8.9.2016

How to Take Data Protection into Account in M&A Transactions – 6 Tips

Related services

Almost every company processes personal data since customer and employee related data usually also contains personal data. The new European General Data Protection Regulation will be accompanied by amendments to the rules and penalties for non-compliance may run into tens of millions of euros. Therefore, it is critical to immediately begin paying special attention to personal data processing in the context of M&A transactions.

As regards transactions, careful consideration must be given to when, and on what basis, the disclosure of personal data is permitted. From the buyer’s point of view, it is necessary to become thoroughly well-informed concerning the target of the transaction, whereas the seller may only disclose personal data as permitted by law. 

We have put together six tips that will help you take data protection into account at each stage of a transaction.

1)     Agree on Data Protection in the Non-Disclosure Agreement

Parties to a transaction often enter into a non-disclosure agreement (NDA) which governs the way in which confidential information about the target may be processed during the transaction. It is worth agreeing already in the NDA how necessary information about the target may be disclosed to the buyer without unlawfully disclosing personal data. Taking data protection into account by agreement at an early stage of the transaction may make it easier for the parties to prove that they have acted within the limits of the law.

2)    Note the Restrictions Concerning Disclosure of Personal Data

As a rule in personal data processing, the controller, who is the person or body  responsible for personal data processing, shall not disclose personal data to any third party. According to this rule, the seller shall not disclose personal data to the buyer in the context of a transaction before executing the transaction.

The personal data of the employees or customers of the target company shall only be disclosed to the buyer with the consent of those persons, or in cases in which those persons are deemed to be aware of the disclosure. As transactions are often highly confidential, asking for such consent or informing such persons of such disclosure is usually out of the question. However, an exception to this is the situation in which the know-how of key persons of the company is being sold, and such key persons are aware of the transaction. Additionally, data which is publicly available, such as the personal data of the company’s management, may be disclosed.

3)    Consider Alternatives to the Disclosure of Personal Data

The seller may refrain from unlawfully disclosing  data to the buyer by anonymising personal data by, for example, concealing personal data in documents or by delivering model agreements instead of actual employment and customer agreements to the buyer. Summaries, statistics and profiles of different kinds are also permitted provided that no individual person can be identified from the contents thereof.

When considering whether to disclose data, the necessity requirement should be borne in mind: only data necessary for executing the transaction may be disclosed and, as a rule, not until the execution of the transaction. The buyer rarely needs individual information for the purposes of determining value or for identifying risks, and in most cases there is usually an alternative available.

4)    Take Care of Data Protection Comprehensively

While disclosing data of the target to the buyer as a part of the due diligence review, the seller must also ensure security of that data in relation to other parties to the transaction. For example, if the seller uses virtual data room services, it is also recommended to agree with the service provider on the non-disclosure, security, and return of the data.

It is important that confidential data be returned and is not left behind after execution of the transaction. Accordingly, do not send privileged information relative to the transaction, or material containing personal data, by email.

5)    Manage Data Protection Related Risks in the Sale and Purchase Agreement

The manner in which the target company has processed personal data and documented its stages of processing is valuable information for the buyer. Due diligence enables the buyer to detect possible data security threats or inadequacies in the target’s data processing. Based on its findings, the buyer can prepare for any possible subsequent penalties by agreeing with the seller on the handling of such liabilities.

Appropriate processing of personal data also pays off from the seller’s point of view as it may increase the value of the target sold. This is emphasised in industries like healthcare and wellbeing, and digital services destined for consumers, in which personal data is extensively processed.

6)    Remember Obligations Following the Execution of the Transaction

When the transaction is executed, the disclosure of personal data, such as employees’ data, to the buyer is finally authorised. In a business purchase transaction, the buyer becomes the party responsible for that personal data and the seller is no longer authorised to process employee or customer related data. The buyer must take care to ensure lawful processing of the personal data and must update the file descriptions, among other measures.

However, in some cases the seller may continue to have access to the personal data which is in the buyer’s possession after the execution. This may be the case, for example, if the seller provides services relating to payroll or personnel administration to the target company. Such services are often provided during the transitional period after execution until the buyer itself is able or has the time to organise such services. In cases like this, the buyer or the target company shall agree in writing on responsibilities relating to the processing of personal data for the period during which the seller shall act as the controller of personal data on behalf of the buyer or the target company.

Timeline of an M&A Transaction from the Point of View of Data Protection

Timeline of an M&A Transaction from the Point of View of Data Protection

Latest references

We advised WithSecure Oyj in the sale of its open source data collection product and business to Patria Oyj. The divested business combining software and services falls outside WithSecure’s current strategy. Through the sale, WithSecure sharpens its focus on the Elements portfolio. WithSecure is a global cyber security company (listed on NASDAQ OMX Helsinki) with more than 35 years of industry experience. WithSecure offers partners flexible commercial models, ensuring mutual success across the dynamic cyber security landscape. Patria is an international company in the defence and security industry offering defence, security and aviation life cycle support services and technology solutions. As a result of the transaction, Patria will open a new office in Oulu and 10 WithSecure experts currently working in the business area will join Patria. 
Case published 30.9.2024
We are acting as the lead counsel to Fortum in a cross-border transaction in which Fortum is selling its recycling and waste business. The business is sold to thematic impact investing firm Summa Equity through its portfolio company NG Group. The debt-free purchase price is approximately EUR 800 million. The transaction is subject to authority approval and customary closing conditions. Fortum’s recycling and waste business to be sold comprises municipal and industrial waste management and end-to-end plastics, metals, ash, slag and hazardous waste treatment and recycling services. These businesses are located in Finland, Sweden, Denmark and Norway and currently employ approximately 900 employees.
Case published 18.7.2024
We advised Andritz Oy, a part of ANDRITZ group, with their acquisition of all the shares in Procemex Oy. The acquisition further strengthens ANDRITZ’s automation and digitalisation portfolio. Procemex is a global leader in integrated web monitoring and web inspection solutions for the pulp and paper industry. It has a team of more than 100 vision systems experts and has subsidiaries in Germany, Japan and the US. ANDRITZ offers a broad portfolio of innovative plants, equipment, systems, services and digital solutions for a wide range of industries and end markets. ANDRITZ is a global market leader in all four of its business areas – Pulp & Paper, Metals, Hydropower and Environment & Energy. The publicly listed group has around 30,000 employees and over 280 locations in more than 80 countries.
Case published 18.7.2024
We advised Exsitec Holding AB in a transaction whereby it acquired all the shares in M-flow Finland Oy. M-flow Finland Oy is a Finnish company engaged in reselling Medius B2B standard S2P software-as-a-service solutions in Finland. Exsitec Holding AB is a Swedish company part of the Nordic Exsitec group, which has over 20 offices in the Nordics. Exsitec delivers digital solutions to improve its customers’ businesses.
Case published 4.7.2024