8.9.2016

How to Take Data Protection into Account in M&A Transactions – 6 Tips

Related services

Almost every company processes personal data since customer and employee related data usually also contains personal data. The new European General Data Protection Regulation will be accompanied by amendments to the rules and penalties for non-compliance may run into tens of millions of euros. Therefore, it is critical to immediately begin paying special attention to personal data processing in the context of M&A transactions.

As regards transactions, careful consideration must be given to when, and on what basis, the disclosure of personal data is permitted. From the buyer’s point of view, it is necessary to become thoroughly well-informed concerning the target of the transaction, whereas the seller may only disclose personal data as permitted by law. 

We have put together six tips that will help you take data protection into account at each stage of a transaction.

1)     Agree on Data Protection in the Non-Disclosure Agreement

Parties to a transaction often enter into a non-disclosure agreement (NDA) which governs the way in which confidential information about the target may be processed during the transaction. It is worth agreeing already in the NDA how necessary information about the target may be disclosed to the buyer without unlawfully disclosing personal data. Taking data protection into account by agreement at an early stage of the transaction may make it easier for the parties to prove that they have acted within the limits of the law.

2)    Note the Restrictions Concerning Disclosure of Personal Data

As a rule in personal data processing, the controller, who is the person or body  responsible for personal data processing, shall not disclose personal data to any third party. According to this rule, the seller shall not disclose personal data to the buyer in the context of a transaction before executing the transaction.

The personal data of the employees or customers of the target company shall only be disclosed to the buyer with the consent of those persons, or in cases in which those persons are deemed to be aware of the disclosure. As transactions are often highly confidential, asking for such consent or informing such persons of such disclosure is usually out of the question. However, an exception to this is the situation in which the know-how of key persons of the company is being sold, and such key persons are aware of the transaction. Additionally, data which is publicly available, such as the personal data of the company’s management, may be disclosed.

3)    Consider Alternatives to the Disclosure of Personal Data

The seller may refrain from unlawfully disclosing  data to the buyer by anonymising personal data by, for example, concealing personal data in documents or by delivering model agreements instead of actual employment and customer agreements to the buyer. Summaries, statistics and profiles of different kinds are also permitted provided that no individual person can be identified from the contents thereof.

When considering whether to disclose data, the necessity requirement should be borne in mind: only data necessary for executing the transaction may be disclosed and, as a rule, not until the execution of the transaction. The buyer rarely needs individual information for the purposes of determining value or for identifying risks, and in most cases there is usually an alternative available.

4)    Take Care of Data Protection Comprehensively

While disclosing data of the target to the buyer as a part of the due diligence review, the seller must also ensure security of that data in relation to other parties to the transaction. For example, if the seller uses virtual data room services, it is also recommended to agree with the service provider on the non-disclosure, security, and return of the data.

It is important that confidential data be returned and is not left behind after execution of the transaction. Accordingly, do not send privileged information relative to the transaction, or material containing personal data, by email.

5)    Manage Data Protection Related Risks in the Sale and Purchase Agreement

The manner in which the target company has processed personal data and documented its stages of processing is valuable information for the buyer. Due diligence enables the buyer to detect possible data security threats or inadequacies in the target’s data processing. Based on its findings, the buyer can prepare for any possible subsequent penalties by agreeing with the seller on the handling of such liabilities.

Appropriate processing of personal data also pays off from the seller’s point of view as it may increase the value of the target sold. This is emphasised in industries like healthcare and wellbeing, and digital services destined for consumers, in which personal data is extensively processed.

6)    Remember Obligations Following the Execution of the Transaction

When the transaction is executed, the disclosure of personal data, such as employees’ data, to the buyer is finally authorised. In a business purchase transaction, the buyer becomes the party responsible for that personal data and the seller is no longer authorised to process employee or customer related data. The buyer must take care to ensure lawful processing of the personal data and must update the file descriptions, among other measures.

However, in some cases the seller may continue to have access to the personal data which is in the buyer’s possession after the execution. This may be the case, for example, if the seller provides services relating to payroll or personnel administration to the target company. Such services are often provided during the transitional period after execution until the buyer itself is able or has the time to organise such services. In cases like this, the buyer or the target company shall agree in writing on responsibilities relating to the processing of personal data for the period during which the seller shall act as the controller of personal data on behalf of the buyer or the target company.

Timeline of an M&A Transaction from the Point of View of Data Protection

Timeline of an M&A Transaction from the Point of View of Data Protection

Latest references

We are advising Oomi Oy in a business transaction whereby KSS Energia Oy’s consumer and business customers in the retail sale of electricity will be transferred to Oomi. The transfer is scheduled to take place in March 2025. The arrangement requires approval from the Finnish Competition and Consumer Authority. Oomi Oy is one of the largest energy service companies and electricity sellers in Finland. The arrangement is a result of the recent development of the electricity market and Oomi’s strategy, which aims to offer customers a seamless and improved digital customer experience.
Case published 20.12.2024
We are acting as a counsel to Fortum in a transaction in which Fortum is strengthening its renewable power project pipeline through the acquisition of a project development portfolio from Enersense. The debt-and-cash free purchase price is approximately EUR 9 million, with the potential for project-specific earn-outs subject to projects successfully reaching a final investment decision in the future. The transaction is subject to customary closing conditions and is expected to be completed during the first quarter of 2025. Fortum is a leading Nordic energy company with the purpose to power a world where people, businesses and nature thrive together. Fortum’s core operations comprise of efficient, CO2-free power generation as well as reliable supply of electricity and district heat to private and business customers. The company is listed on Nasdaq Helsinki. One of Fortum’s strategic targets is to develop at least 800 MW of ready-to-build onshore wind and solar projects by the end of 2026.
Case published 19.12.2024
We are acting as Finnish advisor to Hanza AB relating to its acquisition of all the shares in Leden Group Oy. Hanza AB is a Swedish mechanical engineering and electronics contract manufacturing company listed on the Stockholm Stock Exchange. Founded in 2008, the company has six manufacturing clusters in Sweden, Finland, Germany, Baltics, Central Europe and China and an annual turnover of approximately SEK 4.6 billion. Leden Group is a leading Finnish contract manufacturer specialising in sheet metal, machining and complex assembly. Leden Group has four production sites in Finland and one in Estonia and an annual turnover of approximately SEK 1.1 billion.  The closing of the transaction remains subject to authority approval and customary conditions.
Case published 13.12.2024
We assisted Pharmaca Health Intelligence in its acquisition of Mediaattori Ltd’s PODIUM Connect® and PODIUM Visits businesses. Through the acquisition, Pharmaca Health Intelligence strengthens its extensive service offerings in medical information, data-driven management, and education for both healthcare and pharmaceutical companies. Pharmaca Health Intelligence is a pioneer in digital medical information and a reliable partner for wellbeing services counties, the private healthcare sector and pharmacies. The company invests in the development of technology and service solutions related to pharmaceutical information, also on an international scale.
Case published 5.12.2024