GDPR

Can a company sell your personal data in the event of a takeover?

Joris Deene
1 month ago
192 views
7 minutes reading time

In a business takeover or the sale of a business activity, not only buildings and contracts are transferred, but often an entire customer base. What then happens to your personal data? A ruling of the Market Court in Brussels on 3 September 2025 offers a clarifying answer: the sale of a customer database is a processing of personal data that must follow strict rules. However, the Data Protection Authority (DPA) must also proceed with caution in this regard.

The facts: sales of Jobat and a user's complaint

The case revolved around the sale of the activities of the well-known jobsite Jobat by Mediahuis NV. In 2019, these activities, including user data, were transferred to Hors bv, a new company established as a joint venture between Mediahuis and DPG Media.

A user of Jobat disagreed. He claimed that his personal data had been transferred to a new entity without his consent or proper information. He filed a complaint with the DPA.

The DPA ruled in favour of the complainant and issued Mediahuis with a reprimand. According to the DPA, Mediahuis should have proactively informed users about the transfer in advance. The DPA also stated that while Mediahuis could have a "legitimate interest" in the transaction, it violated the GDPR because it had not conducted a prior documented analysis of this interest. Mediahuis disagreed with this decision and appealed to the Market Court, a specialized section of the Brussels Court of Appeal.

The decision: the Market Court overturns the DPA's sanction

In its September 3, 2025 ruling, the Market Court overturned the DPA's decision. The Court ruled that the analysis of the DPA was legally and factually deficient on several crucial points.

The main reasons for the annulment were:

  1. Wrong focus of research: The DPA focused solely on the material "transmission" of data. The Market Court held that this was too narrow. The relevant act under the GDPR was the entire legal transaction: the sale and transfer of ownership of the customer base as a business asset ("asset deal"). The mere transmission is merely a logical and necessary consequence of this.
  2. Violation of rights of defense: The DPA accused Mediahuis of failing to conduct a prior, documented analysis of its legitimate interest. The Market Court held that this obligation did not follow directly from Article 6.1.f GDPR (legitimate interest), but from the general accountability principle of Article 5.2 GDPR. Crucially, the DPA had never properly examined or questioned this specific allegation (the lack of documentation) during the proceedings. This prevented Mediahuis from adequately defending itself against it, in violation of its rights of defense.
  3. Incomplete investigation of responsibilities: After the transfer, Hors bv became the new data controller for Jobat's data. This meant that Hors bv had its own legal duty under Article 14 GDPR to inform users. However, the DPA had not involved Hors bv in any way and placed the duty to inform unilaterally and retrospectively on the seller, Mediahuis. This made the DPA's decision insufficiently reasoned.

Legal analysis and interpretation

This ruling is of great importance for the practice of company takeovers in Belgium. The Market Court corrects an overly narrow and formalistic approach to the DPA and places data protection in the proper corporate law context.

The crux of the matter is the legal basis of the legitimate interest (Article 6.1.f GDPR). Selling a business unit is a fundamental commercial interest for a company. The GDPR does not prohibit this, but it does require a careful balancing of this business interest against the rights and freedoms of the individuals involved (the users).

The crucial lesson from this ruling is the link to the accountability requirement in Article 5.2 GDPR. A company must not only believe that it has a legitimate interest; it must also be able to demonstrate this. This requires a proactive, documented analysis (a Legitimate Interest Assessment or LIA) conducted prior to processing. This describes the transaction, identifies the interest and justifies the trade-off with data subjects' rights.

In addition, the ruling clarifies the information duties in the case of an ''asset deal'. The seller (Mediahuis) must be transparent about the processing (Article 13 GDPR), but the buyer (Hors bv) is given its own separate duty of information after receiving the data (Article 14 GDPR). Ignoring the buyer's role was a fundamental error in the DPA's investigation.

What this specifically means

  • For selling companies: Selling a customer database is perfectly possible under the GDPR, but requires preparation. Prior to the transaction, document your legitimate interest in an LIA. Be transparent in your privacy policy about the possibility of such transactions and inform data subjects at an appropriate time.
  • For buying companies: Realize that after purchasing a customer database, you become the new data controller. You inherit not only the data, but also full responsibility for GDPR compliance. You must independently inform data subjects that you are now processing their data, on what legal basis and for what purposes (Article 14 GDPR).
  • For users: Your personal data is no ordinary commodity. While your explicit consent is not always required for a transfer in the context of an acquisition, you are entitled to clear and timely information. You need to know who controls your data and why.

FAQ (frequently asked questions)

Do I have to give explicit consent if my data is resold in an acquisition?
Not necessarily. As this ruling confirms, the transfer can be based on the "legitimate interest" of the seller. In that case, your consent is not a requirement. However, you must be properly informed and you retain the right to object to the processing.

What is the difference between an "asset deal" and a merger for my data?
In a merger, two companies merge completely and the legal entity often remains (in modified form). In an "asset deal," as in this case, company A sells a specific asset (e.g., a customer base) to a completely separate company B. Legally, this is a transfer to a third party, which strongly activates information obligations under the GDPR

Can a decision of the Data Protection Authority be challenged?
Yes. This ruling is perfect proof of that. A company that disagrees with a sanction or decision of the DPA Litigation Chamber can appeal it to the Market Court. This court will then completely reassess the case, both factually and legally.

Conclusion

The Market Court ruling is an important justification that reminds companies that a business acquisition requires careful data protection planning. It is not enough to simply transfer the data; the underlying legal basis must be proactively documented and the responsibilities of both buyer and seller must be clear. At the same time, the ruling shows that decisions of the DPA are not infallible and can be successfully challenged if the investigation was conducted incompletely or with legal carelessness.

Are you facing a complex case involving the processing of personal data in an acquisition or a dispute with the DPA? Our attorneys, specialized in privacy and data protection law (GDPR), are ready to analyze your case. Feel free to contact us for an initial advice.

Joris Deene

Attorney-partner at Everest Attorneys

View all posts

You might also like this

Contact

Questions? Need advice?
Contact Attorney Joris Deene.

Phone: 09/280.20.68
E-mail: joris.deene@everest-law.be

Topics