ARTICLE
22 May 2025

Due Diligence In M&A: Addressing Data Privacy And Competition Law Challenges

CBC Law Firm

Contributor

CBC Law (Formerly Cetinkaya) is a full-service law firm based in Istanbul servicing local and international clients. Our lawyers have extensive expertise in advising on dispute resolution, business crime, technology, data protection and intellectual property. CBC Law prides itself on helping clients navigate their way through a constantly changing and challenging legal landscape. With a seamless multidisciplinary approach positioned at the intersection of industry knowledge and legal expertise, we provide our clients with legal solutions that are tailored to their needs in Turkey.
Turkey Antitrust/Competition Law

M&A transactions involve complex legal risks, especially during due diligence when competitively sensitive information and personal data are exchanged. Improper handling may lead to competition law violations like gun jumping and data privacy breaches. To reduce these risks, companies should implement clean teams, limit access, secure data rooms, use NDAs, and involve legal advisors early. These practices help ensure compliance and support a smooth M&A process.

Mergers and acquisitions (“M&A”) are intricate processes involving a multitude of legal, financial, operational, and strategic considerations. A particularly sensitive phase in M&A transactions is the due diligence and negotiation stage, during which parties frequently share competitively sensitive information, trade secrets, and personal data. If these exchanges are not handled properly, they may result in significant legal and regulatory consequences.

This article outlines the typical competition law and data privacy risks encountered during the pre-M&A phase and provides best practice recommendations to mitigate such risks.

Competition Law Perspective

Under Article 7 of the Act on the Protection of Competition No. 4054 (the Act), the merger of two or more undertakings, or the acquisition of direct or indirect control over all or part of one or more undertakings by one or more undertakings or by one or more persons who currently control at least one undertaking, through the purchase of shares or assets, through a contract or through any other means, shall be considered an M&A transaction, provided there is a permanent change in control.[1] In due diligence, parties may exchange confidential information with each other. Information exchanges can potentially restrict competition, particularly when they provide businesses with knowledge of their competitors' strategic plans,[2] and may result in competition law violations and penalties when not dealt with appropriately.

For instance, in a case reviewed by the U.S. Federal Trade Commission (“FTC”), the CEOs of merging firms shared confidential details about price floors, discount strategies, growth plans, and performance metrics. While the FTC did not oppose the merger itself, it concluded that the exchange of competitively sensitive information reduced uncertainty between competitors and risked anticompetitive coordination. In another case, both the merger and the information exchange were scrutinized because the FTC noted that the two companies competed against each other in a concentrated market and that the information exchange had the potential to harm competition in the interim period before the merger.

Therefore, the FTC stresses caution during due diligence and pre-merger negotiations to reduce competition risks.[3] The FTC also underlines that pre-merger information exchange may lead to gun jumping.[4]

Data Privacy Perspective

In M&A deals, huge amounts of data including personal data of employees, customers, and business partners can be exchanged, and therefore data privacy is a relevant compliance factor. Data protection laws put crucial requirements on processing personal data and non-compliance will attract regulatory sanctions and legal disputes.

Personal data processing in the due diligence stage may generally be based on the legal ground that the processing is necessary for the legitimate interest of the data controller. However, this ground should not be interpreted as a general and unlimited authorization for excessive data processing. In this context, it is mandatory to conduct a balance test by comparing the fundamental rights and freedoms of the person with the legitimate interest of the data controller. Additionally, all activities pertaining to the processing of personal data should be consistent with the data protection principles, which impose purpose and storage limitation, integrity and confidentiality, data minimization and proportionality.[5]

Pursuant to the rules on the protection of personal data, data subjects (persons whose personal data are processed) must be informed. In addition, the legal grounds must be assessed very accurately. If there are issues that require explicit consent, that consent must be informed, relate to a specific subject and be freely given, which are the crucial elements of explicit consent under Turkish data privacy law.

If personal data is not properly secured during the due diligence process, it may lead to data breaches and unauthorized access. Additionally, M&A deals that include cross-border data transfers could violate international data transfer standards. Therefore, it is important to comply with the data protection regulations.

Best Practices in Risk Management

To effectively address competition and data protection concerns during M&A transactions, the following best practices are recommended:

  • Clean Teams

The parties should establish clean teams consisting of third-party consultants and a limited number of individuals, while implementing measures to restrict the dissemination and use of the exchanged information within their businesses. Clean teams must not include personnel responsible for competitive planning, pricing or strategy.[6]

  • Raising Awareness

In order to reduce competition law and data privacy risks, employees with access to competitively sensitive information and personal data should be alerted to these risks. Awareness training should be provided periodically.

