Switzerland: Data Protection In The Due Diligence Of M&A Transactions

Companies face a challenge when it comes to different compliance rules, with the legal framework applicable to data protection playing an important role in this process. Data protection awareness in Europe may have substantially increased in the past few years but is nevertheless often an underestimated issue. Special attention should be paid to the topic in M&A transactions.

If companies or their assets are transferred in the context of an M&A, the transfer and processing of data may be at issue in various respects and at several stages of the transaction, be it (i) in connection with its preparation (disclosure of information to potential acquirers), (ii) in the context of its completion (actual data transfer (namely in asset deals)) or (iii) in connection with the subsequent integration of the acquired company in the group of the acquirer (use of the target company's data).

This article primarily focuses on the preparatory phase of M&A deals, where data protection issues particularly arise in relation to the due diligence process. First, it describes the general data protection rules which have to be considered when setting up a data room. It then briefly shows the potential consequences of a breach of these rules. Finally, it concludes with recommendations on how companies can comply with these rules in the due diligence process.

Conflicting interests

The purpose of disclosure and the establishment of a data room is usually the search for potential purchasers or investment partners (the investors). A company discloses financial information, important contracts and other documents to potential investors to provide them with the opportunity to assess contractual risks and the value of the company. It is obvious that, on the one hand, potential investors are interested in information being as comprehensive as possible to decide whether they would like to buy or invest in the target company. The target company, on the other hand, has to abide by data protection rules as well as contractual and statutory confidentiality obligations. As such, what information may be disclosed by a company in a due diligence process, and at what stage?

Barriers to disclosure of information in due diligence

Confidentiality obligations

When setting up a data room in M&A transactions, companies should bear in mind that, in addition to being compliant with data protection rules (see below), they are generally obliged to protect business and industrial secrets as well as further confidential information. Information is considered confidential if it is not publicly known – for example, unpublished financial data, business plans or know-how not in the public domain. Furthermore, professional secrets and bank secrecy have to be kept and cannot be disclosed in a due diligence process. If a company considers disclosing memoranda provided by third party advisors or consultants (eg a memorandum regarding a newly envisaged group structure), the consent of this third party is usually required, given that such memoranda regularly contain provisions making their disclosure subject to the author's prior consent.

Swiss data protection rules, on which this article focuses, partly overlap with these general confidentiality barriers. However, they also encompass further data which would otherwise not be protected.

Data protection obligations

The Swiss Federal Act on Data Protection (FADP) aims to protect the privacy and the fundamental rights of persons when their data is processed. It applies to data pertaining not only to natural persons but also – unlike data protection regulations in most other jurisdictions – to legal persons (such as corporations, limited liability companies etc). According to the FADP's article 3 section a, personal data is defined as all information relating to an identified or identifiable person. Hence, in a due diligence process, under Swiss law, personal data is at issue not only when dealing with data of employees and corporate officers but also in the context of processing customer and supplier data. Therefore, a company disclosing its contracts or any other information containing personal data has to be careful not to violate any data protection provisions. Companies should never forget that they do not only have to protect their own data but also data of third parties such as suppliers and customers.

Risk of unjustified data processing

In the context of the preparation of M&A transactions, the risk of unjustified data processing and transfer is substantial. There is a significant risk that data disclosed in a data room is too extensive and/or accessible to too many or to the wrong people. Potential investors may receive more personal information than actually required for the purchase of, or an investment in, a company.

As a fundamental rule, each processing of personal data has to be in line with the principles set out in FADP's articles 4 et seq. That the disclosure of company information in a data room and its assessment by the investor have to be qualified as data processing is obvious in view of the legal definition of this term in article 3 section e. Pursuant to this provision, data is processed by any operation with personal data, irrespective of the means applied and the procedure, and in particular by the collection, storage, use, revision, archiving, destruction and, notably, disclosure of data.

In case of a breach of data protection provisions, affected persons may claim damages, request the surrender of profits and seek compensation for personal suffering. They may particularly also request that (i) their data be corrected or destroyed, (ii) data processing be stopped and (iii) no data be disclosed to third parties. According to the FADP, the claim is related to, and expressly governed by the rules regarding, personality protection according to article 28 et seq. of the Swiss Civil Code. Furthermore, in case of an unlawful disclosure, contractual penalties are often triggered. Finally, the breach of data protection rules may under certain circumstances result in criminal sanctions.

In view of these far-reaching consequences, the parties involved in a due diligence process are well advised to process data only in compliance with the FADP. What does this mean in more practical terms?

