In the contemporary business landscape of Turkey, the rules regulating data protection have gained unprecedented importance, especially in the realm of mergers and acquisitions (M&A). This heightened significance is driven by the increasing number of foreign companies entering the Turkish market through acquisitions.

These transactions, which often involve complex data transfers and integration, place data protection at the forefront of strategic considerations. The effective management of data protection concerns becomes crucial, not just as a compliance requirement, but as a pivotal factor influencing the overall success and legality of M&A transactions.

The surge in M&A activity in Turkey, with its distinct legal and cultural landscape, presents both challenges and opportunities. The transfer and integration of sensitive data, often across borders, requires a nuanced understanding of both local and international data protection law.

As a recent Constitutional Court case also highlights, this is particularly critical given the potential liabilities that can arise from non-compliance or data breaches. In this context, M&A transactions are not merely financial or strategic decisions; data privacy and security must be weighed carefully, because they have become key determinants of the valuation and success of such deals.

1. Data Protection Legislation and Rules in Turkey

In Turkey, the keystone of data protection legislation is the Law on the Protection of Personal Data No. 6698 (the LPDP), which established a comprehensive framework for the handling of personal data. The LPDP was a significant step towards aligning Turkish law with international data protection standards, in particular the European Union's General Data Protection Regulation (GDPR). Its key provisions include the requirement of explicit consent as the default legal basis for data processing, the rights of data subjects, and the obligations of data controllers and processors.

Under the LPDP, both domestic and cross-border transfers of personal data require, as a rule, the prior explicit consent of the data subject. Nevertheless, the LPDP provides exceptions to this requirement for personal data and for personal data of a special nature, set out in Articles 5/2 and 6/3 respectively. For (non-special) personal data, Article 5/2 allows processing, and by reference in Article 8/2 also transfer to third parties, without explicit consent where the processing is:

  • Explicitly provided for by law,
  • Necessary to protect the life or physical integrity of a person who is unable to give consent,
  • Necessary for the conclusion or performance of a contract to which the data subject is a party,
  • Necessary for the data controller to fulfil its legal obligations,
  • Concerning data that the data subject has made public,
  • Necessary for the establishment, exercise or protection of a right, or
  • Necessary for the legitimate interests of the controller, provided this does not harm the data subject's fundamental rights and freedoms.

Understanding these rules is essential for parties to an M&A transaction, because data protection compliance is a critical component of due diligence. Non-compliance with the LPDP can lead to significant legal and financial consequences, which is why these principles must be understood and applied in every business activity that involves personal data.

For more detailed information on the LPDP and the principles of lawful data processing, you can refer to ASY Legal's articles on Personal Data Protection in Turkey and 8 Principles for Lawful Personal Data Processing.

2. Importance of Data Protection in M&A Transactions

One of the critical challenges in M&A transactions is securing the data rooms used for due diligence. These virtual spaces, where sensitive corporate information is stored and shared, are accessed by third parties such as prospective buyers and their legal and financial advisers. Every additional party with access widens the exposure, so access control, logging and the removal of personal data that is not strictly needed for the review are paramount to the security of these data rooms.

Beyond the risks of the due diligence phase, the very nature of an M&A transaction, which transfers ownership and control of a company, inherently entails a transfer of data. This raises significant privacy concerns, as data collected and controlled by one entity (the target) passes to another (the acquirer). Ensuring that this transition complies with data protection law, particularly where personal data is involved, is a complex and vital aspect of the transaction.

During the post-merger integration phase, aligning the data protection policies of the merging entities is equally crucial. The acquirer must not only understand the target's data protection practices but also integrate them into its own framework. This means reconciling differences in data handling, storage and processing, while maintaining continued compliance with the LPDP and any other applicable data protection regulations.

Cross-border mergers add another layer of complexity. The LPDP addresses cross-border data transfers by requiring explicit consent unless certain conditions are met. A significant practical obstacle is that the Personal Data Protection Board (the Board) has never published a definitive list of countries deemed to provide adequate data protection.

In the absence of that list, the "adequate country" route under Article 9/2 of the LPDP cannot be relied upon for any destination, including countries subject to the GDPR. In practice, a transfer without explicit consent therefore depends on a written undertaking of adequate protection by the controllers in Turkey and abroad, approved by the Board, which complicates cross-border data transfers in a deal. (Note that Article 9 was subsequently amended by Law No. 7499 of March 2024, which introduced adequacy decisions and appropriate safeguards such as standard contracts; transactions structured after that date should be assessed under the amended regime.) For more information, please refer to our previous articles on this subject here.

3. Recent Constitutional Court Case Highlights the Importance of Due Diligence

In the realm of mergers and acquisitions, the significance of thorough due diligence cannot be overstated, particularly when the target company belongs to a high-risk data group. Companies such as hotels, tourism agencies and hospitals process vast quantities of personal data and are correspondingly exposed to data breaches and legal violations. Such breaches are especially critical in M&A transactions because they may not have been detected by the target, let alone reported to or sanctioned by the Board, before closing. An undetected breach can lead to substantial challenges after the acquisition, where the new owner may face administrative fines for the conduct of its predecessor.

A pertinent case illustrating these risks involves a global hotel chain's experience in Turkey. The case, decided by the Turkish Constitutional Court, highlights the complexities and legal ramifications of such a scenario.

a. The Case Overview & Background

The Constitutional Court's decision dated 12.10.2023 (application no. 2020/7518), published in the Official Gazette on 15.12.2023, concerned an administrative fine imposed by the Personal Data Protection Authority (the DPA) on a global hotel chain for failing to ensure data security. The chain applied to the Constitutional Court claiming that the fine, and the courts' handling of its objections, infringed its right to property.

