1. General principles of the GDPR during the acquisition process
A company that processes personal data must adhere to the principles of the GDPR.
During an acquisition process, potential buyers and their advisors are granted access to personal data on the target company’s clients, employees, suppliers, etc. (e.g., during the due diligence audit). In this respect, the target company and the potential buyer(s) must take appropriate measures to comply with the basic principles of the GDPR and to protect the personal data adequately.
In each phase of the acquisition process, the following basic principles of the GDPR must be adhered to:
1) Lawfulness, fairness, and transparency
First and foremost, every instance of personal data processing must be based on one of the legal grounds for processing, which are listed in the GDPR.
In the context of an acquisition, making available (or, generally speaking, processing) personal data under certain conditions can be authorized on the grounds of the balanced legitimate interest of the target company and/or the potential buyer(s). In such a scenario, the legitimate interest weighed in the balancing test could be, for example, the financial audit with a view to selling the shares or certain assets of the target company.
For a company to be able to invoke the legal ground of the balanced legitimate interest, all three conditions below must be fulfilled:
- The data controller or a third party to whom the data were provided is pursuing a legitimate interest;
- The data processing is necessary to achieve this legitimate interest;
- The fundamental rights and freedoms of those concerned (the data subjects or the persons whose data are shared) are not overridden.
To this end, the company must conduct a balancing test of the interests in writing. It is recommended that this balance of interests be documented accurately at all times in the context of the accountability obligation.
We advise the target company to at least declare in its privacy statements that the company could, under certain conditions, possibly transmit personal data to other companies in the context of an acquisition process. In this way, the employees, clients, suppliers, etc. will already be informed that their personal data could possibly be transmitted during an acquisition process.
2) Purpose limitation
This basic principle aims to ensure that personal data may be processed only for specified, explicit, and legitimate purposes and that they may not be processed in a manner that is incompatible with those purposes.
Concretely, this principle comes down to the fact that the personal data may be exchanged and used only in the context of the acquisition (our example here) and for the specific purpose for which the personal data are made available (e.g., to determine whether or not an acquisition should go ahead).
3) Data minimization
Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. In other words: the target company and the potential buyer(s) must not process more personal data than they need in the context of the set purpose.
Concretely, the target company may make the personal data available to the potential buyer(s) only for their purpose of assessing the feasibility of the acquisition. Personal data that are not relevant must be shielded as much as possible from the potential buyer(s) (e.g., by pseudonymizing or anonymizing the personal data). If documents, for example copies of contracts, are uploaded to the data room, then the target company must check whether the names of the natural persons mentioned in these documents are actually necessary for the potential buyer's or buyers' evaluation. A potential buyer must also check that only the personal data that are truly necessary have been processed.
In the preparatory phase (in the run-up to the acquisition process), particular attention must therefore be given to documents that will be made available in the data room.
4) Accuracy
The target company and the potential buyer or buyers must take all reasonable measures to keep the personal data accurate and up to date at all times. Inaccurate data must, in principle, be erased or rectified without delay.
5) Storage limitation
Personal data must not be stored longer than is necessary for the purposes for which they are processed, unless they are stored in an anonymized form.
6) Integrity and confidentiality
Lastly, the target company as well as the potential buyer(s) must take appropriate technical and organizational measures to ensure that the security of the personal data—and especially the confidentiality, integrity, and availability of the data—is safeguarded at all times (e.g., by monitoring access to the data room, by logging all actions made in the data room, etc.).
For instance, if documents are uploaded onto the data room, then the necessary measures must be taken to secure the data room adequately so that the personal data are protected against unauthorized or unlawful processing, distribution, or access, among others, and against intentional or accidental loss, destruction, or damage. The same principle applies to the instance in which the potential buyer proceeds to download and save the documents in its own file or drive.
Take the necessary contractual measures as well to safeguard integrity and confidentiality (e.g., by concluding a data processor agreement with the external data room provider, and a confidentiality agreement (NDA) with the potential buyer(s) and possibly with the persons who are given access to the information).
2. Target company’s compliance level
As a potential buyer, it is important to gain a comprehensive understanding of the extent to which the target company complies with the GDPR. Particularly in certain sectors (e.g., the IT sector, healthcare, etc.), it is extremely important that the target company has taken the necessary measures to make itself GDPR compliant.
In any event, ask for the following documentation or information so that you gain insight into the processing activities of the target company:
- The categories and volume of personal data that are processed by the target company;
- The company’s processing cycle in terms of category of personal data (how do they collect personal data, how are these used, shared, stored, and removed, etc.);
- The legal ground on which the personal data are processed;
- Data processing register;
- Privacy statements;
- How is GDPR awareness created or generated among employees at the company;
- How does the target company classify itself (i.e., as data controller or as processor) when it conducts its business activities;
- List of processors (situated in and outside the EEA);
- Data processing agreements that were concluded;
- How are data transmitted outside the EEA;
- Procedure for data breaches;
- Information about data breaches that have already occurred;
- Procedure for how data subjects can exercise their rights;
- Policy on storage of personal data (as well as the policy on the location where they are stored);
- Data protection officer (or the person responsible for data protection) at the company;
- Information about complaints filed with the Data Protection Authority or about investigations conducted by the Authority;
- Reports on data protection impact assessments (DPIAs) that were conducted;
- Information security policy.
If the target company is unable to demonstrate that it has met a sufficient level of GDPR compliance, then a potential buyer should have the necessary representations and warranties stipulated in the transaction documentation and/or possibly include a special indemnity if specific risks have come to light during the financial audit carried out by the potential buyer.
Also—depending on the risks identified—certain arrangements can be made with the target company, e.g., renegotiation about the price, who will take what measures to remediate certain breaches, etc.
3. GDPR checklist for the acquisition process:
To-dos for the seller:
- Adhere to the basic principles of the GDPR in every phase of the acquisition process;
- Make a balance of interests in writing and on time to justify the transmission of personal data (in the context of the legitimate interest as legal ground);
- Stipulate in the privacy statement(s) that personal data can be transmitted in the context of an acquisition process;
- Transmit only the data that are necessary for the potential buyers to assess the feasibility of the acquisition;
- Check if the personal data, which have been transmitted, are accurate and up to date;
- Do not store the personal data longer than is necessary;
- Take appropriate technical and organizational measures to secure the personal data.
To-dos for the buyer:
- Ask for the necessary documentation or information to gain insight into the data processing activities of the target company;
- Investigate the extent to which the target company has effectively applied the GDPR and the extent to which data protection is integrated into its business culture;
- If the target company cannot demonstrate that it has achieved a satisfactory level of GDPR compliance, then ensure that the acquisition documentation contains the necessary representations and warranties and/or a special indemnity;
- Depending on the risks identified, make arrangements with the target company on how the lack of GDPR compliance can be overcome;
- Adhere to the principles of the GDPR if you receive personal data in the context of the acquisition process.
If you have any questions regarding business acquisitions and/or GDPR compliance, feel free to contact one of our experts.