M&A Due Diligence Considerations from a Data Privacy Perspective

The EU General Data Protection Regulation (GDPR) also applies to M&A processes. Violations of data protection regulations can result in fines of up to EUR 20 million or 4% of the worldwide annual turnover. For compliance reasons, data protection requirements in the M&A process should be considered and documented early to exclude or at least minimize liability risks.

The following checklist facilitates a GDPR-compliant M&A process during three stages:

1) Preparing the Data Room,

2) Asset Transfers

3) Integration Phase of the Deal.

Keep in mind however, that this Checklist cannot replace professional guidance in individual cases. Note that professional weighting and assessment of each measure need to be carried out and documented. This means that the mere implementation of actions suggested in the following list alone does not ensure compliance with and implementation of GDPR requirements.

Additionally, for everyone involved in an M&A process (seller, buyer, consultant, service provider), individual roles and responsibilities in terms of GDPR should be determined to specify obligations for handling provided data and ensure compliance.

As an alternative to providing data in a data room, the seller can conduct a vendor due diligence fact book, which documents the findings that is then provided to interested parties in compliance with data protection.

For a better understanding of the checklist, please consider the following definitions:

• "Personal Data": Refers to all information related to an identified or identifiable natural person; an identifiable natural person is one who can be identified directly or indirectly, particularly through identifiers such as a name, an identification number, location data, an online identifier, or one or more specific characteristics that express the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. Personal data also includes simple email addresses or phone numbers with personal reference.
• "Anonymization": Anonymization, according to GDPR, is the modification of personal data in a way that details about personal or factual circumstances can no longer be assigned to a specific or determinable natural person, or can only be assigned with an unreasonably large amount of time, cost, and effort.
• "Pseudonymization": Pseudonymization, under GDPR, involves processing personal data in a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures ensuring that the personal data is not attributed to an identified or identifiable natural person.

I?????????? The Data Room

Considerations for Sellers

What can you put in a data room and what not? Personal Data cannot be made available to bidders without a legal reason pursuant to Article 6 (1) GDPR. When presenting a company for sale, it is important to ensure that personal data from employees or customers are not put into the data room or displayed in a handbook without the consent of the individual data subject. The general rule is to not put any personal data into the data room until the very end of the transaction.

Information about the employees and customers at this point needs to be anonymized and displayed in aggregate form. You do not need to include the names of particular employees. An exception to this would be the managing directors, who’s special contractual terms or salaries may be relevant for consideration at the beginning of the due diligence process. It is necessary in this case to get their prior consent to disclose their personal information. All other employees may be introduced with generic or aggregated data.

It is recommendable to inform employees about the due diligence process and inform them that their data will be made available to the buyer in the event of a change of ownership. In many jurisdictions, an automatic transfer of employees occurs so there is a need to inform employees in advance to comply with local labor laws. This should be examined in the early stages to ensure legal compliance.

Considerations for Buyers

You may want to take a look at sample contracts to assess the company’s compliance with data protection law. This information can be made available in the data room if the names of on the contract are redacted. The names of signatory authorities do not necessarily need to be redacted from the contract, since it is most likely that they expected their name to be made available in the case of a transfer of ownership. Therefore, the legal basis for making their names available would be a legitimate business interest pursuant to Article 6 (1) (f) GDPR.

?If the buyer can demonstrate a “need to know”, then they may have a legitimate interest in viewing certain personal data in the contracts. Company names are not personal data and therefore do not fall under the GDPR protections. Buyers can request a list of the most important customers (company names).

Some of the most important considerations for the buyer when evaluating whether the risks from a data protection perspective are: 1) whether the seller has a Data Protection Officer, 2) examining sample data processing agreements, 3) a list of vendors and whether the necessary data protection clauses and data processing agreements have been executed, 4) complaints made by data subjects in the last three years 5) view of any and all correspondence with the Data Protection Authorities in the past, and 6) “Breach/Incident” reports. It may be necessary for the Buyer to plan for additional resources to deal with any risks in data protection discovered at this point.

Considerations for both the Buyer and Seller

It may be necessary to take a look at the personal data of customers and employees at the final stage of the bidding where the number of potential buyers has been narrowed down. In this case, it may be appropriate to make the personal data that cannot be redacted available in a separate data room, which would be available to only a small number of people. Make sure that a non-disclosure agreement is signed and that those accessing the data have a need to know this information. The legal basis for disclosing this information is a legitimate business interest, however a three-pronged balancing test must be documented showing that there is 1) a legitimate business interest, 2) that the disclosure of the personal data is strictly necessary for concluding the transaction, and 3) the individual interests and fundamental rights of the data subject do not outweigh the legitimate business interest in disclosure. In many cases, it may be necessary to redact the personal data before disclosing customer data. You need to involve your privacy specialist or data protection officer here.

