This article is written by Shreya Mazumdar pursuing Diploma in Cyber Law, FinTech Regulations, and Technology Contracts from LawSikho.

Introduction

A lot has changed exponentially after the implementation of the European Union’s General Data Protection Regulation (GDPR) and this has significantly affected the mergers and acquisition (M&A) transactions worldwide. The GDPR change is a paradigm shift not only for companies doing business across Europe but also worldwide companies conducting their business in Europe or processing personal data of the EU. Therefore, the due diligence process of the target company had to be changed as per the new regulation, standards and requirements and data protection and security compliance has become a top priority of the due diligence process as non-compliance with GDPR fines can reach up to EUR 20 million or up to 4% of the target’s annual global turnover (whichever is higher). This fine is not just limited to this but also includes a legal fee, damage in goodwill, impact on market standing of the business and many other damages. This shall have a significant impact on the M&A transaction cost as the buyer of the target company may face a massive amount of monetary risk. 

This article is limited to the GDPR risk analysis in an M&A transaction. Even during the transaction the data protection legislation versus the need to ensure that commercial sensitivity and confidentiality shall be respected. The article only gives a general meaning of GDPR and M&A and it does not go to the details implicating it. 

What is General Data Protection Regulation?

Just a basic introduction of GDPR is that General Data Protection Regulation (GDPR) is one of the toughest privacy and security laws of the world. Although it is drafted and passed by the European Union (EU), the implication of it was thought throughout the world organisation so long as these organisations target or collect data related to people in the EU. The regulation was put into effect on the 25th of May 2018. 

Mergers and acquisitions (M&A) in the general sense of terms is a consolidation of companies or assets by way of financial transaction which includes a merger, acquisition, management acquisitions, purchase of assets, tender offers, consolidations. In an acquisition, one company purchases the other company (generally termed as “target”) outright. A merger is the combination of two companies/organisations that subsequently form a new legal entity under a new corporate name. A target/company is objectively valued by studying comparable companies in an industry and the valuation heavily depends on the compliance to the rules, regulations, laws, by-laws etc. of the company and all the applicable laws which are by way of due diligence. 

Impact on valuation

Any GDPR exposures which may include any past data breach incidents or inadequate privacy policies and implementation shall have an impact in determining the valuation of the target. There are incidents where the annual financial filing having presence in the EU reflects the GDPR as a compliance risk that could impact their businesses. 

Confidentiality and non-disclosures

An acquirer/buyer engaged in the M&A deal should at the nascent stage, determine whether or not the target’s business and activities are subjected to GDPR norms. M&A deals at times require parties to share personal data of its employees, customers, clients, vendors across the globe. All this information is governed and protected by the GDPR norms. The very essence of the fact is that a confidentiality agreement and a non-disclosure agreement shall be in place which is well negotiated and robust to comply with GDPR. As a result of this NDA if the personal data is shared outside the EU jurisdiction compliance regarding standard model clauses, an adequate level of protection. 

In a case where the personal data has to be shared, parties should have a secure virtual data room with limited access as well as monitoring rights and other measures to avoid misuse of the data. There are a variety of industries including (but not limited to) the healthcare industry where highly sensitive data is collected, and banks that also deal with a lot of very sensitive data that is collected. 

What are diligence considerations?

As GDPR is a new concept and is also complex there are chances that a lot of organisations may not be fully compliant with the provisions of GDPR. To ensure that the target has complied with the GDPR buyer should do thorough due diligence of the potential target. There are various mentions in which these data could be shared. The target company can only choose to share only redacted or anonymised data during the due diligence which shall fall outside the GDPR applicability.  

The handling of the personal data can also be done in the following ways: 

• Accountability

It is the responsibility of both the parties to identify the lawful basis which shall be in line with the GDPR for the processing of the personal data which they share and receive at the time of transaction and consider accountable as a part of broader compliance framework which not only means compliance but it helps to demonstrate the compliance.

• Transaction objectives during the nascent stage

The Parties to this M&A deal should examine the data protection issues even before the exclusivity agreement or signing of the term sheet. As mentioned before, the NDA should include a robust clause on the data protection that is shared between the parties including the usual confidential undertakings. 

The buyer shall ask for a warranty from the target to ensure that there is legitimate sharing of data concerning the transaction and the buyer can be sure that it is not engaged in any unauthorised processing of data.

