The General Data Protection Regulation (EU) 2016/679 has overhauled EU data protection law and plays an increasingly important role in M&A transactions. The new regime imposes civil sanctions for breach (and, under national law such as the UK's Data Protection Act 2018, criminal offences), brings increased enforcement action by regulators (including substantially higher fines) and carries the risk of reputational damage to both sides and their advisers when things go wrong. Companies operating in the EU, or acquiring companies there, will also need to consider national implementing legislation (the Data Protection Act 2018 in the UK) and how it interacts with the GDPR and other privacy rules at every stage of a transaction, from heads of terms to post-completion.
Whether acting as buyer or seller, companies should be aware of the sheer volume of personal data handled throughout an M&A transaction and the data protection issues that arise at each stage. Personal data covers a vast range of information types, from employee CVs stored in a data room to IP addresses collected by the target. Even in straightforward 'bricks and mortar' transactions where personal data is not core to the seller's business, the data captured and processed is likely to include employment contracts, information about disputes and key contracts with suppliers.
There will always be a tension in M&A transactions between compliance with data protection legislation and the need to respect commercial sensitivity and confidentiality, particularly if the transaction involves publicly listed securities. Ultimately, what to hand over and when is a risk-based decision for the seller to take.
Handling data during a transaction
Accountability – both buyer and seller need to identify a lawful basis in line with the GDPR for processing personal data they share and receive during a transaction and consider accountability as part of their broader compliance framework, which means not only achieving compliance but being able to demonstrate that compliance.
Initial scoping of transaction – companies should consider data protection issues even before exclusivity agreements or heads of terms are signed. In the early stages of discussions the NDA should include robust protections for personal data shared between the parties, in addition to the usual confidentiality undertakings. The buyer may seek a warranty from the seller that it is lawfully entitled to share the data in the context of the transaction (so that the buyer can be sure it is not engaging in unauthorised processing). Provided the seller has assessed its own data processing environment and taken steps to ensure it is GDPR compliant, which will include having internal policies in place to meet the lawful processing and transparency requirements, this should not be too contentious.
Data room considerations – disclosure of personal data as part of data room set-up may constitute a restricted transfer under the GDPR where the data room is hosted, or accessed, outside the EEA. The seller will need to ensure that the entity hosting the data room has, as processor, provided sufficient safeguards to protect the data, particularly where it leaves the EEA. Adherence to the data minimisation principle is crucial: the seller should only upload personal data that is strictly relevant and necessary for the purpose of evaluating the target or asset, and should redact or anonymise anything redundant. 'Special category' personal data concerning employees (e.g. racial or ethnic origin, political opinions or health data) is subject to greater controls under the GDPR, so it is important to take extra measures such as confining any such data to specific folders with enhanced access controls and a separately maintained access list.
Due diligence – both sides should carefully consider who is granted access to the data room and ensure that the terms and conditions of access are sufficient. The buyer should limit internal and external distribution of personal data to reduce its own exposure. The seller should have already considered whether its privacy policies adequately notify the relevant individuals (employees, vendors, customers etc.) that their data could be shared with potential buyers as part of an M&A transaction but it is important to check and update to plug any compliance gaps.
Security – M&A transactions have long been a target for attackers seeking to profit from inside information or advance knowledge of a deal, and during a transaction data is processed and transferred outside the normal systems and controls of both the seller and the buyer. Careful consideration needs to be given to how data is handled throughout the transaction, including the security of third party advisers who receive it, to minimise the risk of data loss or unauthorised access.
Negotiations – don't forget that the data protection provisions in the NDA are likely to expire when the sale and purchase agreement is entered into. Both sides should ensure that the provisions are mirrored in the purchase agreement.
Releasing employee data
Consent – the seller should avoid relying on consent as the lawful basis for disclosing employee personal data to the buyer as the GDPR is more prescriptive with regard to the requirements for obtaining consent. For years data protection authorities have questioned the validity of consent in the employment context as it is very rarely "freely given". The European Data Protection Board has confirmed that consent can only be an appropriate lawful basis if a data subject is offered genuine control and choice with regard to the processing of data which is often not the case in employment scenarios.
