Company acquisitions and sales (M&A) are complex processes in which data protection is playing an increasingly important role. The exchange of personal data – whether from customers, suppliers or employees – is a reality at every stage of a transaction and entails considerable legal and economic risks. This article highlights the key data protection requirements and outlines solutions for ensuring compliance.
1. Due Diligence – the pre-purchase check
Due diligence (DD) is the process of conducting an economic and legal review of the target company by the potential buyer. In order to assess risks and potential, extensive information – often including sensitive customer, supplier and employee data – is made available in a data room.
The Data Room
Virtual data rooms (VDRs) are usually used for DDs. These are operated by specialised service providers. Providing them constitutes processing on behalf of a controller (Art. 28 GDPR). The provider must therefore demonstrate sufficient technical and organisational measures (TOMs) in accordance with Art. 32 GDPR, and the conclusion of a data processing agreement (DPA) is mandatory. Whether the seller or buyer concludes the DPA with the service provider depends on who commissions the service. For providers in third countries, further regulations apply to justify data exports in accordance with Art. 44 ff. GDPR.
Justification of Data Processing in the DD
Both sellers and buyers require a legal basis for the provision of or access to personal data in the data room (‘double door principle’). The following legal bases may justify the data processing:
Employee Data:
- Consent (Section 26 (2) BDSG / Art. 6 (1) lit. a GDPR): Possible, but often difficult in practice due to the high requirements for voluntariness and revocability. A conceivable option, especially for executives with a personal interest in the transaction.
- Works Agreement (Art. 88 GDPR): Can regulate data processing, but requires negotiations with the works council and may fail due to confidentiality obligations. A possible but rarely used justification.
- Legitimate Interest (Art. 6 para. 1 lit. f GDPR): Most common basis. The seller’s interest in the sale and the buyer’s interest in the risk assessment are generally legitimate. The decisive factor is the balancing of interests. Data minimisation should be used for this purpose and data should be anonymised or pseudonymised.
- Special Categories of Data (Art. 9 GDPR): As a rule, these may not be exchanged and should be filtered out.
Personal Data of Customers and Business Partners
- Consent (Art. 6(1)(a) GDPR): Relevant, for example, for marketing data. It is necessary to check whether consent has been obtained and whether this covers disclosure within the scope of a DD. This is often not the case.
- Legitimate interest (Art. 6(1)(f) GDPR): As with employee data, a balancing of interests must be carried out. The interest in evaluating the customer base, sales potential and supply chains is legitimate. Here too, data minimisation and pseudonymisation/anonymisation apply where possible. The protection interests of customers/partners must be taken into account.
Change of Purpose and Transparency:
If data collected, for example, for the performance of a contract with customers or for the employment relationship is passed on within the scope of DD, this constitutes a change of purpose. This must be permissible (compatible) under Art. 6 (4) GDPR and requires an additional legal basis (see above).
Joint Controllership:
The performance of due diligence may result in joint controllership on the part of the seller and buyer. This gives rise to further legal obligations, which are generally undesirable. If joint controllership cannot be avoided, an agreement on joint controllership should be concluded in accordance with Art. 26 GDPR.
Transparency:
During the DD, too, all data subjects (employees, customers, partners) must be informed about the data collection that takes place within its scope. There are exceptions, but these are limited and interpreted restrictively. Here, it is important to carefully examine whether and how confidentiality interests and transparency obligations can be reconciled.
2. Data Protection in the Corporate Purchase Agreement
Guarantees and indemnities are essential in the purchase agreement (share or asset deal). These must also cover data protection. The buyer wants certainty about the legality of data processing in the target (e.g. valid consent for customer databases, compliance of HR processes). The seller wants to limit liability risks. The results of the DD should lead to clear rules on risk allocation. Deficiencies in the data protection organisation can significantly reduce the value of the target. This should be reflected accordingly.
3. Integration of the Target – the Post Purchase Period
The purchase (closing) is followed by the integration of the target. The data protection challenges depend heavily on the form of the transaction.
Share Deal:
The target remains the legal entity; only the ownership structure changes. The data protection officer remains the same. The change of ownership does not result in a direct transfer of data. However, problems may arise when integrating the target into a group of companies. If personal data (employee, customer, supplier data) is to be transferred to the new parent company or sister companies (e.g. for central IT, HR, CRM), this requires a separate legal basis, as there is no general group privilege. In this case, data processing agreements, joint controllership agreements or other justifications (e.g. legitimate interest with careful consideration) are required.
Asset Deal:
Here, individual economic assets are transferred (individual succession). This often also includes contracts and the associated data (employees, customers, suppliers). The transfer constitutes a disclosure by transmission (Art. 4 No. 2 GDPR) from the seller to the buyer and requires justification for both parties.
- Employee Data: If employment relationships are transferred (§ 613a BGB), the transfer is often justified for the continuation of the employment relationship in accordance with § 26 (1) BDSG / Art. 6 (1) lit. b GDPR. The transfer by the seller can be based on Art. 6 para. 1 lit. f GDPR (fulfilment of purchase contract), whereby the rights of the employees must be protected. For special categories, § 26 para. 3 BDSG / Art. 9 para. 2 lit. b/h GDPR applies.
- Customer and Business Partner Data: If customer or supplier contracts are taken over, the transfer of data for further performance of the contract by the buyer is usually justified under Art. 6 para. 1 lit. b GDPR. The transfer by the seller can again be based on Art. 6 para. 1 lit. f GDPR. Particular caution is required for data that is not directly necessary for the performance of the contract (e.g. marketing data): Is transferable consent available (Art. 6 para. 1 lit. a GDPR)? Or can the transfer be based on Art. 6 para. 1 lit. f (interest in continuing the business relationship)? Here, a thorough review of the lawfulness of the original data collection and the consents is essential.
- Information Obligations: Here too, the data subjects (employees, customers, partners) must be informed in accordance with Art. 13/14 GDPR. This is usually less critical than in the DD phase, as confidentiality interests often do not apply. It may be advisable for the buyer and seller to provide joint information.
- Integration into the Group Structure: As with share deals, the following also applies after an asset deal: The transfer of data within the new group structure (e.g. to central departments) constitutes a transfer of data to third parties and requires a separate legal basis (no group privilege).
Conclusion
Data protection is a key factor in M&A transactions for all types of personal data. From due diligence to the purchase agreement to integration, the requirements of the GDPR must be observed for employee, customer and partner data. Careful planning, data minimisation, clear contractual provisions and transparent communication are essential to minimise risks. The early involvement of data protection experts is strongly recommended.
