The GDPR is everywhere, also in M&A cases. This article covers some practical points how to cope with GDPR during a deal from beginning to end.
GDPR meets corporate: (new) opportunities in an M&A case
The GDPR. No day passes by without having heard of it: fines are issued, additional guidelines are released, privacy is infringed by eavesdropping practices… It is clear that the GDPR is not only relevant for privacy policies and data processing agreements. In some way or another, it plays a role in almost every industry and every process. Also during corporate transactions, GDPR turns out to have a significant impact. According to Merrill, the provider of DatasiteOne data rooms, 55% of the M&A practitioners questioned believe transactions are failing or stalling due to GDPR compliance concerns and accompanied risk or fines. This post will focus on the intertwining of the GDPR and corporate matters, and more specifically on the opportunities the GDPR can offer in an M&A case.
Personal data in M&A case
An M&A transaction is structured either as a share deal, as an asset deal or as a combination of both. In any deal, a plurality of data flows will be exchanged between the parties, including personal data. The amount of personal data will vary depending on the object of the transaction: an industrial glue company will process a lot less personal data than a B2C digital platform. It goes without saying that data, including personal data, are considered as an asset of a company, so that non-compliance with GDPR can cause an economic loss to the business. During the whole M&A process, by all actors, GDPR compliance can be secured or improved in different ways.
Setting up your data room
For the target, a correct set-up of the data room will be of utmost importance. This data room will (almost always) be a virtual data room to which many actors may have access: target and seller group personnel, candidate-buyers, financial advisors, legal advisors, credit institutions,… The scope of the data room, i.e. how much data the data room contains, can evolve throughout the M&A process: typically, less information will be provided during a first round, while full disclosure of all information relevant to the transaction will be the standard when only one or two potential buyers are (still) in the running. However, the target must keep in mind the general principles of GDPR, so that no more personal data than necessary to achieve the purpose may be made available. Several precautions are at your disposal to abide by these principles: besides a typical NDA, also security measures and technical restrictions to the processing are possible. Think about encryption, blacklining, no printing or downloading, provision of templates where possible (e.g. of the employment contracts), restricted access rights per domain, etc. Also a disaster recovery plan and steps to have the data deleted or returned after the due diligence process are recommended.
GDPR on the due diligence checklist
For the potential buyer(s), there are also some points of attention while conducting the due diligence exercise. GDPR compliance is often underestimated in determining the scope of the due diligence. However, given the importance of data as an asset of the company, it is recommended to conduct a transversal due diligence exercise to verify whether the target company complies with the basic principles of GDPR. Such transversal GDPR due diligence will often consist of a review of the policies and procedures in place, the existing data processing agreements and the data register. It may also go further by a.o. assessing the governance and decision making process on processing of personal data, the awareness trainings, the notifications to the competent DPA(s), the appointment of a DPO, the roles and responsibilities regarding processing of personal data, the measures taken for data transfers and the steps taken regarding privacy by design and privacy by default. While the operational and security measures within the company are often part of an IT due diligence, the set up and output are not always considered from a GDPR perspective.
If after the due diligence phase, parties reach an agreement with respect to the transaction, they will sign a contract to seal the deal. Such agreement can be either a share purchase agreement, an asset purchase agreement or a combination of both. In case specific infringements were spotted during the due diligence process, the buyer will have to consider, in light of the seriousness, whether it expects the seller to remedy such breaches pre-closing, or to bear the economic risks (such as fines or damages) related to them. In case of infringements that can be fixed in a relatively easy way (e.g. no DPO was appointed), a condition precedent may be appropriate requiring the seller to remedy the breaches even before completion of the transaction. In case an identifiable risk, such as data processing agreements that are missing, is spotted during the due diligence phase, a specific indemnity or price correction could offer a solution. Finally, risks of non-compliance to the GDPR that have not been revealed during due diligence, should be covered by a warranty to ensure the correctness of measures taken or the current state of affairs, e.g. that the company fully complies with GDPR, that there is no pending litigation on data protection or that no data breaches have occurred in the last 3 years. While the former two means of protection depend on the importance of both data protection and the breach itself on the one hand, and bargaining power of the parties on the other hand, and are therefore less common in practice, a data protection warranty is a must in each M&A contract.
Besides the share or asset purchase agreement, also other agreements may be needed to cover other practical issues after sealing the deal. For instance, in case of an asset deal, the data subjects must be informed of their new data controller and possibly their consent must be obtained as a legitimate ground for the transfer. Also, if personal data is transferred outside of the European Economic Area, e.g, as the data is stored on a server in the U.S., adequate measures must be taken such as the EU Standard Contractual Clauses. For these and other practical issues, good arrangements make good friends (and ensure GDPR compliance).