Other lawful bases – for contracts relating to senior employees involved in the transaction, the seller may be able to rely on "legitimate interests" from the start of the transaction. For the wider pool of employees, the more appropriate lawful basis for processing may be "necessity for compliance with a legal obligation", particularly where there is a TUPE transfer and consultation process as part of an asset sale. Additional conditions need to be satisfied if the data is special category data. For example, the seller may be able to argue that processing health data about disabled employees is necessary for the purposes of carrying out its obligations in the field of employment law (one of the conditions for processing special category data under Article 9 of the GDPR, which must be met in addition to the Article 6 lawful basis), as this is required under health and safety law.
Disclosure bundle – personal data may go unnoticed in key documents which could leave both sides exposed. For example, there may be lengthy descriptions of employee settlement agreements or employee disputes in the disclosure bundle. There may also be bonus details or addresses of individuals who are not party to the purchase agreement. When preparing the disclosure bundle, the seller should check that any personal data is redacted or anonymised.
Split signing and completion – it is important to consider the timing of the release of personal data relating to employees, vendors and the target's client base. Where the target or asset needs to be integrated into the buyer's business between exchange and completion, any personal data should be provided in non-identifiable form wherever possible. So, instead of providing granular data, the seller could provide statistical information about employees or model employment contracts containing the standard terms and conditions of employment. With regard to customers/clients, general information such as age/geographic data, size and frequency of purchases, types of products or services purchased etc. could be shared.
Transparency – even though the target will continue to be the controller post-completion in the context of a share sale, it will need to consider whether there will be a change in the purpose or use of personal data as a result of the transaction. If there is, as a minimum, it will need to update its privacy policies to reflect these new purposes. In an asset sale the buyer becomes the controller of the transferred personal data and will likewise need to update its privacy notices to the individuals concerned.
Security – the buyer should ensure that the security of its systems (and any legacy infrastructure) is adequate to protect personal data received as part of the purchase. The buyer should assess the risks attaching to the seller's systems and to the integration of those systems and the seller's data into its own. The buyer should also consider a forensic analysis of the seller's systems to identify any historic issues, such as unlawful access or malware, which could pose significant business risks if not quickly identified and remediated.
Transitional services – where there is a transitional services agreement (TSA) in place that envisages data migration post-completion, the buyer will need to go through a thorough data mapping exercise to ensure that the data will be protected, particularly where it may leave, or be accessed from outside, the EEA.
Data retention – personal data should not be stored after a transaction by seller or buyer simply because it is easier and cheaper to retain it than to erase it. There may be a legal obligation on either side to retain it but where a transaction is particularly data-rich there will need to be a broader analysis of the value behind retaining each data category using a risk-based analysis. The seller should ensure that the data room is closed as soon as possible following completion.
Direct marketing – the buyer should be mindful of the e-Privacy regime if direct marketing is critical to the business being acquired. Given the nature of the direct marketing rules and the fact that third parties need to be named in any opt-in consents collected by the seller, structuring the deal as a share sale can be more advantageous than an asset sale. The reason is that in a share sale the target company that collected the contact details remains the same legal entity, so it is more likely to be able to continue relying on the 'soft opt-in' for promotional activity in the UK; in an asset sale the buyer is a third party that the original consents are unlikely to have named. The marketing rules in other EU jurisdictions are stricter and require express opt-in consent, strengthening the argument for a share sale if the target is reliant on direct marketing.
International data transfers – depending on the location of the target and any subsidiaries, international transfers of personal data may be an issue for the buyer to remediate post-completion. The default position when the UK leaves the EU is that it becomes a 'third country' for transfer purposes. This means the UK will either need an 'adequacy decision' from the European Commission, or the buyer group will need to use one of the legally recognised data transfer mechanisms, such as standard contractual clauses, to export EEA data to the UK.