In a recent decision, the Higher Regional Court of Düsseldorf held that data controllers may claim immediate surrender of customer data in the insolvency of marketing agencies and IT service providers in Germany under section 47 of the German Insolvency Statute (decision of 27 September 2012, file number: I-6 241/11; view a German text version of this decision). Final decision is expected to be taken in the course of 2014 by the Federal Supreme Court, which is appointed to decide on the insolvency administrator’s appeal.
The asset of customer data – clash of interests
Many companies use customer data to reach out to those customers using online marketing tools. It is essentially a necessity for a company to use large-scale customer databases for advertising its products or services. Often, such data is stored and processed by IT service providing companies or marketing agencies that develop marketing strategies or provide marketing tools for data controllers.
If these agencies or providers become insolvent, there is a clash between two antagonistic interests: the interest of the insolvency administrator to liquidate the financial value of the customer data for augmenting the insolvency estate, and the interests of the principal to receive the customer data for subsequent marketing measures.
This clash of interests became visible in a recent dispute between a sales company and an insolvency administrator at the courts in Düsseldorf (Germany), when the insolvency administrator of a marketing agency refused surrender of customer data that had been collected and processed for the purposes of a sales company.
The principle of separation
With its decision, the Higher Regional Court of Düsseldorf took a stand on how the asset of customer data must be treated in insolvency proceedings.
According to the German Insolvency Statute, creditors may either (i) claim surrender of an object that is in the possession of the bankrupt debtor, if they can rely on a right in rem, or (ii) seek for separate satisfaction in respect of their claims, or (iii) – even less privileged – register their claims for final distribution of the insolvency estate on a pro rata basis only.
In the case at issue, the insolvency administrator argued that the marketing agency itself had received a right in rem by obtaining the customer data from carrying out the data collecting services (with the consequence that no right to separation would apply) and approved a claim of the sales company for separate satisfaction only.
Data controller may claim surrender of customer data
In contrast, the Higher Regional Court of Düsseldorf ruled that the principal who ordered data collecting and processing services for an electronic newsletter had obtained a right in rem and could request surrender of data based on a right to separation according to section 47 of the Germany Insolvency Statute.
The Court considered that
the data was collected via online form stored on the website of the principal who was named in the imprint of the homepage as legally responsible for the internet content;
the legal purpose for the collection, usage, and processing of personal data was defined by the data principal;
the customer data was forwarded to the marketing agency for performance of data collection and processing and distribution of the electronic newsletter, once the internet user had pushed the “submit” button to order the electronic newsletter.
Against this factual background, the Court classified the principal as a “data controller” and held that the marketing agency had received the customer data from the principal to perform the marketing services ordered.
What can companies learn from this decision?
Companies that are interested in using online marketing tools by outsourcing data collection and processing services in Germany should make arrangements to be classified as data controller to benefit from the recent decision of the Higher Regional Court of Düsseldorf. Collection of data should happen on their own website instead of a linked webpage provided by the marketing agency. Moreover, they should ensure that the legal notice in the imprint of the website is clear and consistent and that internet users encouraged to submit personal data understand that the company is the entity responsible for all issues related to the collection, storage, use, and processing of personal data.