Since the General Data Protection Regulation (“GDPR”) went into effect on 25 May 2018, one thing has been clear: it has entailed a lot of changes in a lot of different areas of law. And the practice of conducting transactions is certainly one of them. If you are looking at an acquisition, what do you need to be aware of? Read on to find out.
The GDPR in brief
The GDPR is intended to create a more robust framework for the protection of data of natural persons, and to pair this with strong enforcement. If you process personal data, the GDPR applies to you. And you almost certainly do. Virtually anything that can identify a natural person or that makes a natural person identifiable qualifies as “personal data”. The definition of the term “processing” in the GDPR was deliberately kept broad enough to cover any action performed on personal data. Note, however, that data on legal persons is not personal data. Nonetheless, data on independent contractors, such as sole proprietors without personnel or partnerships (including limited partnerships, etc.), can in certain cases qualify as personal data. The party who processes the personal data and who determines the purposes and means of doing so is the data controller.
Legitimate processing of personal data requires a legal basis on the part of the controller. The GDPR provides an exhaustive list of six legitimate bases for the processing of data. These include the consent of the data subject (the person whose data is being processed) and the justified business interest of an enterprise in processing the data in question.
Further, it is important to be in compliance with the principles of data processing. Under the GDPR the processing of personal data must be lawful, fair and transparent. The purposes for which the data is being processed must be clear to the data subject. This processing must then be carried out in a fair and responsible manner. The processing purposes must be explicit and clearly defined. Further, the processing must involve no more data than necessary to achieve the defined object, and the data must not be retained for longer than necessary.
These principles must be observed and complied with by every controller. Noncompliance is subject to severe financial penalties that can be imposed by the Dutch Data Protection Authority, and these can very quickly run up to €20 million or 4% of the enterprise’s annual worldwide turnover.
In short, to avoid severe penalties, a data controller must be sure to comply in full with all obligations under the GDPR whenever processing personal data. As we will see in the following, this is extremely relevant in mergers and takeovers.
Nondisclosure Agreement (“NDA”)
Prior to any takeover, it is advisable to set out in a nondisclosure agreement not only commitments on confidentiality, but also arrangements on compliance with privacy legislation both during the negotiations and after the takeover. These should include, for example, arrangements on the storage, return and destruction of personal data in the event that the deal does not go through, a prohibition on providing personal data to third parties, and a stipulation that the personal data collected may only be used for the purposes of evaluating and assessing the target company.
But even if these arrangements are not set down in black and white, the parties must comply with the GDPR. Both buyer and seller can qualify as controllers, and each has an independent obligation to comply with the GDPR.
Due Diligence Investigation
A company considering whether the takeover of a given company is a good fit for it as acquirer will generally perform a due diligence investigation. During this investigation the selling party shares a huge amount of information with the buyer to enable it to make an informed choice about the purchase. In many cases, this involves the use of a digital data room to which all information is uploaded. For the purposes of full disclosure, the parties will be tempted to exchange large amounts of information through this digital data room, including employment contracts, customer lists, etc. But exchanging this kind of information can very quickly lead to a violation of the GDPR and increase the risk of a penalty. A very legitimate question is whether the seller actually has a legal basis for making the personal data available for the purposes of the due diligence investigation.
In light of the GDPR, it is therefore vital to restrict the amount of data to the absolute minimum necessary. The parties need to understand that they cannot simply share everything. It is essential to put the minimum possible amount of personal data (and ideally, none at all) in the data room. Names, dates of birth, addresses and other personal data of employees must be redacted from employment contracts. Wherever possible, a model employment contract should be uploaded instead of the actual employment contracts. Another option is to provide purely abstract information about the personnel. This could include, for example, a list showing the number of employees, the average salary per position, the rate of sickness absence in percent, etc. This gives the acquiring party the insight it needs into the structure of the target company without sharing personal data unnecessarily. Of course, there is a certain degree of tension between the obligation to be as transparent as possible and compliance with the GDPR.
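The following is an added illustration, not part of the original article, of how a seller might prepare the abstract personnel figures described above before anything goes into the data room. It strips the identifying fields from constructed HR records and reports only headcount, average salary and sickness absence per position. It goes one step beyond the article by suppressing the figures for positions held by fewer than a chosen number of people (a hypothetical threshold), because an “average salary” for a position held by one person is still that person's salary. The field names and all records are assumptions made up for this example.

```python
"""
Data-minimisation helper for a due-diligence data room (added example).

Instead of uploading employment contracts with names, dates of birth and
addresses, the seller shares only abstract figures per position. All
records below are constructed sample data; no real persons are involved.
"""
from collections import defaultdict

# Field names that identify a natural person (assumed list for this example).
PERSONAL_FIELDS = {"name", "date_of_birth", "address", "employee_id", "email"}

# Constructed sample HR records (hypothetical field names).
EMPLOYEES = [
    {"employee_id": 1, "name": "A. Example", "date_of_birth": "1985-03-02",
     "address": "Somestreet 1", "position": "engineer", "salary": 60000,
     "sick_days": 4, "workdays": 220},
    {"employee_id": 2, "name": "B. Example", "date_of_birth": "1990-07-14",
     "address": "Somestreet 2", "position": "engineer", "salary": 62000,
     "sick_days": 2, "workdays": 220},
    {"employee_id": 3, "name": "C. Example", "date_of_birth": "1978-11-30",
     "address": "Somestreet 3", "position": "engineer", "salary": 64000,
     "sick_days": 6, "workdays": 220},
    {"employee_id": 4, "name": "D. Example", "date_of_birth": "1992-01-09",
     "address": "Somestreet 4", "position": "sales", "salary": 50000,
     "sick_days": 0, "workdays": 220},
    {"employee_id": 5, "name": "E. Example", "date_of_birth": "1988-05-21",
     "address": "Somestreet 5", "position": "sales", "salary": 52000,
     "sick_days": 3, "workdays": 220},
    {"employee_id": 6, "name": "F. Example", "date_of_birth": "1983-09-17",
     "address": "Somestreet 6", "position": "sales", "salary": 54000,
     "sick_days": 3, "workdays": 220},
    {"employee_id": 7, "name": "G. Example", "date_of_birth": "1970-02-28",
     "address": "Somestreet 7", "position": "ceo", "salary": 150000,
     "sick_days": 1, "workdays": 220},
]


def redact_record(record):
    """Return a copy of one record with every personal field removed."""
    return {k: v for k, v in record.items() if k not in PERSONAL_FIELDS}


def aggregate(records, min_group_size=3):
    """
    Build the abstract personnel overview: total headcount plus, per
    position, headcount, average salary and sickness absence in percent.

    Positions with fewer than min_group_size holders are pooled under
    "other"; if that pool is itself still too small, only its headcount
    is reported and the salary and absence figures are left out, so a
    single individual cannot be re-identified from the statistics.
    """
    by_position = defaultdict(list)
    for rec in records:
        by_position[rec["position"]].append(redact_record(rec))

    pooled = defaultdict(list)
    for pos, recs in by_position.items():
        pooled[pos if len(recs) >= min_group_size else "other"].extend(recs)

    summary = {"total_headcount": len(records), "positions": {}}
    for pos, recs in pooled.items():
        n = len(recs)
        entry = {"headcount": n, "avg_salary": None, "sickness_absence_pct": None}
        if n >= min_group_size:
            entry["avg_salary"] = round(sum(r["salary"] for r in recs) / n, 2)
            sick = sum(r["sick_days"] for r in recs)
            work = sum(r["workdays"] for r in recs)
            entry["sickness_absence_pct"] = round(100 * sick / work, 2)
        summary["positions"][pos] = entry
    return summary


def contains_personal_data(obj):
    """Recursively check whether any personal field name survives in obj."""
    if isinstance(obj, dict):
        return any(k in PERSONAL_FIELDS or contains_personal_data(v)
                   for k, v in obj.items())
    if isinstance(obj, list):
        return any(contains_personal_data(v) for v in obj)
    return False


if __name__ == "__main__":
    overview = aggregate(EMPLOYEES)
    assert not contains_personal_data(overview)
    for position, figures in overview["positions"].items():
        print(position, figures)
```

The final check before upload is the important part: the raw records fail `contains_personal_data`, the overview passes it, and the overview is the only thing that leaves the seller's systems.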
As a result of the GDPR, today’s due diligence investigation must therefore also assess the degree to which the target is privacy-compliant. Avoiding any surprises (financial or otherwise) later may call for a “privacy” due diligence, to assess whether the target is in compliance with all relevant privacy legislation (including, of course, the GDPR). This would cover questions such as: how does the target company collect, use, store, delete or destroy personal data? How does the target company handle data breaches? Does the target company keep a processing log and a data breach log? Have there been data leaks in the past? Is the target company required to appoint a data protection officer, and has it done so?
For this compliance check, the target company’s processing log can be a good starting point, since by definition it logs the type of personal data the target company processes, the purposes for which it does so, the way in which it does so, the retention periods, how the data is secured, etc.
The way personal data is processed and secured is also an important aspect that needs to be addressed during a due diligence investigation. Setting up a suitable IT environment and then establishing a properly functioning security infrastructure for the personal data processed can be an expensive proposition. If the due diligence reveals that the target company has not yet done this, this can be taken into account in the calculation of the purchase price.
From the seller’s position, it may be advisable to have such a GDPR compliance check conducted before the sale process starts. This is one way the seller can show the buyer that its enterprise is privacy-compliant, which will also have a beneficial effect on the purchase price. However, don’t be fooled by the various GDPR quality marks that one finds in the market these days. This is a warning echoed by the Dutch Data Protection Authority, because there is as yet no standard on the basis of which any such quality marks are issued.
Share Purchase Agreement (“SPA”)
Depending on what the due diligence investigation reveals with regard to the target company’s compliance with all its obligations under the GDPR, it may be advisable to set this out in the purchase contract.
If it turns out that the target company is not yet completely “GDPR-proof”, steps can be taken to limit the buyer’s risk by including specific guarantees or indemnifications.
Want to know more?
If you have any questions after reading this article or would be interested in a GDPR compliance check, contact our teams Mergers & Acquisitions or Privacy. They will be happy to talk things through with you.