General data protection principles

Personal data may only be processed lawfully, in good faith and in a proportionate manner. As a general rule no more information than is absolutely necessary should be disclosed in a data room, and a company managing a data room is well advised to disclose information gradually. The relevant test will always be whether the other party really needs to know the information at the current stage.

Furthermore, personal data may only be processed for the purpose indicated at the time of collection – which is evident from the circumstances or provided for by law. The collection of personal data and in particular the purpose of its processing must be evident to the data subject.

The consent of the data subject leads to a lawful or justified processing of data. However, it has to be considered in this context that such consent is valid only if given voluntarily upon the provision of adequate information. Additionally, consent must always be given expressly in case of processing of sensitive personal data or personality profiles (see below).

Cross-border disclosure is only permitted if the privacy of the data subject is adequately protected by the recipient. If there is no statute providing for adequate protection, the parties have to ensure such protection by entering into respective contractual provisions. If no such adequate protection is guaranteed, personal data may in principle only be disclosed abroad with the consent of the data subjects.

Possible justifications

If the above-mentioned data protection principles are breached the processing is unlawful, unless it is justified by (i) the consent of the affected party, (ii) an overriding private or public interest or (iii) statutory law (article 13 para 1 of the FADP).

In case of disclosure of sensitive personal data (including religious, ideological, political or union-related views or activities, health, racial origin, social security measures and administrative or criminal proceedings) or personality profiles (which are defined as a collection of data permitting an assessment of essential characteristics of the personality of a natural person) to third parties, a justification is always required. Additionally, a party receiving sensitive personal data or personality profiles is obliged to inform the data subject of the collection.

Justification based on statutory law or overriding public interest is not necessarily readily apparent or available in the case of disclosure in a due diligence. Therefore, we will focus hereinafter on the justification by consent of the affected party and the overriding private interest.

As mentioned above, an affected person may only give valid consent if it is based on appropriate information and given voluntarily. Precautionary general consent to data processing included in the general terms and conditions of a contract is usually insufficient to meet these two criteria. The provisions in general terms and conditions are often vague, and any approval included in them is considered involuntary, because they are usually not negotiable.

There is usually a broad range and number of documents in a data room. Obtaining the individual consent of each and every single party involved is barely feasible in most M&A transactions, and in some cases not feasible at all. First of all, the timeframe is usually very tight. Secondly, the risk of an affected party not responding is rather high and may result in uncertainty regarding the lawfulness of the intended disclosure. Finally, the transaction is usually only known to a very limited circle of persons interested in its strict confidentiality. The confidentiality of this circle could be undermined if a large number of consents from third parties needed to be obtained.

As regards the justification of an overriding private interest, the FADP's article 13 para 2 lists certain examples which may justify processing of data that would otherwise be unlawful. For instance, a person processing data may be considered as having an overriding interest if the personal data is processed by such party in direct connection with the conclusion or the performance of a contract and if the personal data is that of a counterparty. Parties involved in an asset deal or company transfer may, according to the predominant opinion of legal doctrine, invoke this justification because the contract's continuing performance by the acquirer is in the interest of all involved parties. However, the company disclosing data has to carefully weigh up its disclosure interest against the privacy interest of the affected data subject. This often leads to substantial uncertainty. Taking appropriate measures to live up to the above-mentioned data protection principles therefore becomes all the more important.

The Commissioner's recommendations

The Swiss Federal Data Protection and Information Commissioner issued guidelines regarding adequate data protection in the context of M&A in 2010, expressly setting out measures to comply with the FADP. With respect to the due diligence process, these guidelines include:

  • Personalised data shall not be physically transferred to potential investors or their advisors. These parties shall merely be given the possibility to see information on site or in a data (information) room.
  • The selection of potential investors granted access to a data room shall be strictly limited to those persons with an actual interest in the company's acquisition.
  • Only a restricted group of persons shall be allowed to access the data room. These persons have to contractually agree to not further use and to destroy the received information in case of a possible failure of the negotiations.
  • The disclosed information shall be limited to what is really necessary and shall be reduced to the amount justified in view of the weighing of interests. Furthermore, data should be anonymised or aggregated so no person can be identified.
  • The extent of provided personal data shall be appropriate to the stage of the transaction process. The more advanced the process is, the more information may be disclosed. If the conclusion of a transaction contract gets closer and becomes more likely, more data may be disclosed.
  • In order to have additional security, non-disclosure agreements (NDAs) with explicit data protection clauses shall be concluded pursuant to which potential investors and their advisors shall be obliged to comply with data protection regulations.
  • Specified statutory professional confidentiality provisions need to be unconditionally complied with.

