May a business transfer my customer data on company takeover?

Business takeover data transfer is governed by GDPR + Dutch Civil Code (Book 2 demerger/merger + transfer of undertaking). Three main rules: (1) Duty to inform (Art. 13 + 14): business must notify in advance that transfer takes place — who the new controller is, DPO contact of new organisation, your rights. (2) Purpose limitation preserved (Art. 5(1)(b)): new owner may only use your data for the same purpose as the previous. On broadening of purpose — e.g. new owner wants to use for entirely different market — separate consent required. (3) Right to object: on transfer you have additional right (Art. 21) to object — often forgotten in merger announcements. When is new consent required? Material change — not just "new owner" but also: different purpose, different recipient, international transfer changes, retention changes. Common mistakes: "we've taken over your data, you don't need to do anything" — often unlawful without transparency + objection option. Example AP decision 2023: webshop takeover without customer notification + without unsubscribe option for the marketing part = €75k fine. Your rights: on takeover access request to new owner — what exactly did they take over, what purpose, which partners. Erasure request on changed purpose.