M&A and GDPR – possible pitfalls when selling a business

As the GDPR's implementation recedes further into the rear-view mirror, factoring data protection into a range of business activities, including M&A, is the new normal. The increased obligations introduced by the GDPR, and the inevitable sharing of personal data in M&A transactions, mean that those involved in M&A must understand the data protection implications of each phase of the process.

This first article on M&A and data protection explores how a seller should look at an M&A transaction through the lens of GDPR compliance, and the steps it should take to ensure that due consideration is given to data protection across all aspects of the deal. A subsequent article will explore the same ground from the buyer's perspective.

Divesting? Take care around pre-completion disclosures of personal data

The first step of any M&A transaction will usually be due diligence of the target company (the "Target"). Along with the disclosure of contracts, financial documentation and other information required for a potential acquirer to conduct due diligence, there will almost always be a corresponding disclosure of personal data of a wide range of individuals connected with the business (such as employees, customers, suppliers, creditors or borrowers).

For the seller, as controller of that personal data, it is critical that the disclosure is lawful and consistent with the data protection principles set out in Article 5 of the GDPR:

  • lawfulness, fairness and transparency;

  • purpose limitation;

  • data minimisation;

  • accuracy;

  • storage limitation;

  • integrity and confidentiality; and

  • accountability (the controller must be able to demonstrate compliance with the other principles).

In practical terms, these principles require the seller to ask itself the following questions.
What personal data is being disclosed and why?

The seller must ensure that personal data disclosures are relevant and limited to what is necessary (data minimisation principle).

In practice, analysing the personal data and cleansing it, by removing, redacting or anonymising any personal data that is not necessary for the purpose, will usually be required to satisfy the minimisation principle. For example, it may be necessary to disclose the employment contracts of senior management, but not those of business support staff.

In addition, sellers may consider limiting the personal data disclosed to the early bidder pool and phasing access, so that fuller disclosure is made only to a preferred bidder at a later stage of the process.
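As an added illustration of the cleansing step described above (example code written for this article, not the tooling of any data room provider or of the author's firm), the following Python script takes a constructed HR export, discloses individual records for senior management only, replaces the direct identifier with a keyed pseudonym that only the seller can link back, keeps just the fields on an allowlist of diligence-relevant fields, reduces everyone else to headcount and payroll totals, and writes an audit log of what was removed. The sample records, the field allowlist, the grade boundary and the secret key are all assumptions made for the example; the real lists are a matter for the deal team and the seller's privacy function.

```python
import hashlib
import hmac
import json

# Constructed sample export from a hypothetical HR system. Not real people.
EMPLOYEE_RECORDS = [
    {"employee_id": "E1001", "name": "A. Example", "role": "Chief Financial Officer",
     "grade": "senior_management", "salary": 185000, "notice_period_months": 12,
     "home_address": "1 Sample Street", "bank_account": "GB00EXMP00000001",
     "national_insurance": "QQ123456A", "email": "cfo@example.invalid"},
    {"employee_id": "E1002", "name": "B. Example", "role": "Head of Sales",
     "grade": "senior_management", "salary": 140000, "notice_period_months": 6,
     "home_address": "2 Sample Street", "bank_account": "GB00EXMP00000002",
     "national_insurance": "QQ123457B", "email": "sales@example.invalid"},
    {"employee_id": "E2001", "name": "C. Example", "role": "Office Administrator",
     "grade": "support", "salary": 28000, "notice_period_months": 1,
     "home_address": "3 Sample Street", "bank_account": "GB00EXMP00000003",
     "national_insurance": "QQ123458C", "email": "admin@example.invalid"},
]

# Assumed allowlist: the only fields a bidder needs at the diligence stage.
# An allowlist (rather than a list of fields to strip) means a new HR column
# added later is withheld by default instead of leaking into the data room.
FIELDS_NEEDED_FOR_DILIGENCE = {"pseudonym", "role", "grade", "salary", "notice_period_months"}
# Assumed grade boundary: only these grades are disclosed at individual level.
DISCLOSED_GRADES = {"senior_management"}
# Direct identifiers that must never appear in the disclosed set.
DIRECT_IDENTIFIERS = {"employee_id", "name", "email", "national_insurance",
                      "bank_account", "home_address"}


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 pseudonym. Stable for the seller, who holds the key,
    so records can be re-linked after completion; a bidder who only sees the
    data room cannot reverse it. Truncated to 16 hex chars for readability."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def minimise_for_data_room(records, key: bytes):
    """Return (disclosed_records, aggregate_by_grade, audit_log).

    Individual-level records are produced only for DISCLOSED_GRADES, with the
    employee_id replaced by a pseudonym and every field outside the allowlist
    dropped. All other staff are reduced to per-grade headcount and payroll
    totals. The audit log records each removal to support the seller's
    accountability record."""
    disclosed, aggregate, audit = [], {}, []
    for rec in records:
        if rec["grade"] not in DISCLOSED_GRADES:
            agg = aggregate.setdefault(rec["grade"], {"headcount": 0, "total_salary": 0})
            agg["headcount"] += 1
            agg["total_salary"] += rec["salary"]
            audit.append({"employee_id": rec["employee_id"], "action": "aggregated",
                          "fields_removed": sorted(rec)})
            continue
        out = {"pseudonym": pseudonymise(rec["employee_id"], key)}
        removed = []
        for field, value in rec.items():
            if field in FIELDS_NEEDED_FOR_DILIGENCE:
                out[field] = value
            else:
                removed.append(field)
        disclosed.append(out)
        audit.append({"employee_id": rec["employee_id"], "action": "pseudonymised",
                      "fields_removed": sorted(removed)})
    return disclosed, aggregate, audit


def leaks_identifier(disclosed) -> bool:
    """Pre-upload check: True if any disclosed record still carries a direct identifier."""
    return any(set(rec) & DIRECT_IDENTIFIERS for rec in disclosed)


if __name__ == "__main__":
    # Constructed key for the example. In practice the key stays in the seller's
    # key store and is never placed in the data room or shared with bidders.
    key = b"seller-only-secret-for-example"
    disclosed, aggregate, audit = minimise_for_data_room(EMPLOYEE_RECORDS, key)
    assert not leaks_identifier(disclosed), "refusing to upload: identifier present"
    print(json.dumps({"disclosed": disclosed, "aggregate": aggregate}, indent=2))
    print(json.dumps(audit, indent=2))
```

The audit log is as important as the cleansed output: it is the evidence that the seller applied the minimisation principle deliberately, and it can be produced alongside the legitimate interests assessment if a regulator asks how the disclosure was scoped.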

What is the lawful basis for disclosure, and how can it be demonstrated to a regulator that it has been considered?

The seller must disclose personal data lawfully (lawfulness principle).

A seller must satisfy itself that the proposed disclosure falls within one of the lawful bases set out in Article 6 of the GDPR. In most M&A transactions the disclosure will be lawful because it is necessary for the purposes of the "legitimate interests" pursued by the seller (the sale of the business). That basis is not available, however, where those interests are overridden by the interests or fundamental rights and freedoms of the individuals concerned; in that case the disclosure will not be lawful.

In practice, where a seller relies on legitimate interests, it should carry out and record a "legitimate interests assessment" to confirm that the conditions of that basis are met. The written assessment can later be produced to demonstrate compliance (the accountability principle) if a regulator asks.

What do I need to do to protect the personal data which is disclosed?

The seller must use appropriate technical and organisational measures to ensure personal data is disclosed securely (integrity and confidentiality principle).

In practice, a seller should:

  • include appropriate data protection obligations on bidders and other involved parties in NDAs and transaction documentation;

  • ensure that any transfers to bidders outside the EEA are subject to appropriate safeguards (for example, standard contractual clauses); and

  • use only secure and reliable data room providers, and encrypt data where necessary.

Are the affected individuals aware that we are disclosing their personal data?

The seller must disclose personal data fairly and in a transparent manner (fairness and transparency principle).

For obvious reasons, in the context of a confidential M&A transaction, a stand-alone notification to data subjects of the proposed disclosure of their personal data may be undesirable if not impossible.

In practice, an explanation in the seller's privacy notice that personal data may be disclosed in the context of the sale of all or part of the seller's business should be sufficient notification to the affected individuals. The seller must therefore satisfy itself that its existing notices cover the proposed disclosure and that those notices have been communicated to the affected individuals in accordance with the GDPR. Sellers can future-proof their position now by reviewing their current privacy notice in advance of any M&A opportunity.