What if you disclose/receive too much information in the Data Room? Each Party to the Data Room is a Controller and is determining the means and purpose of the processing seperately. Therefore, if the seller accidently reveals personal data in the data room and the bidder receives this information, the each party to the data room potentially has a notification requirement pursuant to Article 33 and 34 of the GDPR, therefore this situation would need to be handled like a data breach, and mitigation measures must be initiated immediately. First, the bidders should be immediately instructed not to take any notes, and to return the information accidently received to the seller. The seller should immediately take the personal data out of the data room and the data room should remain closed until all bidders have given their confirmation that they have deleted/returned the personal data.

If the seller has contracted a data room provider to manage the data room on its behalf, they should be given specific instructions in their data processing agreement on managing a data breach. Additionally, it is advisable to try to maintain the data room in Europe in order to minimize the transfer of EU personal data to countries outside of the EEA. If the seller is managing a data room itself or through its law firm, no data processing agreement is necessary. However, the information is limited and the appropriate technical and organizational safeguards need to be in place. It is also a good idea to execute EU Standard Contractual Clauses with potential buyers in the case the data will transferred to a non-EEA country later in the transaction.

?II????????? Asset Transfers

It is important to consider whether the buyer will be able to use the target company’s customer data for its own purposes after the sale is completed. If the sale involves the sale of assets (buildings, equipment, know-how, etc.), a legal basis for the transfer of any personal data associated with that asset is required. In most cases, the legal basis for the transfer of customer data can be based on either a legitimate business interest (Article 6(1) (f))? or prior consent of the data subject (Article 6 (1) (a) GDPR).

Marketing consents are very valuable to a buyer when evaluating the target company. The issue is whether the new owner is able to email or call potential customers to market their own products moving forward after the deal is finalized. It may be necessary to structure the deal differently in order to allow for this. Perhaps the seller can collect a new consent prior to the sale, which is extended to the new buyer. If health data or sensitive data is involved, prior consent will always be required prior to the transfer. The buyer should expand their privacy policy to make the transfer of customer data transparent, however, a mere reference to a potential M&A transaction is not sufficient to meet the transparence requirements under the GDPR.

The conference of independent data protection authorities at the federal and state level of Germany ("DSK") has agreed on a catalog of scenarios to consider in the context of balancing interests according to Article 6(1) (f) in conjunction with Article 4 of the GDPR in an asset deal. These scenarios are as follows:

1. Customer data with ongoing contracts: The transfer of contracts requires the customer's approval under civil law (§ 415 German Civil Code / assumption of debt). This civil law approval also includes the data protection consent for the transfer of necessary data. This ensures the customer's interests are protected.
2. Existing customers without ongoing contracts and the last contract relationship is older than 3 years: Data of existing customers with no active contract relationship within the past 3 years is subject to processing limitations by the acquiring entity. While these data can be transmitted, they can only be used for legal retention periods. An alternative is to leave such customer data with the old company, especially if an insolvency administrator is involved, who may arrange for a service provider to retain the data for a specific period.
3. Data of customers in advanced contract negotiations; existing customers without ongoing contracts, and the last contract relationship is less than 3 years old: Data of such customers can be transmitted under Article 6(1) (f) GDPR using an opt-out model with a sufficiently long objection period (e.g., 6 weeks). This approach is cost-effective for companies and considers customer interests by providing ample time for objections. Bank data (IBAN) is excluded from the transfer via the opt-out model and can only be transmitted with the explicit consent of the customer, excluding payment behavior.
4. Customer data in case of outstanding debts: The transfer of outstanding debts against customers follows civil law under §§ 398 ff. German Civil Code (assignment of claims). Data related to this can be transferred from the assignor (old creditor/old company) to the assignee (new creditor/new company) based on Article 6(1) (f) GDPR. However, overriding interests exist when the assignment is expressly excluded by agreement (§ 399(2) 2nd Alt. BGB, § 354a HGB).
5. Special category customer data according to Article 9(1) GDPR: Such data can only be transferred with informed consent under Article 9(2) (a), Article 7 GDPR.

