Data protection in M&A transactions

Data protection in M&A transactions

Data protection for company sales

Is data protection important in M&A transactions? Or is it "nice to have" and can be neglected in favor of "hard" business facts? These questions can be answered quickly. Legally compliant data protection is definitely a business factor. Violations of the requirements of the GDPR can result in fines of up to 20 million euros or up to four percent of the previous year's global turnover.

The Marriott hotel group, for example, was fined 110 million euros in 2019 for the consequences of a cyber attack on a hotel group it acquired in 2014. Although this fine was later reduced to 20 million euros, it clearly shows that deficiencies in the data protection organization of a target company can entail considerable risks for the buyer.

It is also necessary to clarify the legal basis on which personal data can be transferred from the target company to the potential buyer. Is consent required here? Or can it be based on legitimate interest? There are also considerable pitfalls lurking here.


Data protection as part of due diligence


Regardless of the type of transaction being sought (share transfer, asset deal or merger), the issue of data protection should always be part of the due diligence process. Due diligence is a detailed economic and legal analysis of the target company. The aim is to identify risks, mitigate them and/or "price" them.


The following list of questions may be helpful:

  1. What categories of personal data does the target company process? What risks may result from this? Which laws are relevant?
  2. How and for what purpose should the target company's data be used in the future? What legal basis can be used for this? For example, is there documented consent for advertising purposes? What information obligations exist vis-à-vis the data subjects?
  3. What is the status of the target company's data protection organization? Are the processing directory, data protection policy, necessary processes regarding order processing, data subject rights or data transfers to third countries complete and up to date? If not, what resources are required to achieve an acceptable current status?
  4. Do appropriate technical and organizational measures exist at the target company and its service providers?
  5. What indications do past data breaches give of risks that still exist at the target company?


Once the risks have been identified, the effects and possible countermeasures must be the subject of a thorough analysis, a kind of "merger impact assessment".

As part of the due diligence process, a potential buyer may gain access to IT systems containing personal data of employees and customers of the target company. Confidentiality declarations and confidentiality obligations must be obtained beforehand. In addition, the legal basis for a data transfer from the target company to the potential buyer must be clarified. This could be consent in the case of only a few people, or legitimate interest in the case of a large number of people, but only after a balancing of interests has taken place, whereby information must be provided in accordance with Art. 13 or 14 GDPR in each case and the right to object must be pointed out. It should also be checked whether the same purposes cannot be achieved with aggregated or pseudonymized data. The principles of data economy and data minimization also apply here.

If at all possible, no special categories of personal data should be stored in the "Data Room". If this does become necessary, then only with the prior informed consent of the data subjects. In addition, the documents should be copy-protected and locked against printing, and a contract for order processing should be concluded with the provider of the data room.

After completion of the transaction

Once an M&A transaction has been completed, a new data protection organization usually has to be set up, which may have to comply with the legal requirements of several countries: From accountability, information and reporting obligations to data subject rights. Existing legal bases may also need to be reviewed, for example when using customer data from the acquired company for the buyer's advertising purposes.

The requirements of the GDPR must also be observed when merging different IT systems. In addition, the technical and organizational measures of the service providers must be checked and order processing contracts or standard contractual clauses must be concluded. Deletion and further retention obligations must also be reviewed, possibly also in the event of a (partial) closure of the acquired company.

Is your company planning a takeover? Or is it to be taken over? 2B Advice will be happy to provide you with expert advice on how to identify, reduce and manage potential data protection risks in an M&A transaction.


Get in touch with us today! We look forward to an exciting challenge together with you: 0228 / 926165 -100.

Share this post :