Data protection (and processing) is not always part of the due diligence in M&A transactions. However, data due diligence can reveal non-compliance of the target company with the GDPR and thus additional risks for the buyer. Specific warranties on data protection and future liabilities or penalties are needed to protect the buyer.
GDPR compliance
An assessment of the GDPR compliance of the target entity should be carried out as early as possible in the M&A process: not only to identify (and ideally minimise) the future liability of the target company and/or the new owner, but also to ensure that the transaction itself is GDPR-compliant.
The parties involved should check (and, where necessary, extend) their data protection statements so that the transfer of personal data to third parties is covered, specifically for the purposes of due diligence and of deals concerning asset disposal, restructuring, a merger, or a sale. The data concerned will typically include, for example, the clientele database (contact data and historical and current revenue generated), preferred partnerships, suppliers, etc.
For the same reason, some data processing agreements might have to be amended or newly put in place as well, for example with the provider of cloud services and/or of the data room.
The information that will be shared in the data room should moreover be selected carefully and be “technically” prepared as well. It might be necessary to (partially) anonymise, pseudonymise, or aggregate certain data. The data room itself should be hosted in a secure, confidential environment. Access control, login control, and selective user rights (allowing users to access only the specific information in the data room that is relevant to them) are recommended.
These steps should allow the legitimate and lawful transfer of personal data in the run-up to the transaction, for example during due diligence.
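As an added illustration of the “technical” preparation mentioned above (this is example code written for this page, not a tool of the author's firm), the script below takes a constructed clientele export, replaces the client identifier with a keyed pseudonym, drops the direct identifiers (name, e-mail), and aggregates revenue per year, so that a buyer can assess the revenue base in the data room without receiving the underlying contact data. The column names, the sample rows and the seller-held secret are assumptions for the example.

```python
import csv
import hashlib
import hmac
import io
from collections import defaultdict
from typing import Dict, List

# Constructed sample of a clientele export (hypothetical rows, not from any real company).
RAW_CLIENT_CSV = """client_id,name,email,year,revenue_eur
C001,Alice Example,alice@example.com,2022,12000
C001,Alice Example,alice@example.com,2023,15500
C002,Bob Sample,bob@sample.org,2023,8000
C003,Carol Demo,carol@demo.net,2022,3000
"""

# Secret key that stays with the seller and is never uploaded to the data room.
# (Assumed value for the example; in practice it would come from a key store.)
SELLER_PEPPER = b"seller-only-secret-do-not-upload"

# Columns that directly identify a natural person and must not leave the seller.
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonymize_id(client_id: str, pepper: bytes = SELLER_PEPPER) -> str:
    """Deterministic keyed pseudonym: the same client yields the same token on
    every row, so revenue can still be linked per client, but without the key
    the token cannot be reversed. A plain unkeyed hash of a short id such as
    'C001' would be trivial to brute-force, hence HMAC with a seller-held key."""
    return hmac.new(pepper, client_id.encode(), hashlib.sha256).hexdigest()[:16]


def prepare_for_data_room(csv_text: str, pepper: bytes = SELLER_PEPPER) -> List[Dict]:
    """Return the rows that are allowed into the data room: pseudonymised id,
    year and revenue only. Direct identifiers are not copied over."""
    prepared = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        prepared.append({
            "client_token": pseudonymize_id(row["client_id"], pepper),
            "year": int(row["year"]),
            "revenue_eur": int(row["revenue_eur"]),
        })
    return prepared


def aggregate_revenue_by_year(rows: List[Dict]) -> Dict[int, int]:
    """Aggregate view for the buyer: total revenue per year, no per-person data."""
    totals: Dict[int, int] = defaultdict(int)
    for row in rows:
        totals[row["year"]] += row["revenue_eur"]
    return dict(totals)


def contains_direct_identifiers(rows: List[Dict]) -> bool:
    """Pre-upload check: refuse the export if any direct identifier column survived."""
    return any(col in row for row in rows for col in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    rows = prepare_for_data_room(RAW_CLIENT_CSV)
    assert not contains_direct_identifiers(rows), "refusing upload: identifiers present"
    for r in rows:
        print(r)
    print("revenue per year:", aggregate_revenue_by_year(rows))
```

Two points matter in practice. First, pseudonymised data remains personal data under the GDPR (Art. 4(5)) as long as the seller holds the key, so the transfer into the data room still needs a legal basis and a processing agreement with the data room provider, as described above; only the aggregated per-year totals are candidates for being treated as anonymous. Second, the pre-upload check only catches column names it knows about, so the list of forbidden columns has to be maintained by whoever knows the export format.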
Furthermore, the data protection and processing policy of the target entity should be assessed in detail. Among other things, the following items should be examined:
- What is the legal basis for the existing processing flows?
- For which purposes are the personal data processed?
- How are data breaches or GDPR rights of data subjects dealt with?
- How is data retention and data security handled? Are there policies in place or certificates obtained?
- Is there an appointed DPO?
- Which warranties are offered for data transfers outside the EEA?
- Which protective technical and organisational measures are implemented?
- Are all (labour, supply, and service) contracts GDPR compliant?
Very often the data processing register will be the starting point of this analysis, which should be a joint effort of lawyers, the ICT department, DPOs, and divisional heads.
Should an issue be identified, the seller and/or target entity might still be able to remedy some of it during the pre-closing phase. Often, however, more than a one-time effort will be needed, even after the deal is closed. Buyers should therefore do their best to stipulate specific warranties in their favour.
Questions?
At Euregio Law & Tax we are happy to assist you on any data protection matter, including for M&A transactions.