Belgian DPA issues decision on legal basis and GDPR compliance in corporate transactions

On 15 January 2025, the Belgian Data Protection Authority (Belgian DPA) issued a decision imposing a reprimand and an order to comply on Mediahuis NV (Defendant). The reprimand was for failing to provide an appropriate legal basis and inadequate transparency practices in the context of transferring Jobat, a job-posting and matching service platform, to a joint venture company, House of Recruitment Services (HORS).

The decision provides important insights into the Belgian DPA’s perception of corporate transactions that include transfers of databases. And it should be taken into consideration when planning such transactions and conducting due diligence exercises.

In this blogpost, we’ll set out the facts of the case, the findings of the Inspection Service, the subsequent determinations made by the Litigation Chamber and the key takeaways.

 

Facts

The case was initiated on 14 May 2020 with a complaint to the Belgian DPA from a data subject whose personal data was processed (and stored) in the context of Jobat’s services.

Previously, in a separate case, the Belgian DPA had ordered the Defendant to grant the data subject access to their personal data.

As indicated above, as part of an asset deal, Jobat services (including relevant personal data and corresponding contracts with service recipients and data subjects) were transferred to HORS, which was established in June 2019.

The complaint isn’t solely limited to the practices in relation to this asset deal but also encompasses alleged violations of the GDPR before the transfer.

 

The findings of the Inspection Service

Upon request of the Litigation Chamber, the Inspection Service investigated the matter and established the following key findings in its inspection report:

• There was no violation of the GDPR in relation to the:
  • lawfulness of other processing activities;
  • data minimisation principle;
  • transparency and information obligations (on matters that don’t relate to the asset deal);
  • retention periods and storage limitation principle;
  • accuracy of personal; and
  • notification obligations (eg article 33 GDPR).
• The transfer of personal data to HORS by the Defendant constitutes “processing” within the meaning of the GDPR.
• The Defendant didn’t have any applicable legal basis (including legitimate interests) for the transfer, constituting a violation of article 6 GDPR.
• The transfer of personal data and relevant details about the asset deal weren’t sufficiently and transparently disclosed, constituting a violation of articles 5.1(a), article 12 and article 13 GDPR.

 

The main findings of the Litigation Chamber

• Abuse of rights: The Litigation Chamber started by ruling on the complainant’s alleged abuse of rights. According to the Defendant, the contentious past between the complainant and the Defendant indicates that the complainant, by submitting a complaint to the Belgian DPA, wanted purely to harm the Defendant. The Litigation Chamber indicated that the complainant’s personal data was processed by the Defendant. The Litigation Chamber added that even if the complainant wanted to cause harm or detriment to the Defendant, this doesn’t by itself preclude the right to complain when there are legitimate reasons behind exercising this right. Interestingly, the Litigation Chamber noted that the conclusion could be different if the complainant had deliberately allowed their personal data to be processed, creating artificial circumstances and then ie consciously provoking a violation.
• The notion of “processing” in the context of the transfer of a dataset: The Litigation Chamber rebutted the Defendant’s argument that the transfer is an “operation” for performing the asset purchase agreement and doesn’t constitute “processing” on its own under the GDPR and should be interpreted as part of the wider processing. The Litigation Chamber decided that the transfer constitutes (separate) “processing” under the GDPR. It noted that HORS is a separate legal entity and transferring the dataset isn’t necessary for performing the agreement.
• Contractual necessity isn’t a possibility: On the legal basis, the Litigation Chamber noted that:
  • the “legal obligation” legal basis cannot be invoked in the absence of an underlying law stipulating this legal obligation;
  • the Defendant never considered consent;
  • the performance of a contract only applies in cases where the processing activity is “objectively indispensable” (as noted by the EDPB guidelines) for the performance of a contract with the data subject, and in any case, the Defendant didn’t transfer the dataset due to an economic necessity but purely for commercial purposes.

The Litigation Chamber also noted that the asset purchase agreement isn’t an agreement between the data subject and the Defendant.

• Legitimate interests: As none of the other legal bases are available, the Litigation Chamber assessed whether legitimate interest is a valid legal basis and conducted a legitimate interest assessment (LIA). Referring to the CJEU caselaw and the EDPB guidelines, the Litigation Chamber stated that the concept of necessity needs to be interpreted in the relevant context and that transferring personal data in the context of a corporate transaction, such as transferring assets to a joint venture, can be considered necessary to safeguard the controller’s legitimate interest to operate a successful corporate transaction. Unlike the Inspection Service, the Litigation Chamber confirmed that the balancing test under the LIA succeeds as the Defendant referred to corporate transactions, including with a reference to possible establishment of joint ventures, in its privacy notice and the nature and extent of processing activities and formalities around them would be limitedly affected as a result of the asset deal. Interestingly, the Litigation Chamber drew a line between the generic and general references to corporate transactions in privacy notices and the information obligations that would accompany a concrete transfer (as explained below). The Litigation Chamber stressed that not all corporate transactions can rely on the “legitimate interests” legal basis for transferring personal data and analysis should be carefully conducted.
• Homework for sellers: Conduct and document your LIA: As the Defendant didn’t conduct and document an analysis before transferring personal data to HORS, the Litigation Chamber found that the Defendant violated the conditions of article 6.1(f) GDPR and also the accountability principle (article 5.2 GDPR). The Litigation Chamber referred to the new EDPB Guidelines 1/2024 on Legitimate Interests, which explicitly requires prior analysis and documentation in the context of legitimate interests.
• Transparency: While assessing compliance with transparency obligations, the Litigation Chamber recalled that article 13.2 GDPR requires controllers to “(…) provide the data subject with the following further information necessary to ensure fair and transparent processing: (…) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability”. Referring to the Working Party 29 Guidelines on Transparency, the Litigation Chamber concluded that for data subjects to be truly enabled to exercise data subject rights (such as the right to object), the identity of the buyer (new controller) should be disclosed to data subjects before the transfer of the personal data occurs. The Litigation Chamber indicated that this information should be actively provided to data subjects, with a reference to the applicable data subject rights. The Litigation Chamber ordered the Defendant to organise, within four months after the transfer, an active communication to all existing users of Jobat’s services. The communication should inform the data subjects of the identity of the new controller and refer to how data subjects can exercise their data subject rights.

 

Takeaways, tips and tricks

The decision affects the transfer of personal data in the context of asset deals. At the start of the transaction, sellers must:

• identify the relevant legal basis for transferring personal data in the context of corporate transactions, as the transfer constitutes a separate processing under the GDPR;
• perform and document an LIA if the transfer is based on legitimate interest and if an LIA isn’t yet in place;
• identify an appropriate exception ground under article 9 GDPR if special category data is transferred; and
• check whether the applicable privacy notice includes information on the transfer of personal data in the context of corporate transactions. If not, data subjects must be informed at an appropriate time.

The buyer will also need to provide data subjects with its privacy notice to ensure its complies with article 14 GDPR and is in line with the timing requirements of article 14.3 GDPR.

Finally, the Belgian DPA seems to require that sellers disclose the identity of the buyer, with information on how data subjects can enjoy their rights, before the corporate transaction occurs. This isn’t an explicit requirement from the text of the GDPR.

It’s correct that a change in identity of the controller is considered a material change that data subjects should be informed about. But in the Working Party 29 Guidelines on Transparency, it’s not indicated that it’s the previous controller who needs to inform the data subjects.

We believe there’s leeway to argue that this can be done by the buyer, or jointly by the seller and buyer. Communicating this information can also be combined with communicating the buyer’s privacy.

The full decision can be consulted here (in Dutch).