Data protection issues arising when deploying commercial agents

The outsourcing of sales and customer support to external service providers is not a new occurrence in an economy which increasingly splits tasks, but it is usually associated with several advantages which in times of growing markets and quicker product cycles become more and more important. The external sales structures created as a result differ in their details. However, they are usually based either on commercial agents within the meaning of Sections 84 ff. of the German Commercial Code (Handelsgesetzbuch – HGB), authorized dealers or mixed forms, or “derivatives”, such as franchisees.

The essential difference between the two basic structures most often used, authorized dealers and commercial agents, and the difference which is decisive in an assessment in terms of data protection, is that the authorized dealer enters into contracts with end customers in its own name and for its account, i.e. recognizably collects any personal data of its customers for itself whereas the commercial agent is an independent businessman and as such permanently entrusted with negotiating (Vermittlungsvertreter) or concluding business transactions (Abschlussvertreter) in the name of the company and therefore recognizably acts on behalf of a third party.

Procedures of relevance in terms of data protection when deploying commercial agents

Deploying a commercial agent necessarily entails the commercial agent’s handling of personal data of end customers as well as the (partial) disclosure of such data to the company. If the tasks of the commercial agent as stipulated in the contract with the company encompass the support of end customers even beyond the conclusion of the contract, the commercial agent will for this often have to use the personal data of end customers again which the company typically makes available by granting the agent access to the company’s systems and which originate from the processing of the initiated business transaction. This often raises the question of whether such use of the data is admissible under data protection law since according to the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) any use of personal data is inadmissible unless it is allowed or prescribed by law, or the data subject has granted his or her consent (“prohibition with reservation of permission”). The restriction resulting from the prohibition with reservation of permission is of particular importance due to the fact that – save for the constellation of commissioned data processing – the Federal Data Protection Act contains no specific provisions for concentrations of legally independent players to one economic unit within which personal data can be exchanged without observing the prohibition with reservation of permission.

Data protection issues arising with a commercial agent negotiating or concluding business transactions

The assessment of whether the collection, processing and use of personal data by the commercial agent is admissible is made on the basis of Sec. 4(1) of the German Federal Data Protection Act, except where special data protection provisions apply. According to Sec. 4(1) of the German Federal Data Protection Act, collecting, processing and using personal data is admissible if it is permitted or prescribed by the German Federal Data Protection Act or any other provision of law or if the data subject (end customer) has consented. When negotiating or concluding a business transaction for the company, the commercial agent first collects personal data, a procedure requiring permission, since the commercial agent normally requires the end customer’s personal data to negotiate or conclude the business transaction. If the commercial agent is to be deemed a third party in relation to the company, the disclosure of such personal data to the company also constitutes a transmission requiring permission.

Deploying a commercial agent as a data processor within the meaning of Sec. 11(1) of the German Federal Data Protection Act for the company is possible only according to the controversial contract theory and only if the contract with the company sets out the scope and purpose of the commercial agent’s collection, processing and use of personal customer data and the kind thereof and a deviation from the instructions of the principal is widely restricted. Independent permission therefore has to exist so that the commercial agent can lawfully collect, process, and transmit to the company, customer data. Apart from cases involving the collection, processing and use of special kinds of personal data and constellations regulated by special laws, the permission granted under Sec. 28(1) sentence 1 No. 2 of the German Federal Data Protection Act can usually be invoked for the collection, processing and use of personal data by the commercial agent as part of his or her negotiation or conclusion of the business transaction for the company.

Customer support by the commercial agent

The term “customer support” provided by the commercial agent after a negotiation or conclusion of a business transaction can mean many different activities, including answering incoming customer inquiries concerning the on-going contractual relationship between the end customer and the company, the commercial agent’s contacting the end customer with the aim of offering other products or services of the company or concluding a contract in this respect for the company, etc. If the commercial agent, to perform such customer support services, is to have access to the end customers’ personal data at the company, the question arises again whether granting such access to such data, and processing and use of such data by the commercial agent for the customer support activities described above is admissible.

Notification of previous commercial agent’s leaving the company’s sales organization and a new commercial agent’s joining

If the previous commercial agent leaves the company’s sales organization and is replaced by a new commercial agent joining the company’s sales organization, the company will be interested in informing its customers about such change. This is often to be communicated through the new commercial agent, which means that the commercial agent needs to have access to existing customer data at the company. Granting a commercial agent such access to customer data existing at the company again means a transmission of such data to the new commercial agent which requires permission, where the commercial agent does not serve as a data processor for the company in this context. The assessment under data protection law differs depending on whether the commercial agent is also to be given access to the personal data for the purposes of the later “customer support”, or whether the commercial agent is only granted access to the data for the purpose of notifying customers.

Our IT partner Tobias Kugler has dealt in more detail with the questions arising when deploying commercial agents in an article published in ZVertriebsR 2015, p. 219. If you are interested in reading Tobias Kugler’s complete article as published in ZVertriebsR 2015, p. 219, please send us a brief email or call us, and we will be happy to send you the article. We are also available for specific questions concerning this topic or any other topic relating to data protection or distribution law.