GDPR meets corporate: (new) opportunities in an M&A case

16.08.2019 EU law

The GDPR is everywhere, including in M&A cases. This article covers some practical points on how to deal with the GDPR during a deal, from beginning to end.

The GDPR. Not a day passes without hearing of it: fines are issued, additional guidelines are released, privacy is infringed by eavesdropping practices… It is clear that the GDPR is not only relevant for privacy policies and data processing agreements. In one way or another, it plays a role in almost every industry and every process. During corporate transactions too, the GDPR turns out to have a significant impact. According to Merrill, the provider of DatasiteOne data rooms, 55% of the M&A practitioners questioned believe transactions are failing or stalling due to GDPR compliance concerns and the accompanying risk or fines. This post will focus on the intertwining of the GDPR and corporate matters, and more specifically on the opportunities the GDPR can offer in an M&A case.

Personal data in an M&A case

An M&A transaction is structured either as a share deal, as an asset deal or as a combination of both. In any deal, a plurality of data flows will be exchanged between the parties, including personal data. The amount of personal data will vary depending on the object of the transaction: an industrial glue company will process a lot less personal data than a B2C digital platform. It goes without saying that data, including personal data, are considered an asset of a company, so that non-compliance with the GDPR can cause an economic loss to the business. Throughout the M&A process, all actors can secure or improve GDPR compliance in different ways.

Setting up your data room

For the target, a correct set-up of the data room will be of utmost importance. This data room will (almost always) be a virtual data room to which many actors may have access: target and seller group personnel, candidate-buyers, financial advisors, legal advisors, credit institutions, etc. The scope of the data room, i.e. how much data the data room contains, can evolve throughout the M&A process: typically, less information will be provided during a first round, while full disclosure of all information relevant to the transaction will be the standard when only one or two potential buyers are (still) in the running. However, the target must keep in mind the general principles of the GDPR, so that no more personal data than necessary to achieve the purpose may be made available. Several precautions are at your disposal to abide by these principles: besides a typical NDA, security measures and technical restrictions on the processing are also possible. Think about encryption, blacklining, no printing or downloading, provision of templates where possible (e.g. of the employment contracts), restricted access rights per domain, etc. A disaster recovery plan and steps to have the data deleted or returned after the due diligence process are also recommended.

GDPR on the due diligence checklist

For the potential buyer(s), there are also some points of attention while conducting the due diligence exercise. GDPR compliance is often underestimated in determining the scope of the due diligence. However, given the importance of data as an asset of the company, it is recommended to conduct a transversal due diligence exercise to verify whether the target company complies with the basic principles of the GDPR. Such a transversal GDPR due diligence will often consist of a review of the policies and procedures in place, the existing data processing agreements and the data register. It may also go further by, among other things, assessing the governance and decision-making process on the processing of personal data, the awareness trainings, the notifications to the competent DPA(s), the appointment of a DPO, the roles and responsibilities regarding the processing of personal data, the measures taken for data transfers and the steps taken regarding privacy by design and privacy by default. While the operational and security measures within the company are often part of an IT due diligence, the set-up and output are not always considered from a GDPR perspective.

Remedies

If, after the due diligence phase, the parties reach an agreement with respect to the transaction, they will sign a contract to seal the deal. Such an agreement can be either a share purchase agreement, an asset purchase agreement or a combination of both. In case specific infringements were spotted during the due diligence process, the buyer will have to consider, in light of their seriousness, whether it expects the seller to remedy such breaches pre-closing, or to bear the economic risks (such as fines or damages) related to them. In case of infringements that can be fixed in a relatively easy way (e.g. no DPO was appointed), a condition precedent may be appropriate, requiring the seller to remedy the breaches even before completion of the transaction. In case an identifiable risk, such as missing data processing agreements, is spotted during the due diligence phase, a specific indemnity or price correction could offer a solution. Finally, risks of non-compliance with the GDPR that have not been revealed during due diligence should be covered by a warranty to ensure the correctness of measures taken or the current state of affairs, e.g. that the company fully complies with the GDPR, that there is no pending litigation on data protection or that no data breaches have occurred in the last 3 years. While the former two means of protection depend on the importance of both data protection and the breach itself on the one hand, and the bargaining power of the parties on the other hand, and are therefore less common in practice, a data protection warranty is a must in each M&A contract.

Accompanying measures

Besides the share or asset purchase agreement, other agreements may also be needed to cover other practical issues after sealing the deal. For instance, in case of an asset deal, the data subjects must be informed of their new data controller and possibly their consent must be obtained as a legitimate ground for the transfer. Also, if personal data is transferred outside of the European Economic Area, e.g. because the data is stored on a server in the U.S., adequate measures must be taken, such as the EU Standard Contractual Clauses. For these and other practical issues, good arrangements make good friends (and ensure GDPR compliance).
 
