Due diligence

Typical areas

What are the typical areas of due diligence undertaken in your jurisdiction with respect to technology and intellectual property assets in technology M&A transactions? How is due diligence different for mergers or share acquisitions as compared to carveouts or asset purchases?

Typical areas of intellectual property and technology due diligence undertaken in Germany with respect to technology M&A transactions include:

  • identifying all registrations and applications for IP assets owned by the target and confirming the status, lien status, chain-of-title, expiration date (if applicable), scope of protection and ownership thereof;
  • identifying all other IP assets (ie, unregistered intellectual property and IP assets that are not capable of registration) owned or used by the target and confirming the ownership thereof, any restrictions thereon, and the target’s scope of rights therein;
  • reviewing and analysing the target’s agreements with past or present employees, independent contractors and consultants with respect to the creation and ownership of IP assets and the use and disclosure of trade secrets and other confidential information;
  • identifying and determining the scope of licences-in and licences-out in respect of IP rights granted by or to the target;
  • reviewing and analysing all other IP-related agreements (or intellectual provisions in agreements), including research and development agreements, consulting agreements, manufacturing, supply, and distribution agreements, settlement agreements, and IP licensing and assignment agreements;
  • determining and analysing the target’s process for IP clearance, protection, and enforcement and for protecting trade secrets and confidential information;
  • determining and analysing any past, present, or threatened intellectual property-related claims or disputes involving the target, such as infringement actions, cease-and-desist letters, requests for intellectual property-related indemnification, disputes with past or present employees or contractors, and claims for remuneration for the creation of intellectual property;
  • reviewing and analysing the target’s processes and procedures for developing software code, including identifying open source or copyleft code, reviewing source code scans and identifying third-party access to code as well as the target’s processes and procedures in respect of employee inventions;
  • reviewing and analysing agreements and rights with respect to information and communication technology assets and equipment;
  • where the target’s business is subject to regulatory requirements with regard to technology (eg, applicable to technology outsourcing in the financial industry sector), reviewing the target’s compliance with such requirements;
  • reviewing the target’s compliance with privacy and data protection laws, contractual obligations and company policies;
  • vetting the extent and ramifications of any privacy or breaches or security incidents; and
  • determining whether and what rights to process and use personal data will be available to the buyer.

Although the due diligence process for share deals and carveouts or asset purchases are similar, there are several key differences.

Where a business to be divested is not organised in the form of separate legal entities, the assets, contracts, rights, liabilities, employees and other resources pertaining to the business will have to be carved-out from existing legal entities. As part of such transactions, an additional focus of due diligence is identifying and understanding:

  • what is within the scope of the transaction and what is not;
  • which resources have to be and can be transferred;
  • whether there are any such resources that are in shared use;
  • which activities are required to separate the business; and
  • which interdependencies exist between the business to be divested and the business to be retained.

Where carveout or asset purchase transactions require the assignment and transfer of IP rights, the buyer should confirm that all desired IP assets may be transferred (and are properly transferred) under applicable law. The buyer should ensure that any shared rights in intellectual property are properly allocated (usually on the basis of concepts of exclusive use or predominant use) and cross-licensed between the parties post-closing in appropriate fields of use.

If source code or data is being transferred, the right of the seller to transfer any third-party code (including open source) or third-party data (including personally identifiable information) should be properly vetted.

With respect to mergers or share acquisitions, the buyer should review material intellectual property, information and communication technology contracts to determine whether they include change of control provisions triggered by the contemplated transaction, whereas for carveouts or asset purchases, the buyer should analyse any anti--assignment provisions triggered by the contemplated transaction. In Germany, where a contract is silent on transferability of the contract as a whole, consent by the third-party counterparty to the transfer is required.

German law also provides for transfer of assets by way of (partial) universal succession in the context of transformations under the German Transformation Act (such as statutory mergers or hive-downs). It requires a case-by-case analysis whether assignment restrictions or change of control termination rights may have an impact in the context of such transformations.

If a carveout or asset-purchase transaction does not include all employees relevant to the purchased IP assets or business, the buyer should perform sufficient diligence to confirm that there is no ‘key person’ risk, whether the seller will need to give or receive any (transitional) services, whether any information and communication technology systems or data will need to be migrated or separated, and whether the buyer will be able to use, maintain and exploit the purchased IP assets post-closing.

Customary searches

What types of public searches are customarily performed when conducting technology M&A due diligence? What other types of publicly available information can be collected or reviewed in the conduct of technology M&A due diligence?

