This article is an extract from GTDT Practice Guides: Swiss M&A.
Applicable law in transactions with international reach
Most M&A transactions involve parties – including employees, service providers such as providers of data rooms, M&A advisers, and law firms – located outside of Switzerland. Whenever this happens, the data protection laws that apply to these parties and their relevant processing ratione loci must be determined first.
Where a claim for an alleged breach of data protection law is brought to a Swiss court by the affected person (the data subject or subject), the applicable law would be determined by that court in accordance with article 139 of the Swiss Private International Law Act (PILA). Under this provision, the following laws may apply:
- the laws of the country where the subject has their ordinary residence, provided the alleged infringer could reasonably have known that its processing may affect subjects in that country;2 or
- Swiss law, where the alleged infringer has their seat or residence in Switzerland.3
It is for the subject to opt for either of these laws.4 If the subject does not opt for the applicable law, the court will be able to opt in its place.
For example, if a Swiss company sells shares in a French subsidiary to a German buyer and is alleged to have unlawfully disclosed sensitive data about employees of the French subsidiary to the prospective buyer, the affected employees may bring a claim before a Swiss court5 and opt for either French law (including the EU General Data Protection Regulation (GDPR)) or Swiss law to govern the claim.6
Moreover, the parties to a transaction will be subject to the GDPR if they have an establishment in an EEA country7 (or subject to the UK GDPR, if they have an establishment in the UK). For example, a share purchase agreement or even a prior non-disclosure agreement between a Swiss and a French company, or between a German and an Italian company, will frequently include data protection provisions that refer to or are based on the GDPR. In addition, the GDPR may apply where assets transferred to a bidder or buyer in an asset deal include personal data for which the seller is subject to the GDPR; that is, data whose processing by the seller is or was related to offering goods or services to individuals in the EEA, or to the monitoring of their behaviour.8 For example, where a Swiss company targets end customers in Germany and sells its business to a Swiss buyer, the asset transfer agreement should include provisions to protect the privacy of the end customers under the GDPR. In all these scenarios, the data recipient may wish to have some form of undertaking or warranty in order to hedge his or her risks arising from a potential breach in relation to data received from the prospective seller.
Revision of Swiss data protection law
In Switzerland, data protection is primarily governed by the Federal Data Protection Act (FDPA) and the Ordinance on the Data Protection Act (FDPO). The FDPA is currently under revision, in order to implement the Council of Europe’s revised Convention 108 and to align with the GDPR. The final text of the revised FDPA (rev-FDPA) was passed in Parliament on 25 September 2020,9 and it is expected that the rev-FDPA will enter into force by the end of 2022. As a rule of thumb, GDPR compliance will imply compliance with the rev-FDPA, but contracts, policies and notices drafted in accordance with the GDPR will need some localisation for Switzerland. Along with the FDPA, the FDPO will be revised (rev-FDPO). A draft of the rev-FDPO should be published around June 2021 and will then be discussed in a public consultation.
As of today, the FDPA is much less onerous than the GDPR, and sanctions are low and rarely enforced in practice. Compliance with the FDPA is therefore driven by reputational risk as much as legal risk. Under the rev-FDPA, however, legal risk will increase substantially. On the one hand, the Swiss data protection authority, the Federal Data Protection and Information Commissioner (FDPIC), will have a right to issue binding orders (eg, to cease a particular processing activity, to inform data subjects, etc), which it cannot do under the current FDPA. On the other hand, the individuals responsible for certain breaches of data protection law may be personally liable to fines of up to 250,000 Swiss francs, provided they have acted intentionally and a criminal complaint is filed. Not all breaches will be liable to fines, however. For example, failure to erase personal data in time will not lead to a fine, whereas giving incorrect information to subjects making an access request, failure to comply with the information obligation, transfers abroad in breach of transfer restrictions or the use of processors without the required controls will be liable to a fine.
Data protection in M&A
In the context of M&A transactions, the relevance of data protection law may be grouped broadly in the following categories:10
- Due diligence phase: a prospective buyer or bidder or, in the case of a vendor due diligence, the seller of shares or assets will require some personal data for their due diligence assessment, at least with regard to key employees.
- Asset deal: where a transaction is for assets that include personal data (eg, a customer base or a database with direct marketing information), the transfer of assets and the subsequent use of personal data by the buyer raises data protection questions.
- Share deal: in the case of a share deal, there are usually fewer concerns about data protection, but the due diligence phase may be even more important.
