What is Personal Data?
Personal data means any information that can be used on its own or in combination with other information to directly or indirectly identify a specific person (the "Data Subject"). Examples of personal data include (but are not limited to) a person's name, their employment ID number, their image or online identifiers from which they can be identified (such as an IP address).
In order to process personal data one must have a lawful basis to do so. Processing includes storing, collecting, retrieving, using, combining, erasing and destroying personal data. There are a number of lawful bases available. The consent of the data subject is a very common lawful basis on which to rely, although that will rarely be a practical approach in the context of organising a merger or acquisition.
The GDPR provides additional protection for 'special categories' of personal data, for example personal data revealing racial or ethnic origin, trade union membership or data concerning health. Processing of special category data is prohibited except in limited circumstances. These circumstances include where processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller as employer, where there is a legal ground to do so under EU or Member State law, or where the Data Subject explicitly consents to the processing of his/her special category data.
Processing Personal Data in an M&A Transaction
Parties to an M&A transaction and their advisors will exchange information on a target business directly or through a virtual data room ("VDR").
This exchange facilitates the due diligence process and the information disclosed is often utilised at the disclosure stage of the transaction. Typical examples of personal data disclosed in a VDR include the following:
- Employment contracts or documents listing employees and any additional personal details (such as salary, medical conditions, driver licence information etc.).
- Supplier contracts or customer contracts which include individuals' names, addresses, bank account/credit card information and signatures in these contracts.
- Key contact lists.
This exchange of personal data falls within the definition of 'processing' for GDPR purposes.
Lawful bases for processing personal data:
- the consent of the individual
- performance of a contract
- compliance with a legal or regulatory obligation
- necessary to protect the vital interests of a person
- necessary for the performance of a task carried out in the public interest
- in the legitimate interests of company/organisation (except where those interests are overridden by the interests or rights and freedoms of the data subject)
Processor v Controller Roles in M&A
A 'controller' is a person, company, or other body which decides the purposes and means of processing personal data. In an M&A context this is most likely to be the seller or the target entity itself.
A 'processor' is a person, company or other body which processes personal data on behalf of the controller. In the M&A context, the VDR provider is most likely a processor as they are merely hosting data on behalf of the controller. An advisor (including a law firm or corporate finance advisor) may also be acting as a processor to the extent that they are merely hosting or making personal data available to the other parties. It is possible for a party to be acting separately as both a processor and a controller depending on their role.
A party who is acting as a bidder may also be the controller of the personal data processed where they process it for their own purposes (i.e. determining whether or not to buy the target company).
Any party which accesses a VDR containing personal data is going to be either a processor or a controller of data and should consider their obligations under data protection law.
The Seller's Obligations as Controller
The determination as to whether a party is a controller or a processor is ultimately one of fact. Let us assume that in a typical transaction, the seller is the controller of the personal data which is made available in the VDR.
This being the case, the seller will need to satisfy itself that it can meet a number of GDPR requirements.
In the first instance, it will need to consider the transparency obligations of the GDPR. In a typical transaction, the most common type of personal data in the VDR will relate to the employees of the target company. In order to share this data with third parties via a VDR, the employees should be on notice of the possibility that this might happen. This is commonly addressed (for example) in an employee facing privacy statement.
In addition to the above, the seller would need to consider whether it can meet the requirement of having an appropriate lawful basis for making this data available for review by third parties (as set out above).
If the seller cannot meet the transparency requirements, or cannot confidently rely on an appropriate lawful basis for making the data available, there are other options open to it. For example, steps could be taken to effectively anonymise the data in advance of sharing. The removal of personal identifiers should not, for the most part, impact on a buyer's ability to carry out due diligence on the data set. This anonymisation process also has the benefit of adhering to the general data minimisation principles which are enshrined in the GDPR.
However, the commercial realities of a transaction may make full anonymisation difficult to achieve. From an efficiency and cost perspective the parties may consider that anonymising a large unstructured dataset is not achievable and the buyer may require certain due diligence information which, even if anonymised, will potentially render the data subject identifiable (for example the salary information about senior executives).
Even if efforts are made to remove all direct or obvious identifiers, such that individuals are not 'identified' in the data, the data will still amount to personal data if it is possible to link any Data Subjects to information in the dataset. Account should be taken of all the means reasonably likely to be used, either by the controller or by another person, to identify the Data Subject.
Tips for anonymising Personal Data:
- redaction of special category personal data and personal data
- using sample form contracts (instead of disclosing each original contract)
- compiling summaries or aggregating information relating to personal data so that Data Subjects are not identifiable
Security and Confidentiality
In addition to the above, the seller (as controller) will have a separate obligation to ensure that any personal data shared is kept securely and maintained in confidence.
It is of utmost importance to exercise caution when appointing a party to establish and run a VDR. The VDR provider will need to be able to secure the data and maintain its confidentiality.
Each party who has access to the data should be bound by confidentiality obligations, for example, a non-disclosure agreement ("NDA"). Parties should consider explicitly incorporating GDPR protections in the NDA. This is important to mitigate the risk to the seller, as controller. It gives the seller an ability to sue the recipient of the disclosed information where a data protection breach or issue arises as a result of acts or omissions of the buyer/recipient and additional control over the personal data it discloses.
The NDA could include the following obligations:
- comply with relevant data protection and privacy laws
- take security measures to guard against data breaches and notify the buyer if there is a data breach
- restrict/prohibit onward transfers and processing of personal data outside the EEA
There are a number of other, practical ways in which the security and confidentiality of the personal data in a VDR can be maintained. For example, access to the VDR should require login/password details (in the usual way), and the seller should have the ability to monitor the data being accessed. A seller may also direct that downloading and printing of information containing personal data is restricted.
Where an acquisition of a business results in a change to the identity of the controller (this might particularly be the case in an asset sale rather than a share sale), the new controller should take steps post-transaction to notify the data subjects of the change.
Conclusion
Awareness of data protection obligations has increased dramatically in recent years. Breaches of the GDPR can carry significant downside for companies (including the potential for administrative fines and regulatory investigations). All the parties to an M&A transaction, including their advisors, would do well to be cognisant of their own obligations towards data subjects in structuring the M&A transaction process.