If the target has already taken steps to make sure that the data that is owned and possessed is in compliance with GDPR and the target has its internal policies to comply with the data processing and transparency requirement then data transfer may not be controversial. In other words, if the target already has an agreement with the data owner that the data that they own shall be transferred to a third party for processing and the data owner consents to it, then it will be easier for this processing to take place between the target and the buyer. 

• Data room considerations

A due diligence data room is a secure storage cloud or physical space where important documents and files for an M&A transaction are stored. The parties should ascertain properly considering who is being granted access to this data room and if the terms and conditions of this access are complied with. The buyer shall limit the distribution of internal or external personal data to reduce its exposure. Target should have a privacy policy in place which mentions to the data holder, i.e., employees, vendors, consumers etc. that the data can be shared with the potential buyers in case of an M&A transaction. 

• Cyber security

Hackers mostly target M&A transactions to seek profit by inside information or knowledge of a transaction and the data is transferred outside the routine process of the parties. The parties therefore should be very careful as to how the data is handled during the transaction which includes the security of third-party advisers to minimise the risk of data loss.       

• Negotiation

The data provision in NDA and Confidentiality Agreement may be likely to expire when the sale and purchase agreement is entered in the nascent stages of the transaction. To continue that the provisions are mirrored in the purchase agreement the parties should ensure such implementation. 

What is employee data?

The target may choose to release specific details of employee or customer details that shall be shared at the transaction signing stage or as a part of the deal documents. The buyer should note that dealing with personal data, especially in the form of employee data, is an issue in M&A transactions which is particularly during the due diligence process and when disclosure is against warranties. 

Consent

The parties should avoid relying on the consent to be a lawful basis to disclose employee personal data to the buyer as the GDPR considers that the data protection authorities have assessed this and concluded that the validity of the consent in the employment context is very rarely “freely given”. The European Data Protection Board has confirmed that consent can only be appropriate and lawful if the data subject is offered genuine control and choice concerning the data which is not the case in employment scenarios.  

Sharing of Personal Data during M&A

The responsibility to hold data on behalf of the target where the liability will fall on you and you will be assumed to have the rights to deal lawfully with personal data. The buyer shall always consider the need for such data and if they need the personal data or whether general information will be enough.

Legitimate interest

Personal data can be shared if it is anonymised as long as individuals cannot be identified from it by the buyer. In a case where personal data cannot be properly anonymised then such data is protected under GDPR. When it comes to M&A transactions the most appropriate legal basis for disclosure is “legitimate interest” (except in the case of “special personal data which includes biometric data, bank account information, health condition etc.”). This legitimate interest is where the sale of the business or shares needs to disclose the data to a potential buyer and this legitimate interest assessment is conducted and recorded in writing. This process will help to identify legitimate interest and showing that the processing of personal data is essential to achieve that legitimate interest and harmonising it against the relevant individual’s interest, rights and freedom. 

Sensitive personal data

In case of sensitive personal data which is a part of the M&A transaction process, such transfer shall be avoided unless it is anonymised as long as it cannot be linked to the data owner. It is better to consult a data protection lawyer who could handle such sensitive matters.  

Completion of transaction

The diagram explains the pre and post due diligence process and convergence that the buyers and the target can consider while the transaction of data comes into question:

 

Completion and signing

When it is time to integrate the target or assets into the buyer’s business any personal data that is provided should be non-identifiable form wherever possible. So statistical data can be provided instead of granular data of employees or model employment contracts that mention the terms of the employment. When it comes to the clients/customers, general information such as age/geographical data, size and product type, purchase frequency etc. could be shared. 

Sale of asset

The identity of the data controller shall be changed when it comes to the context of the sale of assets and the affected individuals shall be needed to be informed at completion. The buyer shall set out its privacy policy for the owners of the personal data within a reasonable time and in any event within one month. 

The policy shall detail down the need to collect the personal data and the reason for processing such data and the other points including (but not limited to) the data subject rights that are applicable under the GDPR, retention period of data, the identity of the third party who is the recipient of data, the existence of any automated decision making etc. the target can agree to engage a pre-completion undertaking with the buyer to ensure that the buyer is ready to implement the new policy. It is in the interest of both parties to ensure that the transaction process shall run smoothly, effectively and transparently.

