Data protection issues on due diligence and disclosure

The due diligence and disclosure exercises are a critical part of most M&A transactions, involving the compiling and transferring of significant amounts of information about the target business and its employees.

Data protection issues need to be addressed at the start of the due diligence and disclosure exercises, particularly in the light of the General Data Protection Regulation (GDPR) (in force from 25 May 2018).  Transferring personal data has always been subject to data protection law, but the GDPR brings increased penalties for breach of its provisions and more onerous requirements to demonstrate compliance.

Key points for sellers to note are:

  • Dealing with personal data (usually in the form of employee data) is often an issue in an M&A transaction, particularly during the due diligence process and when disclosing against warranties.  The responsibility for holding personal data for the target business, as well as disclosing it to us or to another third party (such as a virtual data room (VDR) provider), rests with you and we will assume that you have all necessary rights to deal lawfully with that personal data under current data protection law.
  • Because of the potential sanctions arising from the improper disclosure of personal data you should always consider whether it is actually necessary to provide that personal data or whether general information will suffice.
  • Personal data that has been anonymised, so that individuals cannot be identified from it by the recipient, will not be personal data in the hands of that recipient. Therefore, all data should be considered and any personal data which it is necessary to provide should be properly anonymised prior to sending it to us/to your counterparty (or its advisers) or to a VDR provider. For example, uploading blank model contracts instead of specific employee contracts is a sensible option and it may be possible to redact other documents to avoid disclosing personal data.  Please liaise with us before sending any personal data to us, to your counterparty (or its advisers) or to a VDR provider.
  • If personal data cannot be properly anonymised (for example, where names are redacted but job titles are left in, so individuals can still be identified) then it is still personal data for the purposes of data protection law.  Personal data can only be disclosed if a lawful basis applies. In the context of an M&A transaction, unless “special category” data is involved (see below) or the information is employee liability information (also see below), it is likely that the most appropriate legal basis for disclosure will be “legitimate interests” (i.e. where it is necessary for the sale of the business or shares to disclose the data to a potential buyer).  When considering processing personal data on the basis of legitimate interests, it is recommended that a legitimate interests assessment is conducted and recorded in writing.  This will involve identifying a legitimate interest, showing that the processing of personal data is necessary to achieve that legitimate interest and balancing it against the relevant individual's interests, rights and freedoms.
  • Special categories of personal data (for example health data, data on racial or ethnic origin or data on trade union membership) require particularly careful handling to minimise the risk of enforcement action.  None of the lawful bases for processing special categories of data are applicable in the context of an M&A transaction (save for information that constitutes employee liability information (see below)).  This means that you should avoid uploading or disclosing any special category data as part of the M&A process unless it is anonymised so it no longer identifies the relevant individuals.  Please liaise with us during the course of the transaction before sending any personal data in any of those special categories to us, to your counterparty (or its advisers) or to a VDR provider.
  • In the context of a sale of business assets (rather than shares), the TUPE regulations legally oblige the seller to notify the buyer of relevant employee liability information not less than 28 days before the transfer takes place. This information will comprise employee personal data and potentially also special categories of personal data, but it is only a narrow subset of employee data and it does not cover all employee data.  Accordingly, in these limited circumstances there is a lawful basis to process this specific information under the GDPR (even where it includes any special categories of data).  However, in relation to all personal data other than employee liability information, anonymisation or a legitimate interests justification will still be required.
  • As far as possible, individuals should be made aware in advance that their personal data may be disclosed to a potential buyer.  It is unlikely to be practicable to deal with this in the run-up to a specific transaction, so ideally the target business’s employee, applicant and other relevant privacy notices will refer in general terms to the potential need to transfer personal data in the context of future M&A processes (such as disposals or restructurings).

GDPR is a complex area and this note is necessarily only a short summary.  If you would like legal advice in this area, please let us know.