Customer databases often include addresses, phone numbers, email addresses and other sensitive personal information belonging to business customers. If you’re selling your business, you must understand how the Privacy Act 1988 (‘Privacy Act’) applies to your customer database and avoid breaching legal obligations when transferring information to a buyer. This article outlines how to manage personal data in a business sale and the need for individual consent if data is part of the transaction.
How will selling the business impact personal information?
The sale of an entire business is not considered trading in personal information. The Privacy Act does not prohibit the transfer of sensitive information (i.e. customer database) if the sale involves a change of ownership resulting from a transfer of shares, provided that the personal information held by your business remains within your organisation. In such cases, your business may have new shareholders (as a result of the sale), but the business has not disclosed the personal information to any external party. By contrast, if your business intends to sell personal information as part of a transaction to a new entity (for example, as part of an asset sale), you must obtain explicit consent from every individual whose personal data is impacted before finalising the sale. Failure to secure this consent would be subject to the provisions of the Privacy Act.
In essence, the Privacy Act allows for the transfer of personal information within a business during an ownership change or share sale as long as the data remains confined to the organisation. However, if personal information is bought or sold as a commodity (i.e. an asset), explicit individual consent is mandatory to comply with privacy regulations.

Exempt businesses and due diligence
When selling assets with personal information (i.e. customer database), both parties must comply with the Privacy Act after the sale.
If you’re buying a business and are unsure about Privacy Act coverage during due diligence, consult your solicitor before starting the process.
Before starting due diligence, both parties should sign a non-disclosure agreement to protect sensitive information exchanged during negotiations and in the data room.
Vendor compliance during due diligence
When a business is under the Privacy Act, buyers and vendors should consult their solicitors to protect personal information.
Specifically, the Australian Privacy Principles (APPs) guide how to protect this personal information. Personal information may be disclosed if and when the individuals concerned would reasonably expect this disclosure because the reason for disclosing relates to the purpose of collecting the information. Ask your small business solicitor about the limits of disclosure during due diligence. For example, you do not need to disclose unnecessary personal information to assess the business.
Vendors are typically allowed to disclose the following:
- partnership/supply/contractors agreements;
- details regarding employment contracts of key employees;
- certain customer details;
- certain details about employee entitlements; and
- financial information.
The vendor is responsible for safeguarding the personal information held by the business. Have your small business solicitor draft privacy provisions into all confidentiality agreements when dealing with potential buyers. Ensure these buyers do not make copies of the documents; they’re typically only entitled to view them.
Purchaser compliance during due diligence
As the potential purchaser of the business, you will also have certain duties to protect the personal information of individuals when conducting due diligence. Your small business solicitor should advise you to comply with the APPs when dealing with personal information.
Key Takeaways
Many risks are associated with selling or buying a business containing personal data. As a seller or buyer, you should perform the required due diligence to ensure you are not violating the Privacy Act. If you do not comply, you will risk serious legal consequences.
If you have further questions, our experienced sale of business lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.
Frequently Asked Questions
Due diligence is the process of collecting and analysing information to ensure the business is viable. Sellers use this process to check what issues they must solve or what information they should provide.
Vendors are generally allowed to disclose the following:
1. partnership/supply/contractors agreements;
2. details regarding employment contracts of key employees;
3. certain customer details;
4. certain details about employee entitlements; and
5. financial information.
Vendors who go beyond what is necessary will risk serious legal consequences.