Readers Questions: I’m buying a business with customers, can I contact them or not because of GDPR?
Experts answer: The expert answering this question is Charlotte Gerrish, the founding lawyer of Gerrish Legal.
Firstly, it is worth noting that GDPR is not the only source to look at when deciding if or how you can contact customers and prospects. The applicable legislation is the Privacy and Electronic Communications Regulations, also known as PECR which was in force long before the GDPR. PECR governs marketing by electronic means, including marketing calls, texts, emails and faxes and using cookies on your website. The GDPR supplements PECR by providing for a higher standard of consent from the individuals that you market to.
In response to your question, it all depends on how you are buying the business.
If you are only buying the assets of the business (including any customer lists) then this means that the legal entity of the business will not be the same. This means that the identity of the data controller for GDPR purposes will change and so the customers would not necessarily expect to be contacted by you, as a third party. In this case, you should obtain assurances from the seller confirming that they obtained the relevant consent from their customers to be able to sell their customer database to you. Before you start contacting anyone, you should also undertake and review any policies and procedures that you have obtained as part of the sale and also implement your own data protection and marketing practices. As this can be a tricky area of law, it is usually worth seeking specific legal advice to avoid any issues later on.
If you are buying the shares of the business, then the legal entity itself remains the same and does not change. This also means that the identity of the data controller, for GDPR purposes, will not change. In this case, whether you can contact the business’ existing customers depends on what processes were put in place by the previous owner. In theory, you can carry on contacting the customers and carry out business as usual, but it will be important to ensure you properly review any pre-existing practices to ensure compliance with PECR and the GDPR.
Furthermore, as part of the share purchase, you should also seek assurances from the seller to confirm that all of the personal data within the company is GDPR-compliant and that any marketing lists are made, held and maintained in accordance with PECR. It might also be worth seeking an indemnity from the seller to hold you harmless if you suffer any losses after the purchase (such as fines or court proceedings) due to the seller’s failure to comply with these rules. Again, if in doubt, it is always worth seeking legal advice on your own situation, to make sure you are doing things properly and to avoid any unnecessary liability.
Do you have a question that you need an expert answer to? Here is where you can ask your questions.