In the second quarter of 2020 alone, investors completed €563.6 billion worth of mergers and acquisitions (“M&A”) in the European Union (“EU”). It is clear that even global disruptions such as the COVID-19 pandemic do not disturb this sector, and deal volume continues to grow. However, the process has undoubtedly been altered by the entry into force of the General Data Protection Regulation (“GDPR”) in 2018, which set new data protection standards in the EU. For compliance reasons, it is important to consider data protection requirements as early as possible in the M&A process; as a result, data security has quickly become a top priority of the due diligence process.
An M&A transaction is structured either as a share deal, as an asset deal, or as a combination of both. In any deal, a multitude of data flows will be exchanged between the parties, including personal data. The amount of personal data will vary depending on the object of the transaction. The main issue for the potential buyer is to put GDPR on the due diligence checklist and verify whether the target company complies at least with the basic principles of GDPR. The checklist shall assess the governance and decision-making process for the processing of personal data, awareness training, notifications to the supervisory authorities, the appointment of a DPO, the roles and responsibilities regarding the processing of personal data, the implementation of data subjects’ rights, data transfers, technical and organizational security measures, etc.
The next step is to decide how to share information during the due diligence process. One of the most commonly suggested approaches is to set up a virtual data room. When using such a virtual data room, the parties shall use no more personal data than necessary to achieve the purpose, sign non-disclosure agreements, apply security measures and technical restrictions to the processing, use data anonymization and pseudonymization, agree on how data will be deleted or returned after the due diligence process is finished, and take other measures which ensure compliance with GDPR.
At the same time, it is crucial to remember that personal data is data about data subjects, and they have rights under GDPR. The privacy notice to data subjects is an issue that shall not be forgotten. If the requirements set forth by Articles 13 and 14 of GDPR are not followed, sanctions for infringements of data protection rules may be applied; amongst others, a fine of up to EUR 20 million or 4% of worldwide annual turnover may be imposed.
The European Data Protection Board, following the announcement of Google LLC’s intention to acquire Fitbit, reminded the parties to the proposed merger that they have obligations under the GDPR and must conduct a full assessment of the data protection requirements and privacy implications of the merger in a transparent way. This means that, regardless of the size of the M&A transaction, data security and compliance with GDPR shall be a priority for both parties to such transactions.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
Prepared by attorney at law Loreta Andziulytė and assistant attorney at law Milda Šlekytė