Practical recommendations to mitigate data protection issues

What do the Commissioner's recommendations mean? How can they help avoid or at least mitigate data protection issues?

According to the first recommendation, companies should prohibit the copying, saving and printing of documents from the data room to prevent confidential information from spreading. This may be somewhat cumbersome for the potential investor and its advisors but adequately supports data protection.

With respect to recommendations two and three, data rooms nowadays are predominantly established as online platforms (virtual data rooms). The customary technical security standards to preclude unauthorised persons from gaining access to digital data should, of course, also apply to such data rooms. Hence, companies have to ensure that access to the online platform is strictly password protected. To avoid further issues and efforts connected to international data transfers, it seems advisable that the server of the online platform not be located in a jurisdiction whose legislation, from a Swiss perspective, does not guarantee adequate data protection (for instance the USA, India, Japan or China).

Furthermore, access to the data room should be strictly limited to those persons who really need to assess the documents (need-to-know principle). The group of persons to whom access is granted should be kept as small as possible. Additionally, such persons must have a current and genuine interest in the due diligence.

It goes without saying that every single person granted access to a data room should be expressly obliged to (i) use the information in the data room only for the purpose of the due diligence, (ii) not disclose information to any third party, (iii) not print or copy documents from the data room and (iv) take appropriate measures to ensure that, while they are logged in to the data room, no other person can access the relevant computer or other communication device.

In case the transaction negotiations fail, the persons granted access to the data room should agree to destroy all received information, including their due diligence results. Very often, data room providers prepare data room rules setting out all these obligations and require each user to accept these rules at first login, before accessing the information.

Recommendations four and five provide that no more information than absolutely necessary should be disclosed. Instead of fully holding back documents from the data room, this requirement may also be fulfilled if the personal data set out in such documents is anonymised or blackened. Companies may then, at later stages of the transfer negotiations when the deal is more likely to be concluded, disclose less heavily blackened documents, if required. When blackening information, no individual person – natural or legal – may be identifiable. In the early stages of a deal, contracts with the top management should be blackened in such a way that not even the CEO may be identified. Step-by-step disclosure makes it possible to forgo the disclosure of personalised data from the outset and ensures that only rather general information is disclosed in the initial phase.

Customer, supplier and in particular employee data should – at least in the initial phase of the due diligence – be disclosed only in an abstract way. Therefore, no individual data of employees should be disclosed, for example, but rather only their number, average age and salary, or the percentage of women and university graduates, etc. Last but not least, one may consider disclosing more sensitive information only upon specific request.

Referring to recommendation six, the following can be noted: to keep a possible M&A transaction in the preparatory phase strictly confidential, protect business and industrial secrets as much as possible, and comply with the above data protection principles, it has become standard that target companies sign confidentiality agreements/NDAs at the outset of the transaction process, before starting the due diligence. In general, these agreements contain provisions regarding the storage, return or destruction of information and are secured by a contractual penalty for non-performance. Furthermore, the agreements usually provide that accessed information shall not be forwarded by the recipient to any third party and shall be used exclusively for the evaluation and assessment of the target company. Commonly, the agreed non-disclosure duty and confidentiality obligation, respectively, shall survive both (i) in case a transaction contract between the parties is concluded and (ii) in case the parties discontinue the transaction.

Considering that virtual data rooms may regularly be accessed from everywhere in the world, and because in international transactions parties and advisors in various jurisdictions need to assess the disclosed information, disclosure is often considered an international data transfer. Accordingly, if jurisdictions are involved which do not guarantee an adequate data protection level, respective contractual guarantees have to be entered into.

In case information is protected by statutory confidentiality provisions (see the seventh recommendation), or other highly sensitive information needs to be disclosed, the concept of 'advisors only disclosure', also known as the clean team approach, may be considered. The advisors have to undertake that they will convey to their client no details of the reviewed documentation but only generic information.

Summary and conclusion

The protection of personal data and compliance with the respective legal framework has – at least in EU jurisdictions and Switzerland – become an important and sensitive topic, especially when it comes to M&A and particularly due diligence. As Swiss data protection provisions protect not only data of natural but also legal persons, good M&A practice requires that disclosure of personal data, not only of employees but also of customers and suppliers, is only made lawfully, ie in line with the applicable data protection rules.

Needless to say, the obligation to protect data does not end with the due diligence but also extends to the completion of the M&A transaction.

Sufficient human resources and time have to be reserved so that the transaction, and particularly the due diligence process, can be diligently planned and structured in a way which is compliant with the relevant rules and which secures the right of personality of all involved data subjects.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
