M&A and GDPR – What To Watch Out For? (Strelia)

Authors: Gisèle Rosselle and Marie Keup (Strelia)

Date of publication: May 2018

Unless you have been living in a cave for the past months, you have probably heard about the GDPR, the new EU General Data Protection Regulation, which enters into force on 25 May 2018. The GDPR aims to strengthen and set out in detail the rights of data subjects and the obligations of those who process personal data. The adoption of the GDPR has forced all businesses in the EU to review the way they handle personal data. Data processing in the context of M&A transactions is certainly no exception.

Most of the principles outlined below already applied under the “old EU Data Protection Directive” (95/46/EC). An important change brought by the GDPR is that the data controller must not only comply with these principles but also be able to demonstrate its compliance.

M&A Transactions and Personal Data

M&A transactions are almost always preceded by a due diligence investigation in which relevant information on the target is disclosed to the potential buyers so that they can assess the target and decide whether to acquire it. This process is likely to involve the disclosure of personal data, including personal data about employees, customers, and/or the suppliers of the target.

Disclosure of Data during Due Diligence

Disclosure of personal data constitutes data processing within the meaning of data protection regulations and, as a result, will be lawful only if it is justified by one of the legal grounds listed in the GDPR. Two legal grounds may be relevant for personal data processing in the context of M&A transactions: (i) the consent of the data subject, which will be impossible to obtain in most cases, and (ii) the processing being necessary for the purposes of the legitimate interests pursued by the controller (i.e. the seller) or by a third party (i.e. the potential buyer), except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require personal data protection. To be able to base the processing on legitimate interests, the seller will have to pay special attention to the personal data that it will disclose in such context. Personal data should be redacted or anonymized as much as possible, and the seller should only disclose those personal data that are particularly important and relevant for the potential buyer.

In addition, the disclosure of personal data must be done fairly and transparently. This implies that the data subject must be properly informed about the disclosure and processing.

Finally, the seller must take all necessary technical and organizational measures to ensure that the personal data are disclosed securely.

Data Protection-related Representations & Warranties

When conducting a due diligence investigation on a target, it is very important that special attention be given to data protection issues. The target’s failure to comply with data protection regulations can create a high risk for the buyer.

First, if the target fails to comply with the GDPR, it can be fined up to €10 million or 2% of its annual global turnover from the previous year, whichever is higher, or up to €20 million or 4% of its annual turnover from the previous year, whichever is higher, depending on the GDPR obligation violated.

Second, and more importantly, if the target’s main activity relies on personal data processing, non-compliance with data protection regulations can put its entire business model at risk, especially if the data processing relies on the data subject’s consent and if such consent has not been properly obtained.
