Data protection in M&A deals – at crossed purposes?

Whether acting for the buyer or seller in a sale or disposal, one of the most crucial tasks is the due diligence (DD). It enables the buyer to find out as much as possible about the target (to support its pricing and consider risk allocation), and the seller to disclose as much as possible (to hold the agreed price, qualify the warranties and deal with risk allocation). Depending on the business, the information given could major on employees, customers, suppliers and include much personal data about individuals. 

Whether it is an asset purchase, or the purchase of a company, the data protection principles set out in the GDPR and the Data Protection Act 2018 apply to the entire timeline of a deal, from inception to completion and integration. Both sides need to pay particular attention to ensure ongoing compliance with those principles throughout the transaction, meaning personal data must be:

• processed lawfully, fairly and in a transparent manner;
• collected for a specified, explicit and legitimate purpose;
• adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
• accurate and, where necessary, kept up to date, kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
• processed in a manner that ensures appropriate security. In addition, there is the overarching principle that the controller must demonstrate compliance (the accountability principle).

Pitfalls and protections

This presents a problem for the seller, as it will first have to consider whether it has notified its data subjects of the possibility that their data will be transferred to potential buyers, and its legal basis for doing so. The first port of call would be to check the seller’s privacy notice and its contracts of employment – do they mention that personal data may be transferred in merger, acquisition or change of control? 

Absent notification, transferring data without the subjects’ knowledge could breach article 13 of the GDPR (information to be given to the data subject at point of collection). 

While signing a non-disclosure agreement (NDA) with the purchaser is prudent in order to ensure confidentiality of information passed between seller and buyer, data subjects will rarely be parties to the NDA or notified of its existence. Nonetheless, as well as carefully defining and protecting confidential information, the NDA should have GDPR compliance undertakings, and include an indemnity from the buyer in the event of a data breach.

Going back to the purpose limitation principle, personal data should not processed in a manner that is incompatible with those purposes. In other words, a data controller should not inform a data subject that their data will be used for one purpose, and then use it for another (unless that use falls within an exception such as the data subject having given consent to the further processing).

Given it will not be feasible or commercial for the seller to notify its data subjects of the possible deal, the seller needs to keep a record of why it would be disproportionate to inform individuals (for example, it would breach its confidentiality obligations under the NDA), and balance the seller’s legitimate business interests being to provide this information for the sale, and if possible, argue that such a transfer would not be outside the individual’s reasonable expectation.

Recipients of personal data in corporate transactions who become data controllers (e.g. the buyers) can rely on the article 14(5) notification exception until completion of the transaction, on the basis that notifying individuals regarding the processing of their personal data would defeat the objectives of the processing.

The seller should also be data mapping to identify what data it intends to transfer, any special category data, the purpose of processing, the legal basis relied on for processing, the recipients of the data, whether it is outwith the EEA (the legal basis for doing so), and, where possible, time limits for keeping the data and security measures taken. 

There will be some information the seller can disclose in order to comply with a legal obligation, for example TUPE. However a difficulty presents itself if special category data are disclosed. Article 9 of the GDPR sets out the limited grounds for transferring special category data. If the seller cannot find an article 9 ground to rely on, such information should not be transferred until the sale has completed (although technically, if a company, as opposed to its assets, is the target of the sale, the personal data stay in that same entity). 

Practical steps

So here are some basic recommendations to bear in mind during the DD process and indeed throughout the transaction:

• When possible (almost always these days), data rooms should be used to manage the DD. That way the seller can limit access to the documents to read/view only, unless permission to copy is given to specific visitors. 
• Sellers should also ensure there is a data processing agreement with the data room site. 
• Anonymise employee, customer and supplier data, generally by redaction.
• Pseudonymisation of personal information to make it impossible to identify the data subject in question without additional information – which must be held separately from the pseudonymised data and must have sufficient security in place to ensure the personal data are not attributed to the data subject.
• Aggregate salary data so that individuals’ salaries are not identifiable.
• Use sample contracts rather than copies of actual signed contracts.
• Compile summary information in relation to disputes or commercial and personal data.

Usually, once the transaction has completed, it will be up to the buyer to notify the data subjects and update any privacy notices.

However, in the disappointment which often follows a “no deal”, the seller must recover the personal data as best it can and ensure no further access to the data room (or that personal data made available outside the data room environment are recovered).