The Transfer of Patient Data in the Sale of a Business Under GDPR

26 Feb 2024

In the intricate process of selling a business, the transfer of patient data between legal entities raises significant concerns under the General Data Protection Regulation (GDPR). The sale can be structured as either a share purchase or an asset and goodwill purchase, each with distinct implications for the transfer of personal data.

Share Purchase: A Seamless Continuation

In a share purchase, the legal entity owning the business does not change; only the ownership of the shares in the entity is transferred. This means there is no direct transfer of patient data between entities, as the legal entity that holds the data remains the same. Consequently, from a GDPR perspective, the continuity of the data controller remains unaltered, thus sidestepping the complexities of data transfer rules under GDPR.

Asset and Goodwill Purchase: A Change in Data Ownership

Contrastingly, an asset and goodwill purchase involves the sale of individual assets of the business, including potentially the data held by the business. In this scenario, there is a transfer of patient data to another legal entity, which constitutes a change in the data controller. This transfer raises significant GDPR considerations, as it involves the sharing of personal data between distinct legal entities, necessitating strict adherence to GDPR transfer rules.

Legitimate Interest Assessment

The concept of legitimate interest under GDPR can, in certain circumstances, provide a lawful basis for the transfer of specific patient data as part of a business sale. A Legitimate Interest Assessment (LIA) is required to determine whether the interests of the data receiver in acquiring the data are sufficiently compelling to override the privacy rights of the individuals whose data is being transferred. This assessment must consider the necessity of the transfer for the sale and the impact on individuals’ rights and interests.

For further guidance on conducting a Legitimate Interest Assessment, the Information Commissioner’s Office (ICO) provides a detailed resource, which can be accessed here.

Example: Sole Practitioner Physiotherapist Selling to Another Practitioner

Consider a sole practitioner physiotherapist planning to sell their practice to another practitioner. This transaction involves transferring patient records to the buying practitioner. The process starts with identifying the legitimate interest (continuation of care), followed by conducting a necessity test (whether the transfer is necessary for providing care), and finally, a balancing test to ensure that the patients’ rights do not override the legitimate interests identified. Informing patients about the transfer and offering an opt-out is also a critical step in this process.

For the transfer of patient data in an asset sale, the GDPR mandates that individuals are informed about the transfer and their rights concerning their data. This includes the right to object to the transfer and the provision of clear guidance on how their data will be used by the new entity.

Professional Guidance Is Key

The transfer of patient data during the sale of a business as a going concern under GDPR is a complex legal issue that hinges on the structure of the sale and the results of a thorough LIA. Whether through a share purchase or an asset and goodwill purchase, the overriding priority is the protection of individuals’ data rights and compliance with GDPR.

Given the complexity of these issues, it is imperative for parties involved in such transactions to seek professional legal advice. This will ensure that the transfer of patient data is conducted in compliance with GDPR and that the legitimate interests of all parties, including the protection of individual privacy rights, are duly considered and safeguarded.

Disclaimer: This article provides an overview of the considerations involved in the transfer of patient data during the sale of a business under GDPR. It is not legal advice. Individuals and businesses should consult with a legal professional to understand the specific implications of any business transaction they are considering.

Helping facilitate major change for healthcare businesses

© Verilo. All Rights Reserved. Powered by FL1 Digital