The guidance is
intended for use only when a database is sold because a business is
insolvent, closing down or being sold. In these circumstances the
Data Protection Act does not prevent the sale of a database
containing the details of individual customers, providing certain
requirements are met.
The requirements:
- The seller must make it clear that the buyer can only use the
data for the purposes for which it was originally collected. The
database should therefore only be sold to a business that will make
the same or similar use of it.
- The buyer must obtain the consent of the individuals referred
to on the database if it wishes to use the data for a new
purpose.
- The buyer should tell the individuals referred to on the
database about the change of ownership.
- The buyer can only use the database for unsolicited marketing
if the individuals referred to in it have agreed to receive such
marketing, or receipt of such marketing is “likely to be within
their reasonable expectations”.
- Where this is the case the buyer can only market products and
services similar to those that have been advertised through the
database before.
- The buyer must delete any unnecessary personal information held
on the database.
“It is important that businesses buying or selling customer
databases are aware of their data protection obligations,” said
Dave Evans, Senior Guidance and Promotion Manager with the ICO.
“This good practice note will help businesses understand what they
need to do to ensure that personal information on the databases is
sufficiently protected.”
