Laura Van Gompel – October 2021 – Data protection (and processing) is not always part of the due diligence in M&A transactions. However, data due diligence can reveal non-compliance of the target company with the GDPR and thus additional risks for the buyer. Specific warranties on data protection and future liabilities or penalties are needed to protect the buyer.
An assessment of the GDPR compliance of the target entity should be carried out as early as possible in the M&A process: not only to identify (and ideally minimize) future liability of the target company and/or the new owner, but also to ensure that the transaction itself is GDPR compliant.
The parties involved would do well to check (and possibly extend) their data protection statements so that the transfer of personal data to third parties is covered, specifically for purposes of due diligence and for deals concerning asset disposal, restructuring, merger or sale. Examples of such data: the client database, including contact data and historical and current revenue, preferred partnerships, suppliers, etc.
For the same reason, some data processing agreements might have to be amended or put in place as well, for example with the provider of cloud services and/or the data room.
The information that will be shared in the data room should moreover be selected carefully and be “technically” prepared as well. It might be necessary to (partially) anonymize, pseudonymize or aggregate certain data. The data room itself should be located in a safe, confidential “technological place”. Access control, login control and selective user rights (allowing users to access only the specific information in the data room that is relevant to them) are recommended.
These steps should allow the legitimate and lawful transfer of personal data in the run-up to the transaction, for example during due diligence.
Furthermore, the data protection and processing policy of the target entity should be assessed in detail. Among other things, the following questions should be addressed:
- What is the legal basis for the existing processing flows?
- For which purposes are the personal data processed?
- How are data breaches or GDPR rights of data subjects dealt with?
- How are data retention and data security handled? Are there policies in place or certificates obtained?
- Is there an appointed DPO?
- Which warranties are offered for data transfers outside the EEA?
- Which protective technical and organisational measures are implemented?
- Are all (labour, supply and service) contracts GDPR compliant?
Very often the data processing register will be the starting point of this analysis, which will be a joint effort of lawyers, the ICT department, DPOs and divisional heads.
Should a contingency be identified, the seller and/or target entity might still solve a thing or two during the pre-closing phase. However, often it will need more than a one-time effort, even after the deal is closed. Buyers would therefore do well to stipulate specific warranties in their favour.
At Van Gompel Advocaten (VGA), we are happy to assist you on any data protection matter, including for M&A transactions.
0032/(0)11 281 280
Feel free to contact Anton Van Spaendonck for more information.