GDPR meets corporate: (new) opportunities in an M&A case
16.08.2019 EU law

The GDPR is everywhere, including in M&A cases. This article covers some practical points on how to cope with the GDPR during a deal, from beginning to end.

The GDPR. No day passes by without hearing of it: fines are issued, additional guidelines are released, privacy is infringed by eavesdropping practices… It is clear that the GDPR is not only relevant for privacy policies and data processing agreements. In some way or another, it plays a role in almost every industry and every process. During corporate transactions too, the GDPR turns out to have a significant impact. According to Merrill, the provider of DatasiteOne data rooms, 55% of the M&A practitioners questioned believe transactions are failing or stalling due to GDPR compliance concerns and the accompanying risk of fines. This post will focus on the intertwining of the GDPR and corporate matters, and more specifically on the opportunities the GDPR can offer in an M&A case.

Personal data in an M&A case

An M&A transaction is structured either as a share deal, as an asset deal or as a combination of both. In any deal, a multitude of data flows will be exchanged between the parties, including personal data. The amount of personal data will vary depending on the object of the transaction: an industrial glue company will process a lot less personal data than a B2C digital platform. It goes without saying that data, including personal data, are considered an asset of a company, so that non-compliance with the GDPR can cause an economic loss to the business. During the whole M&A process, and by all actors involved, GDPR compliance can be secured or improved in different ways.

Setting up your data room

For the target, a correct set-up of the data room will be of utmost importance. This data room will (almost always) be a virtual data room to which many actors may have access: target and seller group personnel, candidate buyers, financial advisors, legal advisors, credit institutions, etc. The scope of the data room, i.e. how much data the data room contains, can evolve throughout the M&A process: typically, less information will be provided during a first round, while full disclosure of all information relevant to the transaction will be the standard when only one or two potential buyers are (still) in the running. However, the target must keep in mind the general principles of the GDPR, so that no more personal data than necessary to achieve the purpose may be made available. Several precautions are at your disposal to abide by these principles: besides a typical NDA, security measures and technical restrictions on the processing are also possible. Think about encryption, blacklining, no printing or downloading, provision of templates where possible (e.g. of the employment contracts), restricted access rights per domain, etc. A disaster recovery plan and steps to have the data deleted or returned after the due diligence process are also recommended.

GDPR on the due diligence checklist

For the potential buyer(s), there are also some points of attention while conducting the due diligence exercise. GDPR compliance is often underestimated when determining the scope of the due diligence. However, given the importance of data as an asset of the company, it is recommended to conduct a transversal due diligence exercise to verify whether the target company complies with the basic principles of the GDPR. Such transversal GDPR due diligence will often consist of a review of the policies and procedures in place, the existing data processing agreements and the data register. It may also go further by, among other things, assessing the governance and decision-making process on the processing of personal data, the awareness trainings, the notifications to the competent DPA(s), the appointment of a DPO, the roles and responsibilities regarding the processing of personal data, the measures taken for data transfers and the steps taken regarding privacy by design and privacy by default. While the operational and security measures within the company are often part of an IT due diligence, their set-up and output are not always considered from a GDPR perspective.

Remedies

If, after the due diligence phase, the parties reach an agreement with respect to the transaction, they will sign a contract to seal the deal. Such an agreement can be either a share purchase agreement, an asset purchase agreement or a combination of both. In case specific infringements were spotted during the due diligence process, the buyer will have to consider, in light of their seriousness, whether it expects the seller to remedy such breaches pre-closing, or to bear the economic risks (such as fines or damages) related to them. In case of infringements that can be fixed in a relatively easy way (e.g. no DPO was appointed), a condition precedent may be appropriate, requiring the seller to remedy the breaches even before completion of the transaction. In case an identifiable risk, such as missing data processing agreements, is spotted during the due diligence phase, a specific indemnity or price correction could offer a solution. Finally, risks of non-compliance with the GDPR that have not been revealed during due diligence should be covered by a warranty to ensure the correctness of the measures taken or the current state of affairs, e.g. that the company fully complies with the GDPR, that there is no pending litigation on data protection or that no data breaches have occurred in the last 3 years. While the former two means of protection depend on the importance of both data protection and the breach itself on the one hand, and the bargaining power of the parties on the other hand, and are therefore less common in practice, a data protection warranty is a must in each M&A contract.

Accompanying measures

Besides the share or asset purchase agreement, other agreements may also be needed to cover other practical issues after sealing the deal. For instance, in case of an asset deal, the data subjects must be informed of their new data controller and possibly their consent must be obtained as a legitimate ground for the transfer. Also, if personal data is transferred outside of the European Economic Area, e.g. because the data is stored on a server in the U.S., adequate measures must be taken, such as the EU Standard Contractual Clauses. For these and other practical issues, good arrangements make good friends (and ensure GDPR compliance).