The issue originated on 08.09.2018, when a breach of the guest reservation database of a company acquired in 2016 was detected. The breach, affecting the personal data of some 500 million customers, had gone unnoticed since the unauthorised access began in July 2014, i.e. before the acquisition. The new owner of the hotel chain notified the DPA of the breach, as it affected Turkish citizens.

b. DPA's Decision and the Fine

After its review, the DPA imposed a fine totalling TRY 1,450,000 on the hotel chain: TRY 1,100,000 for failing to take the data security measures required by Article 12/1 of the LPDP and TRY 350,000 for the delayed breach notification required by Article 12/5 of the LPDP. The DPA rejected the chain's argument that the breach predated the acquisition and treated the chain, as the current data controller, as the party liable for it.

c. Legal Challenges and Court Decisions

The hotel chain contested the fine on several grounds, including misapplication of the LPDP, defective service of the DPA's decision, and the imposition of the fine at the maximum level. Its central claim, however, was that the breach occurred before the acquisition, during the previous owner's tenure.

Relying on the principle of the individuality of penalties, the chain argued that any penalty should be addressed to the party responsible at the time of the breach. It further argued that it had not been late in notifying the DPA, since the LPDP itself sets no time limit for such notifications.

The Istanbul Anatolian 1st Criminal Court of Peace, and on appeal the Istanbul Anatolian 2nd Criminal Court of Peace, dismissed these objections and upheld the DPA's decision. However, neither court gave adequate reasons for its judgment, and the appellate court did not explain why the objections were rejected at all.

d. The Constitutional Court's Ruling

The hotel chain then lodged an individual application with the Constitutional Court. On review, the Court underscored the right to property, the requirement that any interference with that right be proportionate, and the obligation of the courts to give reasoned judgments explaining why a particular decision was reached. It found that the failure of the lower courts to properly assess the chain's claims against the DPA's decision violated that right, and ordered a retrial, emphasising the need for an effective judicial review of the DPA's decisions.

e. Future Implications on Data Protection in M&A Transactions

This case highlights the crucial role of effective judicial review of administrative fines in data protection matters. The decision lends support to long-standing criticism that criminal courts of peace are ill-suited to handling such matters and that jurisdiction should lie with the administrative courts instead.

It is important to note, however, that the Constitutional Court's decision does not mean that the DPA's fine was unlawful; the Court found that the fine had a legal basis. The application was upheld because of the insufficient reasoning of the first-instance courts, not because of the substance of the fine.

The implications of this ruling for M&A transactions are nonetheless far-reaching. Precisely because the Constitutional Court found the DPA's fine to have a legal basis, the decision underlines the critical importance of meticulous due diligence on the data protection practices of target companies. This is especially pivotal for targets in high-risk data groups, where an undetected breach can carry significant legal and financial consequences for the acquirer.

The substantial fines imposed in this case are a stark reminder of the possible repercussions. Acquirers are therefore compelled to rigorously assess the data security measures of potential targets, including whether past incidents have been identified, contained and notified. This not only mitigates risk but also supports strict compliance with data protection law, shielding the acquirer from liabilities and fines inherited with the target.

4. Administrative Fines for Data Protection Breaches

The recent Constitutional Court case shows the significant role administrative fines play in data protection enforcement. Depending on the nature of the violation, the upper limits are in the range of TRY 10,000,000 (the statutory amounts in Article 18 of the LPDP are revalued each year, so the current figures should be checked). The DPA has discretion in setting the exact amount, taking into account the specifics of each case, the nature of the infringement and the economic condition of the perpetrator, which makes such fines difficult to contest and have revoked.

For M&A transactions, it is critical to be aware that non-compliance with data protection rules can result in substantial fines; in certain cases they may exceed TRY 3 million per breach or instance of non-compliance. This underlines the importance of verifying that the target company adheres strictly to data protection law so that such penalties are not inherited.

Administrative fines can be challenged, and recent court rulings suggest that some fines imposed by the DPA have not adequately considered the nature of the infringement or the economic condition of the controller or processor. Consequently, there is growing emphasis on the fair and proportionate imposition of fines that reflect the specifics of each case. As the case reviewed above shows, however, challenging a fine can be a lengthy process: even where the fine is contested in court, the fined entity must first pay it and then await the court's ruling for any reimbursement, which presents a significant burden.

5. Ensuring Compliance During and After M&A Transactions

Given these risks, ensuring compliance with data protection law during and after an M&A transaction is crucial to avoid administrative fines and legal disputes. This involves several key strategies:

  1. Rigorous Due Diligence: Conduct thorough checks on the target company's data protection policies and practices. This includes reviewing its compliance history, its data handling procedures, any past data breaches (whether or not they were notified to the Board), and any pending or concluded Board decisions or proceedings concerning the target.
  2. Comprehensive Data Audits: Map the data that will be transferred in the transaction, identify any personal data, special-category data or otherwise regulated data, and confirm that each transfer, including any cross-border transfer, has a valid legal basis under the LPDP.
  3. Employee Education and Training: Educate and train everyone who will have access to sensitive data, including deal-team members with access to the data room, in proper data handling and compliance procedures. This is vital to prevent accidental breaches or non-compliance.
  4. Implementing Robust Data Protection Policies: Develop and implement data protection policies that align with current legal standards, and communicate and enforce them consistently across the merged entity.
  5. Regular Compliance Reviews: After the merger, regularly review and update data protection practices to maintain ongoing compliance, monitoring changes in data protection law, such as amendments to the LPDP, and adjusting policies accordingly.
  6. Engagement with Data Protection Experts: Engage legal experts or data protection officers to provide ongoing guidance and support in maintaining compliance.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.