M&A transactions and the importance of data due diligence

Data protection (and processing) is not always part of the due diligence in M&A transactions. However, data due diligence can reveal non-compliance of the target company with the GDPR and thus additional risks for the buyer. Specific warranties on data protection and future liabilities or penalties are needed to protect the buyer.

An assessment of the GDPR compliance of the target entity should be included as early as possible in the M&A process. This will serve to identify (and idealistically minimize) future liabilities of the target company and/or the new owner. Moreover, this will also ensure that the transaction itself is GDPR compliant.

CHECK DATA PROTECTION STATEMENTS

Involved parties are best to check (and possibly extend) their data protection statements in order for the transfer of personal data to third parties to be covered. This is specifically the case for purposes of due diligence, deals concerning asset disposal, restructuring or merger, or sales. For example clientele database, including contact data and historical & actual generated revenue, preferable partnerships, suppliers, etc.

Possibly, some data processing agreements might have to be amended or foreseen as well, for the same reason. For example with the provider of cloud services and/or the data room.

Moreover, the information that will be shared in the data room should be selected carefully and “technically” prepared as well. It might be necessary to (partially) anonymize, pseudonymize, or aggregate certain data. The data room itself should be located in a safe, confidential “technological place”. Access control, login control, and selective user rights (allowing users to only access specific and for them relevant information in the data room) are recommended.

These steps should allow the legitimate and lawful transfer of personal data in the run-up to the transaction, for example during due diligence.

DATA PROTECTION AND PROCESSING POLICY

Furthermore, the data protection and processing policy of the target entity should be assessed in detail. The following items shall be explored:

• Which is the legal basis for the existing processing flows?
• For which purposes are the personal data processed?
• How are data breaches or GDPR rights of data subjects dealt with?
• How are data retention and data security handled? Are there policies in place or certificates obtained?
• Is there an appointed DPO?
• Which warranties are offered for data transfers outside the EEA?
• Which protective technical and organizational measures are implemented?
• Are all (labor, supply, and service) contracts GDPR compliant?

Very often the data processing register shall be the starting point of this analysis, which shall be a joint effort of lawyers, the ICT department, DPOs, and divisional heads.

Should a contingency be identified, the seller and/or target entity might still solve a thing or two during the pre-closing phase. However, often it will end up being more than a one-time effort, even after the deal is closed. Buyers shall therefore do their best to stipulate specific warranties in their favour.

Questions about data due diligence?

Do you have questions concerning data due diligence within the scope of an M&A transaction, or do you want to learn more about our GDPR audits?

Feel free to contact us.