Buying a Business and all its (highly sensitive) Data - How to navigate GDPR?

searcher profile

August 10, 2025

by a searcher from IMD in Hamburg, Germany

Does anyone have experience in negotiating the purchase of sensitive customer data w.r.t. GDPR? The business operates in Germany, and has physical retail and ecommerce. I am currently looking at a deal that includes the transfer of the website and email accounts to me. Of course, I would like access to the full history of the email accounts, including all past communications with clients and suppliers. The seller wants to sell me a blank email accounts, because he has GDPR-concerns —> selling people’s personal data (in this case names, addresses and data from which sexual preferences can be inferred) without their explicit consent is against GDPR. To me, the customer data is not as important as the communication with suppliers (which includes all history on pricing, incoterms, and negotiations). Separating the data would be a Herculean task.
0
2
102
Replies
2
commentor profile
Reply by a professional
from University of Colorado at Denver in Denver, CO, USA
Nantwin: I do privacy law compliance (GDPR, CCPA, HIPAA) in addition to M&A. Ideally you'd localize processing of personal data via AWS or Azure, but if that's not possible you have a couple options. First step is to see what the legal basis of all those email interactions would be- if it's to fulfill an ongoing transaction (as likely would be the case for the B2B customers), minimal GDPR concerns there. Lots more to GDPR compliance, but you'd want to do a legal basis review, consent being just one of several reasons you could retain and use emails. Feel free to email me if you want to talk- redacted
commentor profile
Reply by a professional
from Rheinische Friedrich in Charlotte, North Carolina, United States
I know quite a bit about GDPR, feel free to reach out.
Join the discussion