These guidelines are helpful, however there are several exceptions and work-arounds to the above-mentioned use cases. It is necessary to examine the legal basis for transferring customer data on a case-by-case basis. For example, if the business cycle is long-term for a particular product, it is reasonable to expect that a customer that no longer has engaged in the provision of a service for ten years may still be interested in receiving more information about similar products and services. Therefore, it is permissible to transfer the customer data to a buyer, since the customer has a legitimate business interest in not losing contact with long-term service offerings, as long as they are afforded the opportunity to opt-out from being contacted.

The OGH Austria recently made a decision that is important for practice because it is very "transfer-friendly" decision that consent to send a newsletter is transferable to the buyer pursuant to an asset deal, that as long as the seller obtained a valid consent in the first place and the customer data was processed lawfully (eg. Only used by the buyer for the purpose for which the consent was collected with a prominent opt-out).

Traditionally, data protection regulations demand precise and specific consent, rejecting broad consents with unspecified beneficiaries. However, this specific decision breaks from that norm by allowing the buyer to utilize the consent for well-defined purposes, such as conducting email marketing campaigns for a specific store (OGH ?sterreich Beschl. v. 31.5.2023 – 4 Ob 237/22, GRUR-RS 2023, 15828).

III The Integration Phase

The buyer may have identified a data protection risk in the due diligence phase, which needs to be addressed. Once you buy the company, you carry the risk. In the case of Marriot Hotel’s data breach in 2014 that was not discovered until 2018, hackers accessed the data base and stole the names, passport numbers, birthdates and credit card information of all the guests of the newly acquired company. The hackers were successful because the seller had failed to update their software and this was not discovered during the due diligence. Not only did Marriot have to pay fines for the data breach but they also had to implement credit card monitoring services for all guests, which was very expensive. It is crucial to integrate the IT of the target company as soon as possible to ensure that it is compatible with that of the acquiring companies data landscape. Also, it is essential to extend all policies to the newly acquired business.

Separation of data should be considered early on in the due diligence phase. Whether the data can be separated from the seller’s data and its business partners and subsidiaries needs to examined and requires prior planning and consideration. Has the seller used a joint data base with its subsidiaries? Does the old IT system meet the requirements for security? It may be difficult to separate the data completely. It may in fact be necessary to enter into a transitional services agreement with the seller, so that they continue to offer the services for a time until the integration can be completed. Data protection agreements and joint controller agreements may be necessary with clear processes for how to handle data subject requests. If the controller of the data has changed, the seller is now the data processor and the buyer is the controller.? To ensure a smooth transition during the integration phase, the processes for handling requests needs to be defined.

Below is a Checklist which addresses how to address 1) the Data Room, 2) Asset Transfers, and 3) Integration:

?Privacy Due Diligence and Pre-Acquisition Checklist:

• Do not reveal personal data to bidders/buyers until the transaction has been approved or finalized.
• Engage a security expert if needed.
• Privacy input needed during different phases of a sale transaction.
• Vendor Due Diligence: identify gaps and specific risks, obligations or liability provisions in vendor agreements.
• Filling the "Data Room": Compilation of due diligence documents and identification of relevant data to be provided to bidders/interested parties within the context of due diligence.
• Is the consent of the data subjects affected by data transmission for the purpose of the transaction effective and irrevocable, or can it be obtained? Determine the date of consent.
• Information sent to data subjects if required due to purpose-changing further processing (Art. 13(3) GDPR).
• Evaluation of personal data and individual determination of relevance (especially for employee, supplier, and customer data; excluding legal entity data).
• Examination of the type of personal data present (special categories of personal data such as health, sexual orientation, political/religious beliefs, etc. must not be disclosed; otherwise, a balancing of interests based on the sensitivity of the personal data and the necessity of disclosure must be carried out).
• Anonymization of all personal data, i.e., permanent deletion of identifiable characteristics (where possible)
• Pseudonymization of all personal data, i.e., redaction (where possible).
• Aggregation of personal data, e.g., statistical averages of various groups (where possible).
• Confidentiality Agreement: Obligation to encrypt, delete/obligation to return provided data upon completion of the transaction, and corresponding return assurance). The buyer commits to processing personal data solely for the agreed-upon purpose and in compliance with data protection regulations.
• Special provisions for data processing in so-called third countries outside the EU, where the level of data protection is not recognized as adequate by the EU (ensuring an adequate level of data protection), particularly the conclusion of EU Commission standard contractual clauses.