Data Protection considerations when managing Mergers and Acquisitions (“M&A”)27 May, 2021
Since the EU 2016/679 General Data Protection Regulation (the “GDPR”) came into force on 25th May 2018, data protection law has become a fixture of public consciousness and many companies have had to assess and strengthen their data practices and policies to comply with the requirements under this important area of law.
In recognising the protection of individuals with regard to the processing of their personal data as a fundamental right, the GDPR sets out the principles relating to the processing of personal data, including the conditions for lawful processing.
Typically during the due diligence process of M&A transactions, queries may arise in relation to a target company’s employees, directors, customers, clients or other individuals. This therefore raises considerations as to the manner or extent to which information containing personal data may be shared, stored or otherwise processed in response to such queries or otherwise during the course of the due diligence process.
Personal Data and Special Categories of Personal Data
Personal data is defined by Article 4(1) of the GDPR as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
The information concerned must directly identify an individual or be capable of indirectly identifying an individual in particular by reference to an “identifier”. By way of example, an employee name is personal data as it directly identifies the employee. Similarly, an employee ID or PPS number is capable of indirectly identifying an employee and as such is personal data. In the context of M&A transactions, the information shared (or required to be shared) about target companies may often contain information of this nature and as a result may trigger a possible GDPR exposure for the seller and perspective purchaser.
Special categories of personal data” is described under Article 9(1) of the GDPR as personal data “revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.” Given the sensitivity of the information, special categories of personal data merit and require higher protection.
The key principles set out under Article 5 of the GDPR in relation to the processing of personal data require that personal data must be:
- processed lawfully, fairly and in a transparent way
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation)
- adequate, relevant and limited to what is necessary for the specified purposes (data minimisation)
- accurate, kept up to date and erased or rectified without delay (accuracy)
- kept in a form which permits identification of data subjects and only for as long as is necessary for the specified purposes
- processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality).
A controller is the natural or legal person who alone or jointly with others determines the purposes and means of processing of personal data. Usually, the seller will be the controller as it generally holds the personal data required for review by the prospective purchaser and their advisers. A controller, whether the seller or prospective purchaser, is responsible for and must be able to demonstrate compliance with these principles.
A processor is the natural or legal person who processes personal data on behalf of the controller and certain contractual terms must be in place between the processor and the controller to authorise and regulate such processing activities.
Notably, “processing” is broadly defined under Article 4(2) of the GDPR as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
In all cases (subject to any derogations provided for under the GDPR), however, the processing of personal data within the scope of the GDPR will only be lawful to the extent that at least one of the following legal basis applies:
- the individual data subject has consented to the processing of their personal data for one or more specific purposes;
- the processing is necessary for the performance of a contract;
- the processing is necessary to comply with a legal obligation;
- the processing is necessary to protect the vital interests of the individual data subject or another natural person;
- the processing is necessary for the performance of a task carried out in the public interest;
- the processing of data is in the legitimate interests of the controller (except where those interests are overridden by the interests or rights and freedoms of the data subject).
Where special categories of personal data are concerned, restrictions apply and further conditions (in addition to the legal basis above) must be satisifed to lawfully process special categories of personal data. This would be relevant, for example, to the processing of patient medical records in the context of the sale of a medical practice or the processing of employee medical records in relation to an employee personal injuries claim.
Virtual Data Rooms
It is common practice in M&A transactions for the parties and their legal / financial advisors to exchange information about the target company during the due diligence process through a virtual data room (“VDR”). Information and documentation which contain personal data may be required to be uploaded to this data room, e.g., contracts of employment, customer contracts, etc. This exchange of personal data would be deemed “processing” and as such must comply with the requirements of the GDPR.
To help ensure compliance with the GDPR, the following steps should be carried out before any personal data is uploaded to a VDR:
- choose a reputable VDR service provider;
- carry out a data protection impact assessment where appropriate;
- ensure appropriate technical and organisational measures (including security requirements) are in place;
- ensure an appropriate agreement is in place with the VDR service provider stipulating the clauses required by Article 28 of the GDPR;
- unless a valid legal basis applies, fully redact and anonymise all personal data before it is uploaded to and shared within the VDR;
- where a valid legal basis applies, only upload or share the minimum amount of personal data or special categories of personal data necessary for the specific purpose (a data minimisation approach should be adopted);
- prepare summaries or aggregated data without directly or indirectly identifying the data subjects concerned, e.g. salary summaries;
- restrict access to the VDR and its downloading / printing features;
- require secure passwords to access the VDR; and
- in circumstances where it is necessary to upload to and share personal data via the VDR, i.e., in respect of senior management; the controller must have a valid legal basis to do so. Where relying on consent, bear in mind consent must be freely given, specific, informed and unambiguous by way of a statement or clear affirmative action by the data subject concerned. Bear in mind also that consent may be withdrawn. Depending on the circumstances and the seniority of the data subjects concerned, the controller may be able to rely on its legitimate interests to share such information. This would need to be carefully assessed on a case by case basis.
Robust privacy policies are also key in M&A transactions and the existence/non-existence of such policies should be considered at the negotiation stage of the transaction. A robust policy of any business should contemplate M&A transactions and provide for such disclosures as may be reasonable and proportionate to achieve the desired (and specified) business purpose, having regard to the principles of processing, including the conditions of lawful processing.
Given the commercial sensitivity of negotiations and the information concerned, an appropriate non-disclosure agreement should be put in place at the earliest opportunity between the seller and the prospective purchaser. Any processor, advisor or person who may be permitted to access confidential information, personal data or special categories of data must be bound by appropriate obligations of confidentiality.
Share Sales vs Asset Sales
When it comes to the management of M&A transactions, different factors will need to be considered for share sales and asset sales for data protection purposes.
Given that only the shares in a target company will transfer to the purchaser on completion, the target company will remain the controller in respect of any personal data that it controls, i.e., its employee personal data and customer contact lists. As the controller will not change, there is no requirement to provide the relevant data subjects with information in relation to the further processing of their personal data post-completion unless there is a change to the nature, scope or purpose of processing.
It would be advisable nonetheless for the target company to inform data subjects of the change of control, to mitigate any perceived ambiguity or dishonesty. This is often likely to occur in any event as part of the deal completion process.
The seller may wish to agree a pre-completion undertaking with the purchaser providing that it will implement its new policies upon completion.
- The identity and contact details of the controller (and where applicable the contact details of its Data Protection Officer);
- The type of personal data processed;
- The purpose(s) for processing personal data;
- The lawful basis for processing personal data;
- The data subjects rights under the GDPR;
- Details of the recipient of personal data (or the categories of them);
- Details in relation to international transfers of personal data and the appropriate safeguards in place; and
- Retention periods.
Where certain liabilities are to remain with the seller, it is also important that the seller understands the state of their compliance and potential liabilities on completion
The due diligence process is an essential component of M&A transactions and it is important that the application and effect of the GDPR on this process is understood by all parties to the transaction at the outset.
Given the severity of the sanctions and administrative fines that may be impose under the GDPR in the event of non-compliance, it is critical to ensure that all necessary measures are implemented to ensure compliance. If and to the extent any personal data must be disclosed or shared for due diligence purposes, the principles of processing, including the conditions for lawful processing, must be complied with. Ideally, redact and anonymise.
If you have any queries or if you would like to discuss this content in further detail, any member of the FOD data protection team would be happy to assist.
About the Authors
Head of Technology & Intellectual Property