Don’t fall into the GDPR trap during your acquisition

Today it can no longer be ignored. The rules on GDPR and privacy are gradually filtering through to our social lives, but also to the business world.

The General Data Protection Regulation (GDPR) was created by Europe to better protect personal data, with the central idea that citizens should be able to decide for themselves who uses their data for what purpose. As an entrepreneur, it is therefore important to consider the way in which your organisation processes and protects personal data. What you may not know is that the rules on GDPR and privacy are also imposed in the context of an acquisition. How can you make the acquisition of your enterprise as GDPR-compliant as possible, and what are the pitfalls? How can you, as the acquiring party, ensure that you are not faced with surprises when it turns out that the target enterprise is not fully GDPR-compliant?

 

 

“Asset deal” or “share deal”?

If you wish to transfer ownership of your enterprise or take over an enterprise yourself, the personal data of customers, suppliers and employees will in principle also be part of this. It’s important to immediately make a distinction here between a share transfer (a so-called “share deal”) and a transfer of assets (a so-called “asset deal”). 

In the case of a transfer of assets, assets that are the subject of the transfer will pass to another owner and thus the personal data transferred with the assets will be processed by another “controller”. This is in contrast to a share transfer, where only the shares are transferred and in other words the owner or “controller” does not change. It is therefore mainly in the case of a transfer of a commercial undertaking that caution is required with regard to the protection of personal data. 

Although the transfer of personal data will generally be possible on the basis of “legitimate interest”, the transferee is still obliged to inform the data subjects about the future use of their data (Article 14 GDPR). This obligation applies in the context of an asset deal as well as in the context of a share deal.

 

The foregoing, of course, does not alter the fact that, in the context of a share transfer, the due diligence investigation should also take into account how the target enterprise organises its processing of personal data. When an enterprise processes personal data (under the GDPR this means, among other things, the collection, storage, organisation, use, provision and dissemination of personal data), it is important to know for what purposes these are processed, whether the processing is lawful, whether data are not processed for longer than is strictly necessary, whether specific procedures are in place to safeguard the rights of the persons concerned or in the event of a data breach, whether processing agreements have been concluded, whether a data protection officer has been appointed, etc. It goes without saying that the sector in which the target enterprise is active plays an important role here.

In addition, also in the context of the GDPR, the importance of a well-organised data room should not be underestimated. It is recommended that professional service providers are called upon to ensure a well-secured data room that is GDPR-proof. It is therefore advisable to conclude a processing agreement in the context of setting up a professional data room. It is also important that only the personal data that are necessary and relevant for the due diligence are transferred, and the current phase of the acquisition process also plays a role. In an earlier exploratory phase, where, for example, there are several potential purchasers, it is of course advisable that only general and anonymised data are made available. As the acquisition process progresses and there is more certainty about the purchaser, the seller can release more information, always under the safeguards of a processor agreement with the prospective purchaser.

 

It is usual for a general provision to be included in the acquisition contract in which the seller represents and warrants that the target enterprise complies with all applicable laws and regulations, including the GDPR. However, in view of the increasing importance of the GDPR for enterprises, this is often not sufficient, and it is necessary that a specific provision is also included in which the seller gives a number of warranties with regard to the privacy policy pursued by the enterprise, that no significant data breaches have taken place, etc.

If during the due diligence investigation it appears that the target enterprise has a number of crucial gaps in the area of privacy protection, it is appropriate for the acquiring party to protect itself sufficiently. This can be done, for example, by adding a condition precedent to the acquisition contract. This makes conclusion of the transfer agreement conditional on the fulfilment of a number of acts that ensure that the target enterprise is informed in advance regarding data protection. 

Watertight protection in the acquisition contract is indispensable for both the purchaser and the seller to avoid liability in the future if it turns out afterwards that personal data have not been or will not be processed in accordance with the safeguards included in the GDPR regulations. 

Consequently, the complex subject matter of data protection regulations calls for caution, also in the context of a (possible) acquisition of your enterprise or if you wish to acquire an enterprise yourself. Acquisitions therefore should always be assisted by professional advisers.

 

 