Post-closing Integration

The parties need to ascertain the alignment of data protection policies and practices of the acquirer and the target in cases of transactional integration. There might be a need to acquire fresh consent for any additional processing activities after the transaction. If the data is shared among affiliates for transition service arrangement, there shall be a need to binding corporate rules or appropriate safeguards like model clauses and contracts. The parties should keep in mind the following points:

Transparency

Although the target might be the controller post-completion in the context of the share sale, it has to be considered if there is any change in the purpose or use of personal data as a result of the transaction. So, the parties have to check if there is a need to update their privacy policy to reflect the new purposes. 

Security

The buyer shall ensure that the security of the buyer’s system is sufficient to protect the personal data that is received. The buyer shall consider the risk involved to the seller’s systems and incorporation of those systems and the seller’s data that is there in the system. The buyer must do a forensic analysis of the seller’s system to identify the historic issues such as unlawful access to order to systems or malware on the seller’s system that could pose significant risk. 

Conclusion

The above-mentioned points are like a checklist to make sure that the M&A transaction is compliant with data protection rules. This does not substitute as specific legal advice and one must engage an expert in dealing with this kind of process. It is necessary to identify the specific roles and responsibilities of the parties involved in the M&A process (Target company, buyer, advisors, service provider) which come within the meaning of the GDPR which ensures the obligations that relate to the handling of personal data. If the parties fail to take the necessary step to these issues may result in significant risk of penalties for non-compliance in future. 

References

1. Adam Hayes, What are Mergers and Acquisitions (M&A)? (11th April 2021), https://www.investopedia.com/terms/m/mergersandacquisitions.asp. 
2. Ben Wolford, What is GDPR, the EU’s new data protection law? (05th July 2021) https://gdpr.eu/what-is-gdpr/.
3. Carolyn Bigg, Joe Bauerschmidt and Teerin Vanikieti, Impact of Data Protection Laws on Mergers and Acquisitions (M&A) Transactions (4th October 2019) https://www.dlapiper.com/en/thailand/insights/publications/2019/09/impact-of-data-protection-laws-on-mergers-and-acquisitions-mna-transactions/. 
4. Checklist M&A and GDPR (April 2020) https://cms.law/en/deu/publication/checklist-m-a-and-gdpr. 
5. Claire Walsh and Marshall Denning, EU: The elephant in the (data) room – GDPR considerations in M&A due diligence (May 2019) https://www.dataguidance.com/opinion/eu-elephant-data-room-gdpr-considerations-ma-due-diligence.
6. Dr. Axel Funk & Dr. Tobias Grau, Business now feeling the effects of GDPR in M&A transactions  (24th October 2019) https://www.cms-lawnow.com/ealerts/2019/10/business-now-feeling-the-effects-of-gdpr-in-ma-transactions?_ga=2.17207225.108418040.1571990069-53246301.1571990069.
7. GDPR-a major issue in M&A transactions (26th November 2019), https://grlegal.md/gdpr-a-major-issue-in-ma-transactions/. 
8. How Special Is Your Data? (16th July 2020) https://moorcrofts.com/how-special-is-your-data/. 
9. James Waddell, Data Protection Issues on Due Diligence and Disclosure (28th April 2020) https://www.stevens-bolton.com/site/insights/briefing-notes/data-protection-issues-on-due-diligence-and-disclosure.
10. Katie Knowles, Alexander R. Roth, Dr. Paul Voigt and Wiebke Reuter, Data privacy in M&A Transactions (27th February 2020),  https://www.lexology.com/library/detail.aspx?g=4c766594-f1dd-46c8-8b96-1347833d75d7.
11. Kison Patel, What is a Due Diligence Virtual Data Room? (10th June 2021) https://dealroom.net/blog/what-is-a-due-diligence-virtual-data-room. 
12. Rabindra Jhunjhunwala and Shweta Dwivedi, Impact of GDPR on M&A transactions in India (13th September 2018) https://www.fortuneindia.com/opinion/impact-of-gdpr-on-ma-transactions-in-india/102437. 
13. Sarah Wared & Roland Marko, Dealing with GDPR Compliance Risks in M&A Transactions, https://www.ibanet.org/article/C17CCD48-AE2E-4071-B8BA-61EB2F95F05C last visited on 5th July 2021.
14. Using New Technology to make M&A deals a Success-every time, https://aimltd.uk/latest-news/using-new-technology-make-m-deals-success-every-time last visited 05th July 2021.

---

Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.

LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join: