GDPR meets corporate: (new) opportunities in an M&A case

16.08.2019 EU law

The GDPR is everywhere, including in M&A cases. This article covers some practical points on how to cope with the GDPR during a deal, from beginning to end.

The GDPR. Not a day passes without hearing of it: fines are issued, additional guidelines are released, privacy is infringed by eavesdropping practices… It is clear that the GDPR is not only relevant for privacy policies and data processing agreements. In one way or another, it plays a role in almost every industry and every process. During corporate transactions, too, the GDPR turns out to have a significant impact. According to Merrill, the provider of DatasiteOne data rooms, 55% of the M&A practitioners questioned believe transactions are failing or stalling due to GDPR compliance concerns and the accompanying risks or fines. This post focuses on the intertwining of the GDPR and corporate matters, and more specifically on the opportunities the GDPR can offer in an M&A case.

Personal data in an M&A case

An M&A transaction is structured as a share deal, as an asset deal or as a combination of both. In any deal, multiple data flows will be exchanged between the parties, including personal data. The amount of personal data will vary depending on the object of the transaction: an industrial glue company will process a lot less personal data than a B2C digital platform. It goes without saying that data, including personal data, are considered an asset of a company, so that non-compliance with the GDPR can cause an economic loss to the business. Throughout the M&A process, all actors can secure or improve GDPR compliance in different ways.

Setting up your data room

For the target, a correct set-up of the data room will be of utmost importance. This data room will (almost always) be a virtual data room to which many actors may have access: target and seller group personnel, candidate-buyers, financial advisors, legal advisors, credit institutions, etc. The scope of the data room, i.e. how much data the data room contains, can evolve throughout the M&A process: typically, less information will be provided during a first round, while full disclosure of all information relevant to the transaction will be the standard when only one or two potential buyers are (still) in the running. However, the target must keep in mind the general principles of the GDPR, so that no more personal data than necessary to achieve the purpose may be made available. Several precautions are at your disposal to abide by these principles: besides a typical NDA, security measures and technical restrictions on the processing are also possible. Think about encryption, blacklining, no printing or downloading, provision of templates where possible (e.g. of the employment contracts), restricted access rights per domain, etc. A disaster recovery plan and steps to have the data deleted or returned after the due diligence process are also recommended.

GDPR on the due diligence checklist

For the potential buyer(s), there are also some points of attention while conducting the due diligence exercise. GDPR compliance is often underestimated in determining the scope of the due diligence. However, given the importance of data as an asset of the company, it is recommended to conduct a transversal due diligence exercise to verify whether the target company complies with the basic principles of the GDPR. Such transversal GDPR due diligence will often consist of a review of the policies and procedures in place, the existing data processing agreements and the data register. It may also go further by, among other things, assessing the governance and decision-making process on processing of personal data, the awareness trainings, the notifications to the competent DPA(s), the appointment of a DPO, the roles and responsibilities regarding processing of personal data, the measures taken for data transfers and the steps taken regarding privacy by design and privacy by default. While the operational and security measures within the company are often part of an IT due diligence, the set-up and output are not always considered from a GDPR perspective.

Remedies

If, after the due diligence phase, the parties reach an agreement with respect to the transaction, they will sign a contract to seal the deal. Such an agreement can be a share purchase agreement, an asset purchase agreement or a combination of both. Where specific infringements were spotted during the due diligence process, the buyer will have to consider, in light of their seriousness, whether it expects the seller to remedy such breaches pre-closing, or to bear the economic risks (such as fines or damages) related to them. For infringements that can be fixed relatively easily (e.g. no DPO was appointed), a condition precedent may be appropriate, requiring the seller to remedy the breaches even before completion of the transaction. Where an identifiable risk, such as missing data processing agreements, is spotted during the due diligence phase, a specific indemnity or price correction could offer a solution. Finally, risks of non-compliance with the GDPR that have not been revealed during due diligence should be covered by a warranty to ensure the correctness of measures taken or the current state of affairs, e.g. that the company fully complies with the GDPR, that there is no pending litigation on data protection or that no data breaches have occurred in the last 3 years. While the former two means of protection depend on the importance of both data protection and the breach itself on the one hand, and the bargaining power of the parties on the other hand, and are therefore less common in practice, a data protection warranty is a must in each M&A contract.

Accompanying measures

Besides the share or asset purchase agreement, other agreements may also be needed to cover other practical issues after sealing the deal. For instance, in case of an asset deal, the data subjects must be informed of their new data controller and possibly their consent must be obtained as a legitimate ground for the transfer. Also, if personal data is transferred outside of the European Economic Area, e.g. because the data is stored on a server in the U.S., adequate measures must be taken, such as the EU Standard Contractual Clauses. For these and other practical issues, good arrangements make good friends (and ensure GDPR compliance).
 
