Data protection in M&A transactions


Is data protection important in M&A transactions? Or is it merely "nice to have", something that can be neglected in favor of "hard" business facts? These questions can be answered quickly. Legally compliant data protection is definitely a business factor. Violations of the requirements of the GDPR can be punished with fines of up to 20 million euros or up to four percent of the previous year's global turnover.

The Marriott hotel group, for example, was fined 110 million euros in 2019 for the consequences of a cyber attack on a hotel group it had acquired in 2014. Although this fine was later reduced to 20 million euros, it clearly shows that deficiencies in the data protection organization of a target company can entail considerable risks for the buyer.

It is also necessary to clarify the legal basis on which personal data can be transferred from the target company to the potential buyer. Does this require consent? Or can the parties rely on legitimate interest? Considerable pitfalls lurk here as well.

Data protection as part of due diligence


Regardless of the type of transaction being sought (share transfer, asset deal or merger), the issue of data protection should always be part of the due diligence process. Due diligence is a detailed economic and legal analysis of the target company. The aim here is to identify risks, mitigate them and/or "price" them.


The following list of questions may be helpful:

  1. What categories of personal data does the target company process? What risks may result from this? Which laws are relevant?
  2. How and for what purpose is the target company's data to be used in the future? What legal basis can be relied on for this? For example, is there documented consent for advertising purposes? Which duties to inform exist vis-à-vis the data subjects?
  3. What is the status of the target company's data protection organization? Are the record of processing activities, the data protection policy, and the necessary processes for commissioned processing, data subject rights and data transfers to third countries complete and up to date? If not, what resources are needed to reach an acceptable state?
  4. Do appropriate technical and organizational measures exist at the target company and at its service providers?
  5. What do past data breaches indicate about risks that still exist at the target company?


Once the risks have been identified, their effects and possible countermeasures must be subjected to a thorough analysis, a kind of "merger impact assessment".

As part of the due diligence process, a potential buyer may gain access to IT systems containing personal data of the target company's employees and customers. Confidentiality declarations and confidentiality obligations must be obtained beforehand. In addition, the legal basis for a data transfer from the target company to the potential buyer must be clarified. Where only a few data subjects are affected, this could be consent; where very many are affected, legitimate interest, but only after a balancing of interests has been carried out, and in any case the data subjects must be informed in accordance with Art. 13 or 14 GDPR and made aware of their right to object. It should also be checked whether the same purposes cannot be achieved with aggregated or pseudonymized data. The principle of data minimization applies here too.

If at all possible, no special categories of personal data should be stored in the data room. Should this nevertheless become necessary, it may only be done with the prior informed consent of the data subjects. In addition, the documents should be protected against copying and printing, and a commissioned processing contract should be concluded with the provider of the data room.

After completion of the transaction

Once an M&A transaction has been completed, a new data protection organization usually has to be set up, which may have to comply with the legal requirements of several countries: from accountability, information and reporting obligations to data subject rights. If necessary, the existing legal basis must be reviewed, for example when the buyer uses the acquired company's customer data for its own advertising purposes.

When merging different IT systems, too, the requirements of the GDPR must be observed. In addition, the technical and organizational measures of the service providers must be checked, and commissioned processing contracts or standard contractual clauses concluded. It may also be necessary to review deletion and retention obligations, including in the event of a (partial) closure of the acquired company.

Is your company planning a takeover? Or is it to be taken over? 2B Advice will be happy to provide you with expert advice on how to identify, reduce and manage potential data protection risks in an M&A transaction.


Get in touch with us today! We look forward to an exciting challenge together with you: 0228 / 926165 -100.
