Date of publication: May 2018
Unless you have been living in a cave for the past months, you have probably heard about the GDPR—the new EU General Data Protection Regulation—which enters into force on 25 May 2018. The GDPR aims to strengthen and set out in detail the rights of data subjects and the obligations of those who process personal data. The adoption of the GDPR has forced all businesses in the EU to review the way they handle personal data, and data processing in the context of M&A transactions is certainly no exception.
Most of the principles outlined below already applied under the “old EU Data Protection Directive” (95/46/EC). An important change brought by the GDPR is that the data controller must not only comply with these principles but also be able to demonstrate its compliance.
M&A Transactions and Personal Data
M&A transactions are almost always preceded by a due diligence investigation in which relevant information on the target is disclosed to the potential buyers so that they can assess the target and decide whether to acquire it. This process is likely to involve the disclosure of personal data, including personal data about the employees, customers and/or suppliers of the target.
Disclosure of Data during Due Diligence
Disclosure of personal data constitutes data processing within the meaning of data protection regulations and, as a result, will be lawful only if it is justified by one of the legal grounds listed in the GDPR. Two legal grounds may be relevant for personal data processing in the context of M&A transactions: (i) the consent of the data subject, which will be impossible to obtain in most cases, and (ii) the processing being necessary for the purposes of the legitimate interests pursued by the controller (i.e. the seller) or by a third party (i.e. the potential buyer), except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require personal data protection. To be able to base the processing on legitimate interests, the seller will have to pay special attention to the personal data that it discloses in this context. Personal data should be redacted or anonymized as much as possible, and the seller should only disclose those personal data that are particularly important and relevant for the potential buyer.
In addition, the disclosure of personal data must be done fairly and transparently. This implies that the data subject must be properly informed about the disclosure and processing.
Finally, the seller must take all necessary technical and organizational measures to ensure that the personal data are disclosed securely.
Data Protection-related Representations & Warranties
When conducting a due diligence investigation on a target, it is very important that special attention be given to data protection issues. The target’s failure to comply with data protection regulations can create a high risk for the buyer.
First, if the target fails to comply with the GDPR, it can be fined up to €10 million or 2% of its annual global turnover from the previous year, whichever is higher, or up to €20 million or 4% of its annual turnover from the previous year, whichever is higher, depending on the GDPR obligation violated.
Second, and more importantly, if the target’s main activity relies on personal data processing, non-compliance with data protection regulations can put its entire business model at risk, especially if the data processing relies on the data subject’s consent and such consent has not been properly obtained.