists of customers and business contacts confidential. 

But it’s hardly confidential if it can be sold to any Tom, Dick or Harry who buys the company in Administration.  

I queried this with the Administrator, and they insist that they, too, have taken advice, and that what they’re doing is perfectly legal.

I’ve no idea whether they’re right, or not, but if they are, it drives a coach and horses through GDPR. 

In my view, it may or may not be legal, but if it is, it quite clearly flies in the face of (even makes a mockery of) the intentions of the legislation. At the very least, it’s a loophole. 

So is it legal, or not? I don’t know. I’m not a lawyer, and apparently there are conflicting views out there. 

I’d be interested in the views of any lawyers reading this. 

But if it is legal, as this Administrator claims, I’d question the value of having GDPR at all.  

When you buy a company, one of the things you’ll do is conduct due diligence to ensure that the seller has legal title to the assets being sold.

So, in this case, you’d question the lawful basis upon which they hold the customer data. 

You’d do that in any corporate transaction, because you don’t want to buy something that the seller has no right to sell.

And presumably, they don’t have some legal instrument which allows them, on the one hand, to hold this data, and on the other, to ignore the principles of GDPR when it comes to selling the company.

I’ve never heard of any such instrument, if one exists. Which I doubt.

My understanding of the training I undertook may be flawed – I claim no expertise – but if I’m right, you can’t sell-on (or share in any way) data you’ve acquired about customers unless you have the customers’ specific consent to do that.

Their privacy policy should address this – there should be provision for this scenario (a sale of the company, merger etc). I asked for a copy some time ago. 

Still waiting.

Clearly, GDPR is not intended to inhibit the sale of a company, and clearly it would allow (for example) data about employees and probably individuals they work with to be shared with a purchaser.

But I suspect that they can only sell-on customer details if the sale was predicted and the customers have consented to that. 

Perhaps if the company changes hands, but remains the same legal entity, it’s fine (although surely, you’ve then passed on customer details to the new owners, without the customers' consent)?

If the contacts can be sold as an independent asset, though, it does render GDPR a little pointless. 

And for the record, I’ll be on that list, and I definitely haven’t consented to it.  

I don’t know the answer to this.

But I think we need to know, because for many companies, building a database is expensive, it’s an investment and an asset, and we need to know whether it has a commercial value, and what restrictions (if any) now apply to its sale.

So I thought I’d punt it out there, and see if anyone else knows (!)

I blog regularly on LinkedIn about industrial and business matters, and often on health and safety. Please visit my profile, my other blogs, or our company’s website for further information. 

Gill Monk

MD at All Health Matters Limited

6 years ago

I completely agree with you Steve. It makes a mockery of the regulations. I suspect though, it will take a case to be challenged in the courts before any clear direction is committed to Case Law. As with so much in the GDPR small print, there are lots of references to 'not absolute' which is code for "we really don't know and until a Judge decides then it's anyone's guess!" There are also conflicts between H&S Law and GDPR and OH Law... believe me, I have been in communication with reps from all three arenas, and still no further forward!

Philip Cledwyn

Automotive Consultant & Equipment Specialist

6 years ago

Interesting question!!

Chris Banbury

Sales Director at Tersus Training Services Ltd

6 years ago

Steve - I'm as surprised by this approach as you are. In my understanding of GDPR you've hit the nail on the head here: "...you can’t sell-on (or share in any way) data you’ve acquired about customers unless you have the customers’ specific consent to do that." If a business owner does not have their consent to sell it when the company is trading then I struggle to understand how the Administrators would miraculously have this consent bestowed upon them when the business is in their hands. It sounds like they are sailing close to the wind on this one.
