Turkish Law Blog
Privacy Issues in M&A Transactions & GDPR
Introduction: A look at the relationship between M&A phases and privacy law
Data protection and other privacy issues have been overlooked and underestimated for a long time and were thereby not at the top of M&A to-do list up until recent years. But after GDPR entered into force, the companies that are parties to M&A transaction started to pay more attention to data protection issues among other things considering the fact that the target company discloses various documents to the buyer company in M&A transaction and an inevitable privacy concern takes place as a result of this disclosure.
It goes without saying that intimidating amount of administrative fines in GDPR and other sanctions therein, has an immense effect on the companies falling under the GDPR and their compliance process. In this study, we tried to figure out the data issues that might be an impediment in front of each M&A phases.
Of course, it is important to mention that the data privacy matters take place depending on the structure of the M&A, for example if the matter is a share deal then probably there would be not any data transfer but in the case of an asset deal, then the parties must be careful on the data privacy. We will also scrutinize the matter by considering the possible data issues and GDPR.
A - Data Privacy Law for M&A
Taking into account applicable law and compliance level of target company will ultimately drive the possible cost of unforeseen consequences of M&A down. To drive these costs down, both parties of the transaction should take some measures by starting from the first step.
Step 1- Measures to be taken for Data Room
During the transaction, the target company populates various contracts, like employee contracts, financial contracts, and other documents into the Data Room, which are helpful for the buyer company to analyze and evaluate its risks. It goes without saying that this is one of the risky phases of the transaction in terms of data privacy by leading the huge disclosure. Recently, Data Room is established as a Virtual Data Room through an online service provider mostly based in a foreign country, thereby doubling the privacy concern as a consequence.
Considering the all above, it is obvious that the privacy issues will come up along the way and thus, it is so crucial to pay attention to applicable law and take some measures especially while populating the documents in Data Room.
Avoid disclosing sensitive data: Firstly, we can mention that the target company should avoid putting sensitive personal data in Data Room, unless it is particularly required otherwise. This measure has high importance since the sensitive data is subject to more restricted regulation compared to other ones. Thus, avoid disclosing sensitive data will considerably decrease the data protection risks.
Creating anonymized & statistical tables: The target company should create anonymized and statistical tables, if possible. Mostly the target company disclose its employees list including their wages, positions, etc. in the scope of transaction. In this process, creating the tables giving only statistical and anonymized information will be a highly recommended way to protect the rights of data subjects.
Of course, we should highlight that personal data can only be deemed as anonymized data where it is not possible to determine the data subject's identification by bringing the other information together in the Data Room. Thus, sometimes the implementation of this advice can be harder than its looks, yet this is a still helpful way to provide high protection to data subjects and decrease the data protection risks.
Template Employee Contract: If you are the target company, sharing a template representing your standard employee contract in the Data Room can be a better idea than sharing all your contracts for both parties. Because putting all employee contracts in Data Room by expecting the examination of all will cause a huge workload on behalf of the buyer company and besides that it increases the data protection risks for the target company. Please bear in mind that this section can also be applicable for standard customer or partner agreements, as far as it is possible.
Restricting and Monitoring Access: It goes without saying that confidentiality is one of the essential bases of whole M&A procedure therefore confidentiality must be considered from the first step until the end. Thus, the target company should grant access to limited people for Data Room, and they should also be monitored by the target company. Furthermore, forbidding or restricting to get copy of the documents in Data Room and binding all persons who have access to Data Room by confidentiality can be a few examples to this section.
Step 2 – Forecasting for Liability and Expenses
Understanding applicable law: Firstly, the buyer company should be informed about the applicable law and all the material or non-material liabilities therein, to avoid unforeseen consequences.
Secondly, the buyer should figure out the data protection compliance level of the target company. Where a non or semi-compliant target company is a part of M&A transaction, facing with the administrative fines and detriment to its reputation can be just the few implications that the buyer may have to face with.
Furthermore, if the personal data is considered as a fundamental driver of M&A, the buyer company should examine the target company’s compliance and security level in detail. Because if the target company has failed to meet the requirements, this failure might lead some negative consequences on the buyer company, like non-use of the data after the transaction. Moreover, in such a situation, the target company might be in a position where it should present extra effort and money for the compliance of coming database especially where the buyer and target have not signed any cost-sharing agreement.
As we mentioned foregoing the buyer company should be informed about the applicable law and the competition law is just one of the front runners where the target company has a gross database by its very nature, e.g. an online marketing company or social media company. In such a situation, the competition authorities might intervene in the transaction since the transaction can make the buyer capable to dominate and foreclose the other small- medium competitors by using these integrated databases.
During the transaction, it goes without saying that integrating database is not the easiest part of M&A, in particular where the database will be integrated through a cross-border transfer. In such a case, the differences between the applicable laws of the countries can be a risky impediment for your transaction so consulting your legal adviser in this step is crucially important. On the other hand, integration is also a hard part of transaction because of the IT problems; integrating a database can require significant IT expenses on the buyer company especially if the target did not exercise due care related to this matter.