- Purchase agreements: with an asset deal as well as a share deal, the buyer will usually seek reassurance by incorporating warranties into the purchase agreement.
- Service providers: where service providers are involved, they may act as ‘data processors’ on behalf of a party or the parties to the transaction acting as controllers, which requires a data-processing agreement.11 Other service providers such as tax, finance and legal advisers usually act as separate controllers, which does not require a data-processing agreement but may raise other data protection questions.
In addition, the communication between the parties requires the processing of personal data at least with respect to the contact persons. However, since this processing is not different from similar processing in other circumstances, it will not be addressed further.
Overview of applicable restrictions
Most data protection laws, including the GDPR, the FDPA and the rev-FDPA, follow a similar pattern.12 They set forth general principles, which are broad and somewhat vague in nature but may be directly enforceable nonetheless, and which are complemented by a number of more detailed requirements (very detailed, in some instances). For example, the GDPR requires all data processing to be lawful, fair and transparent and as unintrusive as possible,13 but what is lawful is subject to detailed provisions,14 and transparency is regulated comprehensively as well.15 In addition, transfers of personal data abroad are restricted,16 data processors must be bound by an appropriate agreement,17 and data subjects have a number of rights,18 most importantly the right to learn about the processing of their data. In addition, controllers are under an obligation to document their data processing and maintain a record of processing activities.19
To allocate the obligations to comply with these requirements, data protection laws make a distinction between the controller on the one hand, and the processor on the other. ‘Controller’ means the party that drives the processing, that determines its purposes and its ‘means’, that is, how the processing plays out – for example, which protective measures are applied, how long data is kept and who will have access to the data. A ‘processor’, on the other hand, is a party that processes data on behalf of and only for the purposes of the controller; for example, the provider of a data room.20 These concepts are rather fluid, and what complicates matters is that several parties can share the role of controller if they determine jointly the purposes or means of the processing. Where this applies, under the GDPR, the joint controllers must allocate the various obligations under the GDPR through an agreement with each other and must tell the data subject who has which responsibilities.21
Due diligence phase
In the due diligence phase, the data protection principles mentioned above require the controller to plan ahead and consider data protection restrictions throughout the due diligence phase. The most important points are set out below, without claiming completeness.
Under the GDPR, all processing must be ‘lawful’, which means it must be based on one or several of the legal grounds provided by the GDPR. With regard to a due diligence assessment, ‘legitimate interest’ will generally be the most likely ground. The interest in carrying out a due diligence assessment constitutes an important legitimate interest for both the seller and the prospective buyer or buyers.22 Where this interest is not outweighed by contrary interests of the subjects, it provides a legal ground for the processing. As a rule, the interests of the parties to the transaction will prevail so long as the data disclosed is as narrow in scope as reasonably possible, is not disclosed prematurely (eg, only to a buyer with a genuine interest in the transaction, or to the remaining bidders after a first round) and is protected by a non-disclosure agreement that prevents the recipient from disclosing or repurposing it.23
However, legitimate interest does not justify the processing of sensitive data (‘special categories of data’ in GDPR lingo). For sensitive data, such as health data, genetic or biometric data, data revealing racial or ethnic origin, or data concerning a natural person’s sex life, etc,24 the only legal ground available in M&A transactions is explicit consent.25 In other words, the seller will not be permitted to disclose sensitive data to a prospective buyer, unless the subject has been informed in sufficient detail about the disclosure and has provided their free, specific and explicit consent and has not withdrawn consent.26
Unlike the GDPR, the FDPA (and the rev-FDPA) does not require a legal basis for the processing of personal data. However, the situation is slightly different for employee data. Employers cannot process employee data unless the processing is necessary for the employment,27 which raises the question of whether disclosing employee data ahead of a potential transaction is necessary for the employment. The question remains open, but writers addressing this question specifically remain sceptical in this regard, except perhaps for key employees. Moreover, it is questionable whether the processing of employee data for purposes not necessary for the employment may be justified by a prevailing interest. If a seller applies a cautious approach, collecting employee consent may be an option, although this raises additional questions.28
Where personal data is transferred abroad to a recipient in a country that is not considered to provide adequate data protection (and that is not certified under the Swiss–US or EU–US Privacy Shield, for transferees located in the US),29 the transferor will need to ensure that the transfer is based on adequate safeguards, such as the EU Model Clauses30 (usually slightly tweaked where data is transferred from Switzerland in order to account for Swiss law). A seller and prospective buyer may therefore need to enter into an agreement incorporating the EU Model Clauses in order for the seller to be able to transfer personal data to the buyer. In accordance with the European Court of Justice’s Schrems II ruling, additional technical and organisational measures may be required for transfers to the US and other countries.31
Data minimisation, proportionality, purpose limitation and data security
The principles of proportionality, data minimisation and purpose limitation32 require the parties to consider carefully the extent of personal data to be disclosed to the prospective buyer, and the time when personal data is first made accessible. As a general guideline, less and later is less intrusive to the privacy of the subjects and preferable under these principles. For example, it may be sufficient in an initial stage to provide anonymous, aggregate information (such as the overall compensation structure or the total compensation paid out to a group of employees) or pseudonymised information (‘employee 1534’ instead of the name), provided the prospective buyer cannot draw personalised conclusions, or to permit the buyer to access a sample of but not all customer data to carry out verification or testing. If and when avoiding the disclosure of personal data is not a viable option, the controller is not in breach of the minimisation and proportionality principles but must assess whether there is a legal ground for the disclosure (see above).
