Law Society of Scotland

Data protection in M&A deals – at crossed purposes?

Corporate briefing: data protection rules impact on the due diligence process in corporate sales or disposals, and steps should be followed to ensure that personal data are handled appropriately
17th June 2019 | Sophie Graham

Whether acting for the buyer or seller in a sale or disposal, one of the most crucial tasks is the due diligence (DD). It enables the buyer to find out as much as possible about the target (to support its pricing and consider risk allocation), and the seller to disclose as much as possible (to hold the agreed price, qualify the warranties and deal with risk allocation). Depending on the business, the information given could focus on employees, customers and suppliers, and include much personal data about individuals.

Whether it is an asset purchase, or the purchase of a company, the data protection principles set out in the GDPR and the Data Protection Act 2018 apply to the entire timeline of a deal, from inception to completion and integration. Both sides need to pay particular attention to ensure ongoing compliance with those principles throughout the transaction, meaning personal data must be:

  • processed lawfully, fairly and in a transparent manner;
  • collected for a specified, explicit and legitimate purpose;
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • accurate and, where necessary, kept up to date;
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
  • processed in a manner that ensures appropriate security.

In addition, there is the overarching principle that the controller must demonstrate compliance (the accountability principle).

Pitfalls and protections

This presents a problem for the seller, as it will first have to consider whether it has notified its data subjects of the possibility that their data will be transferred to potential buyers, and its legal basis for doing so. The first port of call would be to check the seller’s privacy notice and its contracts of employment – do they mention that personal data may be transferred in merger, acquisition or change of control? 

Absent notification, transferring data without the subjects’ knowledge could breach article 13 of the GDPR (information to be given to the data subject at point of collection). 

While signing a non-disclosure agreement (NDA) with the purchaser is prudent in order to ensure confidentiality of information passed between seller and buyer, data subjects will rarely be parties to the NDA or notified of its existence. Nonetheless, as well as carefully defining and protecting confidential information, the NDA should have GDPR compliance undertakings, and include an indemnity from the buyer in the event of a data breach.

Going back to the purpose limitation principle, personal data should not be processed in a manner that is incompatible with the purposes for which they were collected. In other words, a data controller should not inform a data subject that their data will be used for one purpose, and then use it for another (unless that use falls within an exception such as the data subject having given consent to the further processing).

Given it will not be feasible or commercial for the seller to notify its data subjects of the possible deal, the seller needs to keep a record of why it would be disproportionate to inform individuals (for example, it would breach its confidentiality obligations under the NDA), weigh its legitimate business interest in providing this information for the sale, and, if possible, argue that such a transfer would not be outside the individual’s reasonable expectation.

Recipients of personal data in corporate transactions who become data controllers (e.g. the buyers) can rely on the article 14(5) notification exception until completion of the transaction, on the basis that notifying individuals regarding the processing of their personal data would defeat the objectives of the processing.

The seller should also carry out data mapping to identify what data it intends to transfer, any special category data, the purpose of processing, the legal basis relied on for processing, the recipients of the data, whether the data will go outwith the EEA (and the legal basis for doing so), and, where possible, time limits for keeping the data and security measures taken.

There will be some information the seller can disclose in order to comply with a legal obligation, for example TUPE. However, a difficulty presents itself if special category data are disclosed. Article 9 of the GDPR sets out the limited grounds for transferring special category data. If the seller cannot find an article 9 ground to rely on, such information should not be transferred until the sale has completed (although technically, if a company, as opposed to its assets, is the target of the sale, the personal data stay in that same entity).

Practical steps

So here are some basic recommendations to bear in mind during the DD process and indeed throughout the transaction:

  • When possible (almost always these days), data rooms should be used to manage the DD. That way the seller can limit access to the documents to read/view only, unless permission to copy is given to specific visitors. 
  • Sellers should also ensure there is a data processing agreement with the data room site. 
  • Anonymise employee, customer and supplier data, generally by redaction.
  • Pseudonymise personal information so that the data subject in question cannot be identified without additional information, which must be held separately from the pseudonymised data and must have sufficient security in place to ensure the personal data are not attributed to the data subject.
  • Aggregate salary data so that individuals’ salaries are not identifiable.
  • Use sample contracts rather than copies of actual signed contracts.
  • Compile summary information in relation to disputes or commercial and personal data.
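
As an added illustration (not part of the original article), the pseudonymisation and salary aggregation steps above could be applied to an employee list before upload to the data room along these lines. The keyed-hash (HMAC) approach, the field names, the minimum group size of three and the sample records are all assumptions made for the example.

```python
import hashlib
import hmac
from collections import defaultdict
from statistics import median

MIN_GROUP = 3  # assumed threshold: roles with fewer staff get no salary figure


def pseudonym(key: bytes, identifier: str) -> str:
    """Repeatable token for one person; cannot be recomputed without the key."""
    digest = hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256)
    return "EMP-" + digest.hexdigest()[:12]


def prepare_for_data_room(records, key):
    """Split an HR extract into what is disclosed and what the seller retains.

    disclosure: rows for the data room, with no names and no exact salaries
    lookup:     the 'additional information', held separately by the seller
    bands:      salary aggregated per role, small groups suppressed
    """
    disclosure, lookup, by_role = [], {}, defaultdict(list)
    for rec in records:
        token = pseudonym(key, rec["email"])
        lookup[token] = {"name": rec["name"], "email": rec["email"]}
        # Role and start year can still single out a person in a small team;
        # review which columns are really needed before disclosure.
        disclosure.append({"id": token, "role": rec["role"],
                           "start_year": rec["start_year"]})
        by_role[rec["role"]].append(rec["salary"])
    bands = {}
    for role, salaries in by_role.items():
        if len(salaries) < MIN_GROUP:
            bands[role] = {"headcount": f"<{MIN_GROUP}", "median": None}
        else:
            bands[role] = {"headcount": len(salaries), "median": median(salaries)}
    return disclosure, lookup, bands


# Constructed sample data, not real individuals.
SAMPLE = [
    {"name": "A. Example", "email": "a@target.example", "role": "Analyst", "start_year": 2015, "salary": 31000},
    {"name": "B. Example", "email": "b@target.example", "role": "Analyst", "start_year": 2017, "salary": 33000},
    {"name": "C. Example", "email": "c@target.example", "role": "Analyst", "start_year": 2018, "salary": 36000},
    {"name": "D. Example", "email": "d@target.example", "role": "Director", "start_year": 2009, "salary": 90000},
]
SAMPLE_KEY = b"constructed-demo-key"  # a real key would be generated and stored securely
```

Only `disclosure` and `bands` would go into the data room; `lookup` and the key stay with the seller, outside the data room environment.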

Usually, once the transaction has completed, it will be up to the buyer to notify the data subjects and update any privacy notices.

However, in the disappointment which often follows a “no deal”, the seller must recover the personal data as best it can and ensure no further access to the data room (or that personal data made available outside the data room environment are recovered).

The Author

Sophie Graham, solicitor, Wright, Johnston & Mackenzie LLP