Step 3 – Data Protection within the context of the Agreements
Share and Purchase Agreement & Transitional Agreement
Share and Purchase Agreement: It goes without saying that personal data is one of the values of the companies, especially for the companies operating in a B2C structure. Thus, in the signing phase, the parties should define and explain the all values as well as the data privacy risks in SPA through the representation and warranties like, IT assets and other values, detection results for compliance level, vulnerabilities, active claims and investigations if any, indemnities and remedies, maybe even assumptions and etc.
Transitional Agreement: There is always likely that the target company can continue processing data on behalf of the buyer after the closing since these are the long-term transactions and might take time. Thus, the parties should sign transitional agreements after closing phase to set out the data processing. The buyer company must ensure the data protection as a data controller in this case.
B- General Data Protection Regulation (GDPR)
As we all know, the administrative fines laid out in GDPR are significantly high and the companies falling under the GDPR must be careful in case of the transaction including personal data. Thus, we tried to explain the possible situations in M&A that you have to consider GDPR.
Controller: In the first place, the companies falling under the GDPR, as well as the parties to M&A, should identify all subjects involved in transaction to ensure the obligations and responsibilities as to GDPR. Because GDPR assigns different obligations and responsibilities to different roles so it is important to clarify the roles to avoid making mistakes. In this scope, for example, both the target and the buyer are most likely the data controller under GDPR as they are deciding the purpose and means of data processing. In this point, we should refer to Art. 26 of GDPR - ‘Joint Controller’ since in this case, the buyer and the target will most likely be the joint controller.
Processor: Mostly, a buyer or a target gets services from an advisor during M&A, e.g. this might be a law firm or a consulting firm, then the advisor most likely is the processor in this case since the advisor processes data on behalf of the controllers. Besides that, if M&A has been executing through a virtual data room then the data room provider is also the processor as to GDPR.
Lawful Basis: As we mentioned in the first section, a target company shares many documents including personal data while populating documents into data room. This means that the target company have to base one of the appropriate lawful bases in Art. 6 of GDPR. In this case, explicit consent, legitimate interest and performance of a contract would be the front runners.
Consent: In fact, ‘consent’ is not an appropriate option in M&A due to a few reasons. Firstly, M&A is generally executed in confidentiality by considering the commercial effects so getting consent will inevitably distort the confidentiality of the process.
Secondly, following up a consent procedure is not the easiest thing especially in case of a large-scale M&A, since the target company must reach to each data subjects.
Finally, a significant part of the documents in Data Room mostly consists of the employee contracts and ‘consent’ is not a plausible basis if there is an imbalance between the data subject and the controller. Thus, it is always a risk for the company to proceed basing on the employees’ consents. However, we have to mention that in case of a special categories data subject to Art. 9, explicit consent can only legitimize the process in this situation.
Legitimate Interest: Legitimate interest can be a legal ground in M&A. Both the target company and buyer company have the interest on transferring the data since the buyer needs the documents to evaluate the risks and values whereas the target company needs to send the documents to buyer company for proceeding the M&A. However, in the case of the legitimate interest is the legal ground for processing, there must be a balance between rights and freedoms of the data subject and the companies’ legitimate interest. It means that the companies’ legitimate interest ends where the data subjects’ rights start.
Performance of a Contract: This one also can be a legal ground if the contract requires the transfer of the personal data for the performance of the contract. For example, if customer contract must be transferred to the buyer for the performance of the contract so this basis can be a legal basis. However, the transfer must be limited to personal data which are required for the evaluation so some measures, like anonymization or pseudonymization have to be taken while transferring the data.
In a nutshell, in M&A procedure, firstly, the buyer company should be informed about the applicable law considering that the transaction might be subject to different jurisdictions.
The buyer should carefully examine the compliance level and risks related to data privacy of the target company in order to avoid facing with the unforeseen IT expenses.
During the due diligence process, the target should disclose the data in accordance with the purpose and the disclosure must be proportionate. Besides that, all the reasonable measure must be taken while populating the documents into the Data Room.
Reps and warranties in SPA must be written by considering the data privacy situation of the target company including risks, values, detections, claims and investigations and etc.
After closing, the buyer should be careful on the data integration and once the target is still processing data on behalf of the buyer, the transitional agreement must be signed for the data processing.
 Marriott International, the international hotel group is to be fined almost £100m by the Information Commissioner’s Office for negligence in the course of an acquisition procedure completed in 2016. (https://www.pwclegal.be/en/news/inadequate-data-protection-due-diligence-in-m-a-transactions-can.html)
 Please bear in mind that remote access granted to a third-party country is also considered as a cross-border transfer.
 Unfortunately, there are a few misunderstandings about ‘consent’. Firstly, most people think that ‘consent’ is a general basis compared to remaining ones in Art.6 so that their approach leads a misunderstanding as following “trying to get consent from the data subject should be the first option for data processing”. The second misunderstanding is “even where you have a lawful basis other than consent, you should still get consent, if possible, to be on the safe side”, however, these are huge mistakes.
‘Consent’ is not a general lawful basis so the remaining ones in Art.6 are not exceptional. Thus, if you have a lawful basis other than consent, you have to base on the relevant basis for data processing, otherwise your process will be illegal as the recital of GDPR says. Because, in such a situation, getting consent will manipulate the data subject by making him think that if he does not give his consent, you will not process his data, but the truth is you will process the data in any way.