Moreover, disclosing personal data for a due diligence will generally not amount to a change in the processing purpose. However, to prevent the recipient from processing data for additional purposes, the disclosing party should enter into an appropriate non-disclosure agreement, which will certainly be in place at this stage of the transaction, and should include a specific clause to limit data processing and require erasure should the transaction be aborted.
Finally, data minimisation and proportionality require restricting the individuals with access to the due diligence documentation and the due diligence report, both at the buyer as well as the seller, and under the data security principle,33 data should be transferred securely.
The principle of transparency34 requires the controller to inform the data subject about the purposes of their processing, among other points. In many cases, the privacy notices provided earlier to the subjects (usually employees) will lack an express reference to M&A transactions. It is therefore advisable (and perhaps necessary in order to assess risk arising under a warranty or other undertaking agreed with a buyer) for the party providing information for the due diligence process to review the relevant privacy notices, even though it is questionable whether ‘transactions’ really are a separate processing purpose that must be notified to the subjects.35 If the notices are found to be lacking, that party may wish to update them36 or provide additional information about a potential transaction in generic terms if that is a viable option at this stage.37 This applies to all subjects whose data is expected to be disclosed or otherwise processed within the framework of the transaction. However, the controller may have an argument that providing the required information is impossible (if these subjects are not known) or ‘likely to seriously impair the achievement’ of the transaction, if confidentiality is of the essence, at least with respect to third parties with whom the controller has no direct contact.38
The comments above deal with the data protection framework around due diligence reviews. A different point, however, is the focus a due diligence review should have in view of data protection restrictions. The answer here is twofold – a due diligence should detect and help mitigate compliance risks of the target company in a share deal generally, and it should help a potential buyer to understand the risks involved with acquiring data as an asset or as part of an asset. These questions will be addressed below in ‘Focus areas for a due diligence review’.
Asset deals
In asset deals, the key question usually is whether personal data may be transferred to and further processed by the buyer, and if consent by the affected data subjects (usually the seller’s end customers, such as users of a software product or online service) is necessary. Under Swiss law, consent is generally not a requirement, provided that:
- the subjects are informed at the appropriate time and in the appropriate manner about the transaction;
- the seller discontinues its use of the relevant data; and
- the buyer does not process the data in ways that would not have been permitted for the seller.
If these conditions are satisfied, the only real effect of the transaction is a change in the controller, which does not constitute a breach of a processing principle and is therefore not in need of justification (whether by consent or by a prevailing interest).39 However, to mitigate risks, the seller may seek an agreement with the buyer that restricts the buyer’s processing to the earlier processing by the seller.
Should the seller consider a change in the processing, the question arises whether this change amounts to a different processing purpose. If so, the purpose limitation principle may be infringed, which would require the buyer to justify the novel purpose.40 Justification by commercial interests is a possibility, as well as benefits arising from the changed processing for the data subjects, but all depends here on the nature and scope of the novel processing. For example, should the buyer intend to leverage data by performing analytics not carried out previously by the seller, or to market different types of services to the data subject, there might be a change in purpose that is difficult to justify by a prevailing interest. In that case, the buyer (or the seller) may consider collecting consent from the subjects, for example, by sending an email notification to the subjects with information about the transaction and the further processing by the buyer, and asking the subjects to opt in.41
Under the GDPR, the analysis is similar. If personal data is transferred as part of a business, then the seller and the buyer should be able to rely on legitimate interest for the transaction.42 Where the original processing by the seller relied on consent, however, the buyer will have to assess whether the consent is specific to the seller or, rather, covers the processing independently of the name of the controller. In any event, risks can be mitigated by giving the data subjects an option to object to the transaction and the subsequent processing by the buyer.
