By now (2021), most companies are familiar with the General Data Protection Regulation (GDPR) and the (main) obligations imposed by it. Yet, we notice that companies are still facing specific issues and challenges regarding them, such as, for example, in the context of an acquisition of shares of a company.
During an acquisition process, a lot of data, including personal data, are usually exchanged between the target company, the sellers, and the potential buyer(s).
Therefore, the GDPR must not be ignored (i) during the actual acquisition process and (ii) when evaluating the target company. The most important considerations in this context are explained below.
1. General principles of the GDPR in an M&A process
A company that processes data must adhere to the principles of the GDPR.
In an M&A process, potential buyers and their advisors are granted access to personal data on the target company’s clients, employees, suppliers, etc. (e.g., during due diligence or financial audit). In this respect, the target company and the potential buyer(s) must take appropriate measures to comply with the basic principles of the GDPR and to protect the personal data adequately.
The following basic principles of the GDPR must be adhered to at all times:
1) Lawfulness, fairness, and transparency
First and foremost, every instance of personal data processing must be based on one of the legal grounds for processing, which are listed in the GDPR.
In the context of an acquisition, making available (or, generally speaking, processing) personal data under certain conditions can be authorized on grounds of the balanced legitimate interest of the target company and/or the potential buyer(s). In such scenario, the balancing test of this legitimate interest could be, for example, the financial audit with a view to selling the shares or certain assets of the target company.
For a company to be able invoke the legal ground of the balanced legitimate interest, all 3 conditions below must be fulfilled:
- the data controller or a third party to whom the data were provided is pursuing a legitimate interest;
- the data processing is necessary to achieve this legitimate interest;
- the fundamental rights of those concerned (the data subjects or the persons whose data are shared) are not overridden.
To this end, the company must conduct a balance of the interests in writing. It is recommended that this balance of interests be documented accurately in the context of the accountability obligation.
We advise the target company to at least declare in its privacy statements that it could, under certain conditions, possibly transmit personal data to other companies in the context of an acquisition process. In this way, the employees, clients, suppliers, etc. will already be informed that their personal data could possibly be transmitted in an acquisition process.
2) Purpose limitation
This basic principle aims to ensure that personal data may be processed only for specified, explicit and legitimate purposes and that they may not be processed in a manner that is incompatible with those purposes.
When applying this principle to our example (the acquisition), it comes down to the fact that the personal data may be exchanged and used only in the context of the M&A deal and for the specific purpose for which personal data are made available, which is to determine if the acquisition should go ahead or not.
3) Data minimization
Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. In other words: the target company and the potential buyer(s) must not process more personal data than they need in the context of the set purpose.
In our example here, this principle means that the target company is allowed to make personal data available only to the potential buyer(s) for their purpose of assessing the feasibility of the acquisition. Personal data that are not relevant must be shielded as much as possible from the potential buyer(s) (e.g., by pseudonymizing or anonymizing the personal data). If documents, for example, copies of contracts, are uploaded onto the data room, then the target company must check whether the names of the natural personal who are mentioned in these documents are effectively necessary for the potential buyer or buyers’ evaluation. A potential buyer must also check that only the personal data that are truly necessary are those that have been processed.
In the preparatory phase (in the run-up to the acquisition process), particular attention must therefore be given to documents that will be made available in the data room.
4) Accuracy
The target company and the potential buyer or buyers must take all reasonable measures to keep the personal data accurate and up to date at all times. Inaccurate data must basically be erased or rectified without delay.
5) Storage limitation
Personal data must not be stored longer than is necessary for the purposes for which they are processed, unless if they are stored in an anonymized form.
6) Integrity and confidentiality
Lastly, the target company as well as the potential buyer(s) must take appropriate technical and organizational measures to ensure that the security of the personal data—and especially the confidentiality, integrity, and availability of the data—is safeguarded at all times (e.g., by monitoring access to the data room, by logging all actions made in the data room, by making it impossible to print certain documents, etc.).
For instance, if documents are uploaded onto the data room, then the necessary measures must be taken to secure the data room adequately so that the personal data are protected against unauthorized or unlawful processing, distribution, or access, among others, and against accidental or intentional loss, destruction, or damage. The same principle applies to the instance in which the potential buyer proceeds to download and save the documents in its own file or drive.
Take the necessary measures contractually as well to safeguard the integrity and confidentiality (e.g., by concluding a data processor agreement with the external provider for a data room, a confidentiality agreement (NDA) with the potential buyer(s) and possibly with the persons who are given access to the information).
2. Target company’s compliance level
As potential buyer, it is important to gain a comprehensive understanding about the extent to which the target company complies with the GDPR. Primarily in certain sectors (e.g., IT sector, healthcare, etc.), it is extremely important that the target company has taken the necessary measures to make itself compliant with the GDPR.
In any event, ask for the following documentation or information so that you gain insight into the processing activities of the target company:
- The categories and volume of personal data that are processed by the target company;
- The company’s processing cycle in terms of category of personal data (how do they collect the target company’s personal data, how are these used, shared, stored, and removed, etc.);
- The legal ground on which the personal data are processed;
- Data processing register;
- Privacy statements;
- How is GDPR awareness created or generated among employees at the company;
- How does the target company classify itself (i.e., as data controller or as processor) when it conducts its business activities;
- List of processors (situated in and outside the EEA);
- Data processing agreements that were concluded;
- How are data transmitted outside the EEA;
- Procedure for data breaches;
- Information about data breaches that have already occurred;
- Procedure for how data subjects can exercise their rights;
- Policy on storage of personal data and where the data are stored (e.g., premises and hardware);
- Data protection officer (or person responsible for it) at the company;
- Information about complaints filed with the Data Protection Authority or about investigations conducted by the Authority;
- Reports on data protection effect evaluations that were conducted;
- Information security policy.
If the target company is unable to demonstrate it has met a sufficient level of GDPR compliance, then a potential buyer should have the necessary representations and warranties stipulated in the transaction documentation and/or possibly include a specific indemnity if risks have come to light during the due diligence.
Also—depending on the risks identified—certain arrangements can be made with the target company, e.g., price renegotiation, remediation measures, etc.
3. GDPR checklist for the acquisition process:
To-dos for the seller:
- Adhere to the basic principles of the GDPR in every phase of acquisition process;
- Make a balance of interests in writing and on time to justify the transmission of personal data (in the context of the legitimate interest as legal ground);
- Stipulate in the privacy statement(s) that personal data can be transmitted in the context of an acquisition process;
- Transmit only the data that are necessary for the potential buyers to assess the feasibility of the acquisition;
- Check if the personal data, which have been transmitted, are accurate and up to date;
- Do not store the personal data longer than is necessary;
- Take appropriate technical and organizational measures to secure the personal data.
To-dos for the buyer:
- Ask for the necessary documentation or information to gain insight into the data processing activities of the target company;
- Investigate the extent that the target company has effectively applied the GDPR and the extent that data protection is integrated into its business culture;
- If the target company cannot demonstrate that it has achieved a satisfactory level of GDPR compliance, ensure that the acquisition documentation contains the necessary representations and warranties and/or a specific indemnity;
- Depending on the risks identified, make arrangements with the target companies on how the lack of GDPR compliance can be overcome;
- Adhere to the principles of the GDPR if you receive personal data in the context of the acquisition process.
If you have any questions regarding business acquisitions and/or GDPR compliance, feel free to contact one of our experts.