A recent GDPR seminar attended by members of our team inspired us to share our thoughts on how the new European legislation on data protection would affect the M&A transactions. The GDPR implications on M&A deals would certainly go beyond the borders of the EU given the extraterritorial application of the Regulation.

Privacy "by design" and "by default" applied to the due diligence process

The GDPR requires from organizations to ensure that any new projects involving personal data are planned and implemented from the start (by design) with due attention to the data protection legislation. In addition, any such activities should, by default, ensure that only personal data necessary for each specific purpose of the processing is processed.

These principles naturally apply to the planning and the implementation of the due diligence process prior to a transaction. A data room may contain various personal data related to employees, customers or other third parties. Populating such data room must be made with due attention. For example, erasing names and passport details from contracts may not be sufficient in the case of key employees which are easily recognizable by their position within the target entity. A safer solution would be to obtain each key employee's informed and unambiguous consent and to redact any personal data to the maximum possible extent corresponding with the purposes of the due diligence. Uploading blank model contracts would remain a best practice in the case of "non-key" employees having no specific clauses in their employment agreements.

Disclosing customer data may be avoided by providing standard contracts and aggregate data in the form of analytics tables etc.

An equally important aspect is employing the services of a reliable data processor to host the virtual data room. The data processing agreement should contain, among others, detailed commitments to data security and full erasure of any personal data when no longer needed.

GDPR compliance of the target entity becomes an important aspect of the due diligence

This is particularly true for mergers and acquisitions of B2C businesses and companies processing special categories of personal data.

Any due diligence process should identify the types of personal data processed by the target entity and the lifecycle of such data within the organization. Assessment of the legal grounds for processing and the existence and implementation of adequate privacy policies and procedures should be then made. Other important aspects to be verified during the due diligence are, among others, the existence of data protection officer, records of processing activities and other documents demonstrating compliance with the GDPR and the technical and organizational security measures implemented.

Given that some aspects of the GDPR compliance review require more and specific technical knowledge, the involvement of IT specialist/s in the buyer's due diligence team is likely to become quite common in the future.

Impact on the purchase agreement

The GDPR is likely to impact the drafting of the purchase agreement. Reps and warranties should include matters such as disclosure of previous data breaches, pending compliance investigations and any other issues identified during the due diligence. The indemnification provisions, including liability caps, should be drafted with regard to the significant fines for non-compliance, potential liability for third-party actions (data processors) and limitation periods. The conditions to closing and the covenants may include specific actions addressing non-compliance issues and ensuring ongoing compliance.

Signing, Closing and Post-Closing

Post-closing integration of buyer's and seller's information systems is a major compliance matter, particularly when companies with significant data assets are involved. Although most forms of data integration between Signing and Closing would be restricted by the applicable "gun jumping" rules, this process should be planned well before the clearance of the transaction. Buyers should mind that once the deal has taken place they must still comply with the privacy policies established by the seller when processing seller's data. This means that the implementation of any new processing activities involving the target's data may require new consents and privacy notices even if such activities are already covered under the buyer's policies.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.