Finally, data should again be transferred securely, for example, by an encrypted file or using a secure data-sharing platform.43
Focus areas for a due diligence review
If personal data is transferred as an asset or part of an asset, the buyer will value the transaction fully or partly in accordance with the value of the buyer’s anticipated processing of the data. The due diligence will therefore focus on restrictions applicable to that processing. For example, and depending on the circumstances (including the risks for the data subjects and the companies involved with the transaction), the buyer will ask to review the following documents and items:
- privacy notices presented to the data subjects;44
- where the processing is based on consent (for example, processing for electronic direct marketing), whether consent has been properly collected and documented, and generally the consent management used by the seller. Likewise, the management of objections against the seller’s processing;
- if, how and when the subjects will be informed about the transaction, and the likelihood for subjects to opt out of or object to the transfer, which may directly affect the transaction’s value proposition;
- any restrictions arising under specific regulation. For example, personal data may be subject to secrecy obligations, which may prevent the seller from transferring personal data to the buyer without a waiver by the subject;
- terms and conditions applicable to the agreement between the seller and the data subjects (if any), which may state expressly that personal data will not be shared with a third party, and may also include a waiver for transactions; and
- the age of the relevant data, and whether it has been kept beyond the periods stated in the seller’s retention policy or applicable under law.
Asset purchase agreements
When considering the purchase of data as an asset or part of an asset, the prospective buyer will usually seek reassurance by incorporating warranties into the asset purchase agreement. For example, the seller may warrant – depending on the circumstances and the negotiation – that the seller has complied with applicable data protection laws when acquiring and maintaining the data and is entitled to transfer the database to the buyer, that the buyer is entitled to use the data under applicable data protection legislation for the intended purposes, and that the seller has no notice of any claims or complaints by data subjects in relation to the data and no notice that any data protection authority considers the seller to have infringed applicable data protection legislation in relation to the data. On the other hand, general compliance with data protection laws by the seller will be of less interest than in a share deal.
Share deals
Unlike an asset deal, a share deal does not change the controller for the personal data processed by the acquired company. There is therefore no transfer of personal data from one company to another. However, the buyer must be aware that data flows from the acquired company to other members of the acquiring group constitute a data transfer that is only permitted within the constraints of data protection law, which does not give carte blanche for intra-group transfers.45 Likewise, if the acquired company adjusts its business model following the integration in a new group, it must be conscious that a change in its data processing may lead to a new purpose, which may violate the purpose limitation principle.46
Focus areas for a due diligence review
With respect to share deals, a buyer will expect the target company to be reasonably compliant with data protection regulation, in particular with the GDPR but also with other applicable regulation, for example, Swiss or US legislation (such as the Health Insurance Portability and Accountability Act, which protects health information, or the California Consumer Privacy Act). Under normal circumstances, a buyer should not expect full compliance with applicable data protection law and instead should focus on the key compliance issues potentially arising for the target company. ‘Compliance’ in absolute terms is not possible to achieve in any real-world scenario, and looking for it would potentially delay the transaction and take the focus away from other equally important areas.
However, a buyer should look for documents and information that demonstrate robust, workable procedures designed to ensure compliance. The following list sets out documents that might be reviewed by a prospective buyer (including on a group level if the target company is part of a group), although not all of these documents may be necessary or available, and additional documents may need to be reviewed, in particular in regulated areas:
- ‘records of processing activities’ (sometimes abbreviated as ROPAs), which is the inventory of the company’s various data-processing activities mandated under the GDPR and under the rev-FDPA, along with any data protection impact assessments carried out or ongoing;
- if the company has appointed a data protection officer (DPO), the job description or appointment document;
- if the company has appointed an EU representative under the GDPR, the document appointing the representative;
- internal policies and procedures for dealing with data breaches and for carrying out data protection impact assessments;
- the company’s retention policy, along with information about its retention and deletion practices;
- customer-facing privacy notices, in particular where the target company is active on the mass market, and in that case policies or procedures for dealing with data subject requests;
- if the company generally relies on consent for key processing activities, information about the collection, documentation and management of consent;
- information about high-risk profiling activities and automated decision-making (if any);
- agreements regulating intra-group data flows, which may consist of a framework agreement along with terms for joint controllership, controller–processor arrangements, and standard clauses for data exports to third countries;
- data protection agreements with key suppliers, customers and partners and standard clauses used by the company in agreements with these parties, for example, a standard data-processing agreement;
- a document explaining the company’s security measures to protect key data;
- ‘legitimate interest assessments’ carried out for key or high-risk processing activities;
- a privacy notice for employees, along with other employee regulation such as acceptable use policies and policies for whistle-blowing or the use of personal devices for business purposes;
- agreements with works councils or other employee organisations with respect to the company’s data processing (if any);
- any regular or ad hoc reports submitted by the DPO to the management;
- breach notifications and data protection impact assessments submitted to authorities;
- breach notifications communicated to the affected data subjects;
- a description of data protection training given to all or key employees;
- records of government action related to data protection, including requests from data protection supervisory authorities and fines imposed on the company; and
- records of litigation related to data protection, for example, subject access requests that were escalated to a court.
