(1) The conditions in this paragraph shall apply if the personal data is collected under paragraph 1(p).
(2) If the organisation is a prospective party to a business asset transaction —
(a) the personal data collected must be necessary for the organisation to determine whether to proceed with the business asset transaction; and
(b) the organisation and the other organisation must have entered into an agreement that requires the prospective party to use or disclose the personal data solely for purposes related to the business asset transaction.
(3) If an organisation enters into the business asset transaction with another organisation —
(a) the organisation shall only use or disclose the personal data collected for the same purposes for which the other organisation would have been permitted to use or disclose the data;
(b) if any of the personal data collected does not relate directly to the part of the other organisation or its business assets with which the business asset transaction entered into is concerned, the organisation shall destroy, or return to the other organisation, any such personal data; and
(c) the employees, customers, directors, officers and shareholders whose personal data is disclosed shall be notified that —
(i) the business asset transaction has taken place; and
(ii) the personal data about them has been disclosed to the organisation.
(4) If a business asset transaction does not proceed or is not completed, the organisation shall destroy, or return to the other organisation, all the personal data collected.
(5) In this paragraph and paragraph 1(p), “business asset transaction” has the same meaning as in paragraph 3(4) of the Fourth Schedule.