The basics of the GDPR for Sellers, Buyers, and Target Companies within Due Diligence reviews and M&A transactions in the Czech Republic


Privacy protection plays a vital role in every transaction, whether as a part of assessing the risks for the buyer in the event that the personal data in the target company is not handled correctly, or in assessing how to deal with personal data obtained within the framework of legal due diligence.

The EU’s General Data Protection Regulation – GDPR, which has been valid in the entire territory of the EU since 25 May 2018, does not affect only the day-to-day running of companies and their marketing departments, but, as it turns out, also has a major impact on M & A transactions. Every company processes personal data, whether of its employees, customers, or business partners, and uses this data, for example, to send special offers to email addresses, or to create a large customer database, or for customer profiling. Moreover, this data is often shared among several companies within a concern or group.

The obligations set out in the new GDPR therefore force all parties involved in acquisition transactions to review their existing procedures, and to adopt new measures to protect personal data. This primarily concerns personal data that is made available to the buyer and their advisers within a legal due diligence review of the purchased company. In this case, the buyer will become a personal data controller once it gains access to the data room where the data is located.

However, both the seller and the purchased company should pay attention to the protection of personal data. It is these persons who have to ensure that personal data is made available in accordance with the GDPR, only to the extent necessary for the completion of the transaction (need-to-know basis), and exclusively to authorised persons. Personal data must also be sufficiently protected from unauthorised handling and, in the event of an unsuccessful acquisition, demonstrably liquidated, i.e. deleted.

Should any participating party breach its obligations under the GDPR, it is liable to a fine of up to EUR 20 million or, in the case of an enterprise, up to 4 % of the total annual worldwide turnover for the previous financial year, whichever is higher.

The GDPR’s entry into force will therefore necessitate re-evaluation of the entire acquisition process, in particular in relation to the due diligence review of a company and establishment of a data room, and the setting up of new privacy rules that will be in line with the GDPR.

The seller’s position in an M & A transaction

In the preparatory phase of the sale of a company, the seller should ensure beforehand a secure way for the buyer to access documents about the purchased company, for the purposes of legal due diligence or other reviews. In most cases, this will be the preparation of a data room. The data room should be sufficiently secure to prevent unauthorised handling of personal data and its possible leak, so as to meet the GDPR requirements. This will primarily include encrypting stored documents, setting access rights for individual users, user logs, and regular security audits of the IT system that makes up the data room.

If the seller decides to use the services of an external provider, it will be necessary to first enter into a personal data processing agreement with such a provider, since the data room provider will become a data processor. The personal data processing agreement should be concluded with the provider by the purchased company, as it will, in most cases, be the controller of the personal data in the data room.

In the personal data processing agreement, it will be necessary to adjust the scope of personal data disclosed via the data room, and to agree on warranties concerning its protection, including its removal (deletion from the server) after the closure of the data room. One cannot forget the question of the country in which the servers of an external provider will be located, and where the documents for a legal due diligence review will be stored. If these servers are outside the EU, an external service provider must provide guarantees that personal data will be transferred to a third country solely in accordance with the GDPR (usually based on binding corporate rules or standard contractual clauses). An external provider must also be bound by the obligation of confidentiality. However, by concluding the personal data processing agreement, neither the seller nor the purchased company completely relieves themselves of responsibility for the protection of personal data stored in the data room of an external provider. It is therefore desirable that the data room provider also undertakes to indemnify the seller and the purchased company in the case of a breach of the personal data processing agreement.

Many companies make personal data available for the needs of a due diligence review through commonly used cloud storage systems, such as Dropbox, iCloud, Google Drive, or OneDrive. However, such a procedure cannot be recommended in the light of the GDPR. These services, in most cases, do not allow a sufficient level of security to be set up for personal data. In particular, document sharing is problematic in itself, as these services usually do not allow different rights to be set for different users (e.g. “read only” for a document), documents to be remotely deleted from user devices, or user access to be logged (e.g. which user has obtained access to a specific document in the data room).
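The controls the two paragraphs above ask of a data room (per-user rights such as “read only”, a log of who accessed which document, and demonstrable deletion when the room is closed) are easier to reason about in code. The following is an added example written for this page, not code from ECOVIS ježek or from any data room product; the user names, document names and the in-memory storage are constructed for the example, and a real data room would also encrypt the stored documents and keep the log on a separate, append-only system.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from hashlib import sha256

# Rights a data room administrator can grant per user and per document.
READ = "read"          # view only, no local copy
DOWNLOAD = "download"  # view and save a local copy
ALLOWED_ACTIONS = {READ: {"read"}, DOWNLOAD: {"read", "download"}}


@dataclass
class AccessEvent:
    """One line of the access log: every attempt is recorded, allowed or not."""
    when: str
    user: str
    document: str
    action: str
    allowed: bool


@dataclass
class DataRoom:
    documents: dict = field(default_factory=dict)  # document name -> content bytes
    rights: dict = field(default_factory=dict)     # (user, document) -> right
    log: list = field(default_factory=list)        # append-only access log
    closed: bool = False

    def upload(self, name, content):
        self.documents[name] = content

    def grant(self, user, document, right):
        """Rights are granted per user and per document, never room-wide."""
        if right not in ALLOWED_ACTIONS or document not in self.documents:
            raise ValueError("unknown right or document")
        self.rights[(user, document)] = right

    def revoke(self, user, document):
        self.rights.pop((user, document), None)

    def request(self, user, document, action):
        """Decide a single access and log it; returns True only if allowed."""
        right = self.rights.get((user, document))
        allowed = bool(not self.closed and right is not None
                       and action in ALLOWED_ACTIONS[right])
        self.log.append(AccessEvent(datetime.now(timezone.utc).isoformat(),
                                    user, document, action, allowed))
        return allowed

    def accesses_to(self, document):
        """Successful accesses to one document, e.g. for a post-deal review."""
        return [e for e in self.log if e.document == document and e.allowed]

    def close(self):
        """Close the room: record a digest of each document, then delete every
        document and every right. The returned list serves as a deletion record
        the seller can present (which documents were destroyed, and when)."""
        stamp = datetime.now(timezone.utc).isoformat()
        certificate = [{"document": name, "sha256": sha256(body).hexdigest(),
                        "deleted": True, "when": stamp}
                       for name, body in self.documents.items()]
        self.documents.clear()
        self.rights.clear()
        self.closed = True
        return certificate


if __name__ == "__main__":
    room = DataRoom()
    room.upload("sample_employment_contract.pdf", b"constructed sample content")
    room.grant("adviser@buyer.example", "sample_employment_contract.pdf", READ)
    print(room.request("adviser@buyer.example", "sample_employment_contract.pdf", "read"))
    print(room.request("adviser@buyer.example", "sample_employment_contract.pdf", "download"))
    print(room.close())
    for event in room.log:
        print(event)
```

The point of logging refused attempts as well as successful ones is that the log must later answer the question the GDPR raises for the seller and the purchased company: who actually obtained access to which personal data, and whether anyone outside the named advisers tried.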

Prior to giving the buyer access to the data room itself, it is appropriate to conclude an agreement with the buyer stipulating the conditions for the disclosure of personal data, including its protection during the due diligence review of the purchased company and its subsequent liquidation, specifying the title and purpose for which the buyer will use the personal data, and setting out the buyer’s confidentiality obligation. Privacy conditions can also be incorporated into the confidentiality agreement that is normally concluded for M & A transactions, thereby avoiding the need to sign two separate contracts. In the agreement, the buyer should commit to preventing unauthorised disclosure of personal data to third parties, the advisers who will have access to the data room should be named, and the buyer should ensure the liquidation of personal data if the transaction is not successfully completed. Should the buyer breach the agreement, the buyer should be obliged to indemnify the seller and the purchased company for any damage caused to them in connection with such a breach. If the buyer has its registered office outside the EU, the seller and the buyer will also have to assess the conditions under which personal data can be passed on outside the EU.

Further, it is necessary to consider which documents containing personal data can be provided to the buyer and its advisers within the framework of a due diligence review. The GDPR is based on the principle of minimising the handling of personal data. This issue typically arises for employment contracts and customer contracts with consumers.

If the seller and/or the purchased company do not anonymise, to the extent necessary, personal data in contracts and other documents uploaded to the data room, e.g. by blacking it out, they are exposed to the risk of being fined by the Office for Personal Data Protection. The redaction of dozens, or even hundreds, of employment or customer contracts can be time consuming and quite costly. As an alternative, it is therefore advisable to provide within the due diligence process only the sample contracts usually entered into by the purchased company, together with aggregated, anonymised tables containing the business information essential for the buyer (e.g. wages, severance pay, non-competition clauses, notice periods, etc.), or the deviations from the sample contract.
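The alternative described above (sample contracts plus aggregated, anonymised tables and a list of deviations from the sample) can be produced mechanically from the seller’s own records. The following is an added example written for this page, not code from ECOVIS ježek; the contract records, the field names and the sample terms are constructed for the example. It also shows the caveat a practitioner would want: replacing a name by an opaque reference is pseudonymisation, not anonymisation, so the key table stays with the seller and only the aggregate (or, for key contracts, an ad hoc justified subset) goes into the data room.

```python
import re
from statistics import mean

# Terms of the purchased company's standard employment contract (constructed
# values); the baseline against which deviations are reported.
SAMPLE_TERMS = {"notice_period_months": 2, "severance_months": 3, "non_compete_months": 0}

# Constructed contract records; the field names are assumptions for this example.
CONTRACTS = [
    {"name": "Jana Nováková", "email": "jana.novakova@example.com", "wage_czk": 52000,
     "notice_period_months": 2, "severance_months": 3, "non_compete_months": 0},
    {"name": "Petr Svoboda", "email": "petr.svoboda@example.com", "wage_czk": 120000,
     "notice_period_months": 6, "severance_months": 12, "non_compete_months": 12},
    {"name": "Eva Dvořáková", "email": "eva.dvorakova@example.com", "wage_czk": 48000,
     "notice_period_months": 2, "severance_months": 3, "non_compete_months": 0},
]

# Fields that identify a data subject directly; they never leave the seller.
DIRECT_IDENTIFIERS = ("name", "email")
REDACTED = "[REDACTED]"


def redact_text(text, personal_values):
    """Black out every occurrence of the given personal values in a contract text.
    Longer values are replaced first so a name cannot survive inside an e-mail."""
    for value in sorted(personal_values, key=len, reverse=True):
        text = re.sub(re.escape(value), REDACTED, text)
    return text


def pseudonymise(contracts):
    """Split the records into a per-contract overview under opaque references
    (business terms only) and a key table that must stay with the seller.
    With few employees the overview alone may still identify people (the one
    highest wage is the director), which is why the aggregate is what is shared."""
    overview, key_table = [], {}
    for i, c in enumerate(contracts, start=1):
        ref = f"EMP-{i:03d}"
        key_table[ref] = c["name"]
        overview.append({"ref": ref,
                         **{k: v for k, v in c.items() if k not in DIRECT_IDENTIFIERS}})
    return overview, key_table


def deviations(contract, sample=SAMPLE_TERMS):
    """Fields in which a contract departs from the sample: (sample, actual)."""
    return {k: (sample[k], contract[k]) for k in sample if contract[k] != sample[k]}


def aggregate(contracts):
    """The anonymised overview for the data room: figures, no persons."""
    wages = [c["wage_czk"] for c in contracts]
    return {
        "count": len(contracts),
        "wage_czk_min": min(wages),
        "wage_czk_max": max(wages),
        "wage_czk_mean": round(mean(wages)),
        "max_notice_period_months": max(c["notice_period_months"] for c in contracts),
        "max_severance_months": max(c["severance_months"] for c in contracts),
        "contracts_with_non_compete": sum(1 for c in contracts if c["non_compete_months"] > 0),
        "contracts_deviating_from_sample": sum(1 for c in contracts if deviations(c)),
    }


if __name__ == "__main__":
    print(aggregate(CONTRACTS))
    for c in CONTRACTS:
        print(deviations(c))
    print(redact_text("Employment contract between ACME s.r.o. and Jana Nováková "
                      "(jana.novakova@example.com)", ["Jana Nováková", "jana.novakova@example.com"]))
```

The aggregate already answers the buyer’s real questions from the text (is there an unusually long notice period or an unusually high severance payment anywhere in the company?) without a single name entering the data room; a contract that deviates from the sample can then be requested individually, with the proportionality assessment the next paragraphs describe.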

It may be considered that within the framework of due diligence, the buyer and its advisers would be given contracts with key employees or clients in their entirety, on the basis of the buyer’s legitimate interest in knowing in detail the status of the purchased company and the terms of these essential contracts. However, access to such contracts must be assessed on an ad hoc basis, taking into account the buyer’s legitimate interest, the necessity of disclosing personal data to the buyer, and the so-called proportionality test.

On the other hand, the buyer must be aware that the GDPR may set out the buyer’s information obligation vis-à-vis employees, clients, and other persons, as soon as their personal data in the data room is available to it. In this case, the buyer will have to inform these persons that it processes their personal data, and for what purpose(s) it does so. As both parties generally insist on strict confidentiality when negotiating an acquisition, it should be in the interests of all participating parties to disclose to the buyer a minimum of personal data through the data room.

Sensitive data on employees, such as their state of health, trade union membership, etc., cannot be disclosed to the buyer at all.

If the transaction is not successfully completed, the seller or the purchased company will have the obligation to ensure the closure of the data room and the liquidation of all personal data that the buyer and its advisers have gained access to. This obligation should be considered by both the seller and the purchased company before the data room is established.

The buyer’s position in the M & A transaction

Information in the data room is crucial to the buyer, so that it can judge with the care of a diligent manager whether it is profitable for it to complete the acquisition of the purchased company. The buyer’s title for the processing of personal data in the data room will usually be a contract with the purchased company or the seller, or the buyer’s legitimate interest in knowing the state of the company and the risks that arise to it from the purchase of the company. The buyer must be aware that once it gains access to the data room, it becomes a controller of the personal data stored in the data room, and will be obliged to comply with the obligations arising to it from the GDPR.

In particular, the buyer will be required to set up its internal processes to ensure that no unauthorised person gains access to personal data in the data room, to restrict data room access to a limited set of users, to adopt the necessary privacy policy, to record how the personal data in the data room itself is processed, and to fulfil any additional obligations arising from the GDPR.

If personal data of employees and clients of the purchased company, or other persons, is included in the data room, the buyer may be required to provide information to these persons about the manner of their personal data processing. Therefore, it is recommended that employment and client contracts be anonymised. If it is impossible to anonymise employment and client contracts, it is advisable to provide the buyer with a sample employment contract or sample client contract with aggregated anonymised data on key business aspects of the contracts entered into.

The above requirements, however, place increased demands on the content of the transaction documentation. The buyer and its advisers should, therefore, require the seller to provide sufficiently broad guarantees and assurances, especially regarding the extent of the documents made available and the related anonymised overviews in the data room, the list of all investigations of the purchased company carried out by the Office for Personal Data Protection, including sanctions imposed, the list of all litigation conducted with data subjects, and the list of all recipients of personal data (for example, if personal data is shared within a franchise or a concern). These new guarantees and assurances should guarantee for the buyer, in particular, that after taking over the purchased company it will not discover, for example, an employment contract with an unusually long notice period or an unusually high severance payment, or a client contract which may not be terminated for several years after the acquisition of the company. The client agreements may also include tenancy agreements if the buyer does not buy a company but an apartment building or residential block.

If the purchased company handles a larger amount of personal data, the buyer will not avoid carrying out a legal review with a particular focus on mapping the process of handling personal data in the purchased company. In practice, it will primarily concern the list of customers that the purchased company has obtained and maintains for marketing purposes, the consent of data subjects, in particular consumers, to sending direct business communications and marketing offers, customer profiling, sharing employee data across a group, assessment of risks arising from the current system of personal data protection in the purchased company, and the obligation to appoint a data protection officer (DPO). In brief, the buyer’s advisers will have to check whether the purchased company processes personal data in accordance with the GDPR.

Mapping the processes of handling personal data in the purchased company may, for example, show that the purchased company has never received consent from customers to send e-mail offers, and therefore that there is a risk that the Office for Personal Data Protection will impose a sanction on it. It may further show that the data subjects have not granted the purchased company their consent to the processing of their personal data, so that the purchased company is required to delete its entire customer database. Or it may show that, due to the absence of consent, it is not possible to transfer the customer database owned by the seller to the buyer or to the purchased company as part of the transaction settlement; transferring such a customer database would be invalid. For companies in the retail sector, violations of the GDPR obligations could have a significant impact on their value.

After the transaction has been concluded, the buyer, in co-operation with the purchased company and the seller, must ensure that all necessary authorisations and permissions to share personal data are obtained within the framework of connecting the buyer’s and the purchased company’s IT systems, so that personal data is not leaked, and that the seller liquidates personal data for which it has no legal reason for further processing.

GDPR and consequences for M & A transactions in the Czech Republic

For both the seller and the purchased company, the GDPR brings new obligations that need to be taken into account as early as the preparatory phase of each transaction. This means, in particular, ensuring a secure data room for giving the buyer and its advisers access to documents, entering into contracts with the data room provider and the buyer, and preparing anonymised documents, sample contracts, and anonymised overviews to share with the buyer and its advisers.

Increased attention should be paid to mapping the processes of handling personal data in the purchased company if the value of the purchased company is dependent on how it uses personal data for its business activities.

The need to protect personal data does not only arise in a so-called share deal, but may also be relevant in a so-called asset deal, where the subject of the review can be the lease agreements for the property being the subject of the transaction. In some cases, the transaction cannot be structured as an asset deal, because the GDPR generally excludes the transfer of personal data without the consent of the persons affected by the processing of said personal data. Unspecific consent to the disclosure of personal data to third parties cannot be considered proper consent under the GDPR, and therefore the transfer of such personal data may be considered invalid.

For more information, please contact:

JUDr. Mojmír Ježek, Ph.D.
Managing partner

ECOVIS ježek, advokátní kancelář s.r.o.
Betlémské nám. 6
110 00 Prague 1

About ECOVIS ježek advokátní kancelář s.r.o.
The law office ECOVIS ježek practices mainly in the area of commercial law, real estate law, dispute management, as well as finance and banking law, and provides full-fledged advice in all areas, making it a suitable alternative for clients of international law offices. The international dimension of the services provided is ensured through past experience and through co-operation with leading legal offices in most European countries, the US, and other jurisdictions. The members of the ECOVIS ježek team have many years of experience from leading international law offices and tax companies, in providing legal advice to multinational corporations, large Czech companies, but also to medium-sized companies and individual clients. For more information, go to

31.07.2018 | The basics of the GDPR for Sellers, Buyers, and Target Companies within Due Diligence reviews and M&A transactions in the Czech Republic