Organic Law 3/2018, of December 5, on Data Protection and Guarantee of Digital Rights (LOPD) has not only adapted the national legal system to the General Data Protection Regulations (RGPD), but has also introduced clarifications that They will help responsible and treatment managers to carry out treatment operations with greater legal security.
This is the case of the processing of personal data made in the framework of due diligence processes , since the new LOPD provides, finally and expressly, the legality of these treatments.
The exchange of personal information that occurs between participating entities prior to the completion of a corporate transaction or company purchase is evident. Thus, so that the purchaser, absorber or assignee of a branch of activity -under whatever title- has a good knowledge of the entity that is willing to buy, absorb, or receive by virtue of the corresponding transmission, access to Personal data relating to workers, customers and suppliers can be presented as a determining factor for the successful completion of the operation.
The already repealed Regulation of development of the also repealed LOPD of the year 1999 established a legal fiction applicable for operations of structural modification or transmissions of business or branch of activity according to which, once formalized the corporate operation, it was allowed to continue with the treatment originally performed by the previous person in charge, being that the communication of data in favor of the new responsible person resulting from the operation was not considered as a transfer of data. Therefore, it was not necessary to have the consent of the interested parties, but it was enough to inform them about the succession in the condition of the person responsible for their data.
Now, what happened in practice when, for example, the absorbing entity in a merger claimed to have access to personal data of the absorbed entity before the execution of the operation? In my opinion, this situation generated problems, especially when this treatment was necessary for the effective completion of the operation, since it was not clear whether the new data had access to data before concluding the operation.
This led to the issuance of several reports by the Spanish Agency for Data Protection (AEPD) in which it declared the viability of prior access to personal data (see report number 518/2009, where in the framework of a merger initiated and not concluded, the access of the absorbing entity to data of the absorbed entity is allowed to allow the integration of the information systems of both entities, in the same sense, see the report number 194/2017 that analyzes the preliminary draft of the current LOPD).
In the new LOPD, the national legislator wanted to echo these pronouncements of the AEPD. In fact, article 21.1 presumes the lawful processing of data derived from any operation of structural modification or the contribution or transmission of business or branch of business activity, including prior communication.
Certainly, and based on the cause of legality of the legitimate interest, data communications are allowed before the achievement of the operation, because the legislator understands that they are necessary for the successful completion of the operation and can even guarantee the continuity of the operations. services that could be provided to the interested parties. Therefore, we can affirm that the access to data in the framework of the due diligence that entails the transmission of data from the ceding company to the cessionary company can be understood to be covered by this new precept.
However, it must be taken into account that until the operation is concluded, it will not be possible for the data assignee to use it for any purpose other than the correct achievement of the data, which will only be possible at the time of its conclusion.
On the other hand, nothing says the law regarding the obligation to inform interested parties about the communication of data made in the framework of these processes, which, in my opinion, remains equally applicable. Now, if it is considered that the fulfillment of the duty to inform can seriously affect the achievement of the objectives of the previous data communication, then said duty would not be mandatory.
Lastly, article 21.2 of the new LOPD obliges the assignee of the data to delete them in case the operation does not reach a successful conclusion. And this is totally logical to be yes, given that access to data would have been limited to the stated purpose (the successful completion of the operation), without the possibility that the participating entities can keep personal information of others.