Almost every company processes personal data since customer and employee related data usually also contains personal data. The new European General Data Protection Regulation will be accompanied by amendments to the rules and penalties for non-compliance may run into tens of millions of euros. Therefore, it is critical to immediately begin paying special attention to personal data processing in the context of M&A transactions.
How to Take Data Protection into Account in M&A Transactions – 6 Tips
Annamari Friskopf
Related services
As regards transactions, careful consideration must be given to when, and on what basis, the disclosure of personal data is permitted. From the buyer’s point of view, it is necessary to become thoroughly well-informed concerning the target of the transaction, whereas the seller may only disclose personal data as permitted by law.
We have put together six tips that will help you take data protection into account at each stage of a transaction.
1) Agree on Data Protection in the Non-Disclosure Agreement
Parties to a transaction often enter into a non-disclosure agreement (NDA) which governs the way in which confidential information about the target may be processed during the transaction. It is worth agreeing already in the NDA how necessary information about the target may be disclosed to the buyer without unlawfully disclosing personal data. Taking data protection into account by agreement at an early stage of the transaction may make it easier for the parties to prove that they have acted within the limits of the law.
2) Note the Restrictions Concerning Disclosure of Personal Data
As a rule in personal data processing, the controller, who is the person or body responsible for personal data processing, shall not disclose personal data to any third party. According to this rule, the seller shall not disclose personal data to the buyer in the context of a transaction before executing the transaction.
The personal data of the employees or customers of the target company shall only be disclosed to the buyer with the consent of those persons, or in cases in which those persons are deemed to be aware of the disclosure. As transactions are often highly confidential, asking for such consent or informing such persons of such disclosure is usually out of the question. However, an exception to this is the situation in which the know-how of key persons of the company is being sold, and such key persons are aware of the transaction. Additionally, data which is publicly available, such as the personal data of the company’s management, may be disclosed.
3) Consider Alternatives to the Disclosure of Personal Data
The seller may refrain from unlawfully disclosing data to the buyer by anonymising personal data by, for example, concealing personal data in documents or by delivering model agreements instead of actual employment and customer agreements to the buyer. Summaries, statistics and profiles of different kinds are also permitted provided that no individual person can be identified from the contents thereof.
When considering whether to disclose data, the necessity requirement should be borne in mind: only data necessary for executing the transaction may be disclosed and, as a rule, not until the execution of the transaction. The buyer rarely needs individual information for the purposes of determining value or for identifying risks, and in most cases there is usually an alternative available.
4) Take Care of Data Protection Comprehensively
While disclosing data of the target to the buyer as a part of the due diligence review, the seller must also ensure security of that data in relation to other parties to the transaction. For example, if the seller uses virtual data room services, it is also recommended to agree with the service provider on the non-disclosure, security, and return of the data.
It is important that confidential data be returned and is not left behind after execution of the transaction. Accordingly, do not send privileged information relative to the transaction, or material containing personal data, by email.
5) Manage Data Protection Related Risks in the Sale and Purchase Agreement
The manner in which the target company has processed personal data and documented its stages of processing is valuable information for the buyer. Due diligence enables the buyer to detect possible data security threats or inadequacies in the target’s data processing. Based on its findings, the buyer can prepare for any possible subsequent penalties by agreeing with the seller on the handling of such liabilities.
Appropriate processing of personal data also pays off from the seller’s point of view as it may increase the value of the target sold. This is emphasised in industries like healthcare and wellbeing, and digital services destined for consumers, in which personal data is extensively processed.
6) Remember Obligations Following the Execution of the Transaction
When the transaction is executed, the disclosure of personal data, such as employees’ data, to the buyer is finally authorised. In a business purchase transaction, the buyer becomes the party responsible for that personal data and the seller is no longer authorised to process employee or customer related data. The buyer must take care to ensure lawful processing of the personal data and must update the file descriptions, among other measures.
However, in some cases the seller may continue to have access to the personal data which is in the buyer’s possession after the execution. This may be the case, for example, if the seller provides services relating to payroll or personnel administration to the target company. Such services are often provided during the transitional period after execution until the buyer itself is able or has the time to organise such services. In cases like this, the buyer or the target company shall agree in writing on responsibilities relating to the processing of personal data for the period during which the seller shall act as the controller of personal data on behalf of the buyer or the target company.
Timeline of an M&A Transaction from the Point of View of Data Protection