The availability of these documents, their granularity and generally the way they are drafted and used and communicated internally will give a sound idea of the company’s general maturity of data protection compliance and the legal risk it may be exposed to. If important documents are missing, the buyer will expect the company to explain its data protection implementation programme in order to understand legal risk related to any gaps, which will depend to a large extent on the company’s business case and its exposure in countries with tighter data protection supervision.
Share purchase agreements
In share purchase agreements, sellers usually provide warranties for compliance in general or specifically with respect to data protection. For example, the buyer may ask for a warranty that the target company complies with applicable data protection legislation, that no litigation on data protection is pending or threatened, or that no data breaches have occurred in a past period. If the target company operates under increased risk, for example, a regulated entity, an additional warranty may be required for compliance with internal policies. Warranties may be subject to disclosure letters stating exceptions for a data protection warranty, and to a cap on indemnities, which may be different for violations of data protection laws than for breaches of other warranties.
Where specific infringements have been detected during the due diligence review, the buyer may expect the seller to remedy the infringements prior to closing, unless the buyer is content to accept the risks related to the infringements. For infringements of a lesser nature that can be remedied quickly (for example, where a data protection officer is necessary but has not been appointed), a remedy of the infringement may be agreed as a condition precedent to closing. For other infringements, a specific indemnity may be a more appropriate solution.
Service providers
In M&A transactions, the parties will usually employ a range of service providers, for example, law firms, M&A advisers and data room providers. Depending on their role, particular agreements with these providers may be required.
Even though they are service providers, law firms and M&A advisers generally act as individual controllers, as opposed to data processors in terms of article 28 GDPR and joint controllers under article 26 GDPR. A transfer of personal data to these providers is therefore subject to the general processing principles but does not require an agreement with specific minimum content. However, where a transaction is particularly sensitive, the seller or buyer may wish to have an agreement with these providers to restrict their processing of information, for example, by requiring Chinese walls between different teams or erasure of data transmitted (subject to retention requirements). In some cases, these providers will additionally be required to apply certain data security standards. However, these requirements will usually be driven by general confidentiality concerns, not data protection law specifically.
On the other hand, a provider of an electronic data room (for example, Merrill or Intralinks) acts as a data processor under article 28 GDPR (or, under Swiss law, article 10a FDPA and article 8 rev-FDPA). The controller is therefore under an obligation to enter into a data-processing agreement. Typically, these providers use their own data-processing terms as part of their general conditions of business or as a separate agreement, and tailor these terms to article 28 GDPR. Moreover, where the provider is located in a country that is not considered to provide adequate data protection, such as the US, the provider will typically incorporate the EU Model Clauses mentioned above in the applicable terms (unless the provider is certified under the Swiss–US or EU–US Privacy Shield).
A review of these terms may nevertheless be prudent, for example, to ensure that the controller does not agree to be bound by the GDPR (should the GDPR not apply), and that the controller is content with other terms such as a limitation of liability.
On a related note, the seller and the buyer should not be seen as joint controllers in the transaction, including with respect to data room and other providers, even though there are other views, and will not require a joint controller agreement in terms of article 26 GDPR.
Data protection is gaining importance in all areas, including M&A transactions. While restrictions under data protection law generally do not conflict with transactions per se, risks can be mitigated, and negotiations can be helped, if data protection is considered early on, before and in the transaction. Law firms know today that their M&A team should speak to the data protection team and involve specialists in transactions where data is an important asset. As regulation becomes tighter and data becomes more important, the due diligence specifically with respect to data and data protection gains increasing importance as well. In this respect, the buyer – in the case of buyer due diligence – should take care to understand the maturity of the target’s data protection and restrictions potentially applicable to data acquired, but without perfectionism and without expecting full compliance in every regard.