  • Access Limit and Data Minimization

Access to competitively sensitive information, personal data and trade secrets must be limited. Additionally, sharing only the minimum information necessary for conducting the transaction, in view of the data privacy and competition risks, is essential to curtail compliance risks with implications for market forces. It is advised that clean teams use the information on a need-to-know basis and in an aggregated manner.[7]

  • Non-Disclosure Agreements (“NDAs”)

NDAs need to define what is regarded as confidential information and how that information is to be used within and outside the context of the M&A process. This legal protection plays an essential role in protecting the confidentiality of data, trade secrets and competitively sensitive information.

  • Data Room Management and Data Security

In situations where data rooms are utilized, it is important to check the security of the room. Data used in the process needs to be made available only to a limited and pre-approved group of users. Additionally, the data room service can be outsourced to third-party companies. In this case, parties need to design the relationship for the transfer and security of personal data.[8] All parties need to take appropriate technical and organizational measures to protect the data at hand.

  • Destruction

Once the phase is completed, destruction requirements must be complied with. The guideline prepared by the Personal Data Protection Authority[9] sets a good example of destruction techniques for personal data.

  • Legal and Compliance Checks

Early involvement of legal and compliance professionals and periodic checks will assist in the identification of potential data privacy and competition law risks.

Conclusion

Pre-M&A risks need to be effectively planned for and managed. Through the adoption of best practices, companies can limit risks and enjoy a smoother M&A process. An understanding and careful application of the legislation and best practices is essential to ensure the legal and commercial success of the transaction. Last but not least, compliance with competition law and personal data protection legislation should become part of corporate culture to mitigate risks of violation.

With thanks to Derya Vural for her contribution.

References

Avoiding Antitrust Pitfalls during Pre-Merger Negotiations and Due Diligence. (2018, 03 28). Retrieved from Federal Trade Commission: https://www.ftc.gov/enforcement/competition-matters/2018/03/avoiding-antitrust-pitfalls-during-pre-merger-negotiations-and-due-diligence

Calay, N., & Akman, O. (2022, 12 30). Birleşme Devralma Süreçlerinde Due Diligence Aşamasının Kişisel Verilerin Korunması Hukuku Paralelinde Değerlendirilmesi. Kişisel Verileri Koruma Dergisi, 4(2), pp. 19-33. Retrieved from DergiPark: https://dergipark.org.tr/tr/download/article-file/2744488

Communiqué No. 2010/4 Concerning the Mergers and Acquisitions Calling for the Authorization of the Competition Board. (n.d.). Retrieved from Rekabet Kurumu: https://www.rekabet.gov.tr/Dosya/2010-4-sayili-teblig-20231107142912073.pdf

Guidelines on Horizontal Cooperation Agreements. (n.d.). Retrieved from Rekabet Kurumu: https://www.rekabet.gov.tr/Dosya/guidelines/7-pdf

Kişisel Verilerin Silinmesi, Yok Edilmesi veya Anonim Hale Getirilmesi Rehberi. (2025, 04). Retrieved from Kişisel Verileri Koruma Kurumu: https://kvkk.gov.tr/SharedFolderServer/CMSFiles/bc1cb353-ef85-4e58-bb99-3bba31258508.pdf

Köse, H. (2023, 10 23). Rekabet Hukukunda Bilgi Değişimi. Retrieved from Rekabet Kurumu: https://www.rekabet.gov.tr/Dosya/milliyet-rekabet_2023-10-23_1904210500_1854258081_0-20231023150412822.pdf

Footnotes

1. (Communiqué No. 2010/4 Concerning the Mergers and Acquisitions Calling for the Authorization of the Competition Board)

2. (Guidelines on Horizontal Cooperation Agreements)

3. (Avoiding Antitrust Pitfalls during Pre-Merger Negotiations and Due Diligence, 2018)

4. (Avoiding Antitrust Pitfalls during Pre-Merger Negotiations and Due Diligence, 2018)

5. (Calay & Akman, 2022)

6. (Avoiding Antitrust Pitfalls during Pre-Merger Negotiations and Due Diligence, 2018)

7. (Köse, 2023)

8. (Calay & Akman, 2022)

9. (Kişisel Verilerin Silinmesi, Yok Edilmesi veya Anonim Hale Getirilmesi Rehberi, 2025)

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