Counsel for the buyer typically conducts:

  • searches of publicly available databases (including the German Patent and Trademark Office and domain name registries) to identify and confirm the status, chain-of-title, expiration date (if applicable), scope of protection and ownership of the registered IP rights purportedly owned by the seller;
  • trademark clearance and availability searches may be performed to identify potential third-party trademark rights, or ‘freedom to operate’ searches may be performed to identify potentially problematic patents;
  • searches of websites owned by the target to analyse privacy policies, terms of service and other publicly available information regarding the target; and
  • if the target is a public company, searches for public disclosures, such as annual reports.
Registrable intellectual property

What types of intellectual property are registrable, what types of intellectual property are not, and what due diligence is typically undertaken with respect to each?

A copyright is not registrable (but authors of anonymous works can apply for registration in a separate register to extend the duration of protection). All IP rights mentioned in the last paragraph of the answer to question 1 other than copyright are capable of registration.

For IP rights that can be registered and domain names, typically register searches are conducted to assess if the target is the registered owner. Since domain name registrars, in the context of the GDPR, have drastically reduced the scope of information that can be retrieved via ‘whois’ queries without demonstrating a legitimate interest, domain name searches in these registers may become less important going forward.

For non-registrable IP rights, review of underlying employment, development, contractor or licence agreements is important to determine their scope or the relevant rights to use and licences.

Liens

Can liens or security interests be granted on intellectual property or technology assets, and if so, how do acquirers conduct due diligence on them?

Liens and security interests (including security assignment) can be granted on intellectual property. Liens and security interests in trademarks can be registered in Germany, but there is no obligation to do so.

Employee IP due diligence

What due diligence is typically undertaken with respect to employee-created and contractor-created intellectual property and technology?

With respect to contractor-created intellectual property, the underlying development or contractor agreements are reviewed for clauses addressing the allocation, transfer and licensing of the IP rights created by the contractor.

The same applies with respect to employee-created intellectual property, it being understood that statutory law in respect of some forms of IP rights provides for legal presumptions or grants of rights regarding employee-created intellectual property. Inventions created or conceived by employees in connection with their employment are subject to a specific regime under which the employee has to notify its employer of the invention. If the employer claims the invention, all title, right and interest is acquired by the employer. The same applies if the employer does not release the invention within a specified period of time. The employee then has the right to claim an appropriate remuneration. As part of customary due diligence, typically the processes and procedures in place at the target are reviewed and any outstanding amounts of employee inventor remuneration or any disputes in connection therewith are sought to be identified.

Transferring licensed intellectual property

Are there any requirements to enable the transfer or assignment of licensed intellectual property and technology? Are exclusive and non-exclusive licences treated differently?

In general, the terms of a licence agreement govern whether the licence can be transferred or assigned. If the licence is not only a pure right of the licensee, but the licensee also assumes obligations under the licence, transfer of the licence requires a transfer of agreement, which requires the counterparty’s consent (which may also be given in advance and is often given in advance to facilitate transfers to affiliates).

Regardless of the above, the transfer of copyright licences in general requires the consent of the copyright owner.

Software due diligence

What types of software due diligence is typically undertaken in your jurisdiction? Do targets customarily provide code scans for third-party or open source code?

Software due diligence generally consists of the following steps (in no particular order):

  • What kind of software is involved? Proprietary, self-developed, purchased, open source?
  • Who developed the software? Have all rights to the software been allocated or transferred to the target to allow the use of the software for the intended purpose?
  • Is the scope and term of the licence appropriate for the intended purpose?
  • Do the relevant software agreements contain any termination rights or change-of-control clauses that would enable the respective licensor to terminate the licence?
  • For open source software and for software that includes any open source components or libraries, have these parts and the corresponding licence terms been identified accordingly?

Where software is ‘a’ or ‘the’ key asset, source code may be scanned by specialised providers for open source components or vulnerabilities within the source code.

Other due diligence

What are the additional areas of due diligence undertaken or unique legal considerations in your jurisdiction with respect to special or emerging technologies?

In due diligence involving artificial intelligence products, the following points may be considered:

  • the rights in and to the artificial intelligence (ie, the software itself, and the resources and databases it is based on); and
  • the ownership in IP rights for something that the artificial intelligence may be able to create (whereby it is worth noting that current German copyright law and patent law envisages a natural person as an author).

Additionally, depending on the field of use, further specific regulations may have to be observed and compliance may have to be checked.

As regards autonomous driving, unique legal considerations include the liability for decisions taken by the autonomously driving vehicle, in particular in case of death, bodily injury or damage to property caused by such decision.

Big data raises legal issues mainly in respect of data protection and data security compliance, where personal data is part of the big data. Key issues to be considered in this context are:

  • Can valid consent of data subjects for processing of their personal data be obtained in a situation where the scope and purpose of the processing is not yet defined when the personal data is collected?
  • Do data points, which in themselves do not allow to identify a natural person, become personal data because, when taken together with other data points included in the big data, they allow such identification?