Transfer of user database (mobile app)

lastusername

Hi folks,

Let's say you purchase a mobile app from a company based in Canada, and you are based in Ireland. The user database (i.e. the list of of members who signed up to the app) will naturally be transferred as part of the sale.

Does anyone know if there is any action that should be taken as part of this transfer with respect to user data, notifying users that there has been a change of ownership, etc?

All feedback appreciated.

Victor

lastusername wrote: »

as part of the sale.

Part of what sale? Is the company being sold? The app?

lastusername

Victor wrote: »

Part of what sale? Is the company being sold? The app?

The app is being sold to us - a company based in Ireland - by a company based in Canada.

jjpep

what information is stored about the users? Names? Email address's etc

lastusername

jjpep wrote: »

what information is stored about the users? Names? Email address's etc

It would be the bare minimum required to operate the service really - name, email, age, profile picture. There is the option to sign up via email or Facebook, and the Facebook permissions are just email address and basic profile info.

GerardKeating

lastusername wrote: »

Hi folks,

Let's say you purchase a mobile app from a company based in Canada, and you are based in Ireland. The user database (i.e. the list of of members who signed up to the app) will naturally be transferred as part of the sale.

Does anyone know if there is any action that should be taken as part of this transfer with respect to user data, notifying users that there has been a change of ownership, etc?

All feedback appreciated.

1. What are the Terms & conditions that the users agree to when the signed up for the app?
2. What Country are they in?

Peregrinus

You need to satisfy yourself that the vendor does in fact own this app, and the associated data, and that he has the right to transfer it to you. That requires you to look both at the terms of the governing law and the specific terms and conditions that users of the app have signed up to. You'll need local advice (meaning, local to the jurisdiction in which the seller is based/by whose laws the relationship between the seller and the app users is governed. This isn't necessarily Canadian law, but let's assume that it is.)

Obviously, depending on how much you are paying for the app, the cost of doing a due diligence on these points may make the transaction uneconomic. So you might decide just to take a deep breath and pay for the app without checking out these points. Don't do this, obviously, unless the amount you are paying for/investing in the app is a sum that you are prepared to write off, if it comes to that.

OK, do you need to notify the users that you have their data? If it says so in the T&C then, yes, you do. Even if it doesn't say so in the T&C, Canadian data protection law (if it is Canadian law that matters) may required you do so anyway.

And, of course, regardless of what Canadian law and the T&Cs say, you'll need to comply on an ongoing basis with Irish/EU data protection law in relation to this data.

lastusername

GerardKeating wrote: »

1. What are the Terms & conditions that the users agree to when the signed up for the app?
2. What Country are they in?

Pretty much the standard T&Cs - it's a dating app. The vast majority are in the US and Canada, with a small number in the UK.

whippet

I know a guy who had a similar type of site .. not App years back and was in the middle of selling the site and associated member database ... once the buyer realised that he had not gotten permission to transfer the data from the time of sign up the deal vanished. That was 15 years ago ... and in today’s climate data is protected even more.

lastusername

whippet wrote: »

I know a guy who had a similar type of site .. not App years back and was in the middle of selling the site and associated member database ... once the buyer realised that he had not gotten permission to transfer the data from the time of sign up the deal vanished. That was 15 years ago ... and in today’s climate data is protected even more.

Thanks, when you say 'not gotten permission to transfer the data from the time of sign up', what do you mean exactly? Permission from the users, or from a legal perspective, etc?

whippet

lastusername wrote: »

Thanks, when you say 'not gotten permission to transfer the data from the time of sign up', what do you mean exactly? Permission from the users, or from a legal perspective, etc?

Permission from the users .. at the time of sign up the T&C’s didn’t look for permission to pass their details on to any third party which would include a buyer

lastusername

whippet wrote: »

Permission from the users .. at the time of sign up the T&C’s didn’t look for permission to pass their details on to any third party which would include a buyer

Interesting, my question would be is this something that has to be included in the T&Cs, or is it ok to do this afterwards? Cmpanies are sold and taken over all the time.

For example, I am wondering if Tinder were sold, would users have to opt in to the service again or would it just be a case of the new company sending a notification of change of ownership.

Vetch

There is some info here on sale of businesses and data protection: https://www.dataprotection.ie/docs/Transfer_of_ownership_of_Business/217.htm


This is from the current DP Acts - I don't know if the bolded bit can be used if the T&Cs don't specify transfer to a new owner?
2D. - (1) Personal data shall not be treated, for the purposes of section 2(1) (a) of this Act, as processed fairly unless -

(a) in the case of data obtained from the data subject, the data controller ensures, so far as
practicable, that the data subject has, is provided with, or has made readily available to him
or her, at least the information specified in subsection (2) of this section,

(b) in any other case, the data controller ensures, so far as practicable, that the data subject
has, is provided with, or has made readily available to him or her, at least the information
specified in subsection (3) of this section -
(i) not later than the time when the data controller first processes the data, or
(ii) if disclosure of the data to a third party is envisaged, not later than the time of such
disclosure.

Other than that, I think you need detailed advice on GDPR exposure including - depending on how the app works it might involved automated decision making and/or profiling within the meaning of GDPR. If Facebook has access to personal data is it a processor or joint controller within the meaning of GDPR? What does Facebook do with the data? Are there other processors or joint controllers? Would your company be transferring personal data outside the EEA?

Peregrinus

lastusername wrote: »

Interesting, my question would be is this something that has to be included in the T&Cs, or is it ok to do this afterwards? Cmpanies are sold and taken over all the time.

As the owner of the app, you should include a permission to transfer data in the T&Cs, so that when people sign up for the app they authorise you to transfer their data in the future, should you decide to sell or transfer the app.

If you didn't include this at the time, so that you have a lot of users who signed up to T&Cs which did not include a term granting you the right to transfer their date, you're pretty well cactus. It wouldn't be a question of notifying them that you are transferring their data; it would a question of notifying them that you want to transfer their data, and asking for their permission. It's very unlikely that they would all agree, particularly in the current climate. So, at best, what you might be able to transfer is a slimmed down customer list, consisting only of those who have consented to the transfer.

lastusername wrote: »

For example, I am wondering if Tinder were sold, would users have to opt in to the service again or would it just be a case of the new company sending a notification of change of ownership.

Depends on what's in the Tinder T&Cs.

lastusername

Peregrinus wrote: »

As the owner of the app, you should include a permission to transfer data in the T&Cs, so that when people sign up for the app they authorise you to transfer their data in the future, should you decide to sell or transfer the app.

If you didn't include this at the time, so that you have a lot of users who signed up to T&Cs which did not include a term granting you the right to transfer their date, you're pretty well cactus. It wouldn't be a question of notifying them that you are transferring their data; it would a question of notifying them that you want to transfer their data, and asking for their permission. It's very unlikely that they would all agree, particularly in the current climate. So, at best, what you might be able to transfer is a slimmed down customer list, consisting only of those who have consented to the transfer.


Depends on what's in the Tinder T&Cs.

The app has a few thousand people on it but the vast majority of them are inactive and so it is very, very unlikely that they would even see any message asking them to opt in, never mind reply to say they are happy for their data to be transferred.

So it might be best to just start from a clean slate and remove all the current users, update the terms to allow for transfer for data in the case of a future sale, and then get marketing the app. This way at least everyone who joins the app from the point of sale will be eligible to be part of any future sale.

Since the value of the app is actually in the app itself, rather than the 95%+ inactive user base, this looks like the way to go.