> I mean, this is really a condemnation of any data privacy practices whatsoever claimed by any company, as they may at any point in the future sell the entire company and databases with it.
Yes! That's why you should be very very careful who you give your data because you are exactly one acquisition away from the same effect as a breach. Fortunately the GDPR affords some protection here, if the data was collected for one purpose it can not suddenly be used for another.
As for never selling the company: there is one other option: you could give users the option to destroy their data just prior to the transfer. Of course no acquirer would be interested but that is another way of dealing with it.
I put in our privacy policy that customers will be notified if majority ownership changes, but had not considered advance notification of the ownership change.
Such a clause might work as long as it's part of the sale contract to adjust the sale price if any customers take that option.
I split my comment into two parts, since this one is more my personal opinion, and I don't want it to colour an otherwise straightforward request for sources.
From noyb's fight against Facebook (https://noyb.eu/en/open-letter), to me it is very clear that Facebook does not intend to comply with GDPR. They are actively trying to find loopholes, and according to noyd, also working with the Irish DPO to find and exploit loopholes. It is also worth noting that the total fines Google has faced from GDPR enforcement come to just under EUR 58 Mn (http://newsbreaks.infotoday.com/NewsBreaks/GDPR-2020-Where-C...). 58 Mn is chump change compared to Google's total revenue, and unless the threat of the full 4% turnover fine becomes credible, I doubt it will lead to any better action.
Wait, wait, wait a minute. In the same comment, you are claiming that Facebook is GDPR compliant, and that Facebook was fined for violating the GDPR. It sure seems like there is a major contradiction between those two.
Errm. No. In the same comment I am claiming that Facebook has already received a warning fine and that thus they stand to lose a lot if they are found to be in violation. I am not saying they are GDPR compliant because I can not know that with 100% certainty, but I'm sure they are doing what they can to not cross that line knowingly.
Facebook, Google, Apple & Microsoft are arguably the companies that stand the most to lose from GDPR enforcement, you can bet that they are well aware of this.
They're trying to stay fine free while also violating the spirit of GDPR as much as possible, since their business hinges on irresponsible and invasive data gathering.
Facebook is not GDPR compliant at all. The only reason they appear to be is that there is no enforcement of this regulation so nobody is actually looking at what they're doing.
There's no mention of any enforcement against Facebook on that website, except for one by the German DPC of EUR 51,000 for failing to notify them about their DPO.
Yes! That's why you should be very very careful who you give your data because you are exactly one acquisition away from the same effect as a breach. Fortunately the GDPR affords some protection here, if the data was collected for one purpose it can not suddenly be used for another.
As for never selling the company: there is one other option: you could give users the option to destroy their data just prior to the transfer. Of course no acquirer would be interested but that is another way of dealing with it.