Mäkitalo Attorneys Ltd, Paul Durac, Associate
IMPORTANCE OF DATA PROTECTION IN ACQUISITIONS – FROM MULTIDIMENSIONAL REGULATION TO A PRACTICAL TOOL
The General Data Protection Regulation (GDPR) came into force in 2018. The GDPR changed the business landscape in a way whose full extent many have yet to comprehend. In acquisitions, the processing of personal data must be taken into consideration already in the due diligence phase, even more than before. The GDPR does not differentiate between acquisitions and business in general; the same conditions and obligations apply to both. This article covers the main issues to consider in terms of data protection specifically in business acquisitions.
How and on what principles is personal data processed?
At the core of processing personal data is the requirement for a lawful basis for the processing. Article 6 of the GDPR defines several principles for processing, of which only one is practically applicable in acquisitions: the data subject’s consent. A data controller must always have a valid lawful basis for processing personal data. However, the criteria defined in the GDPR, such as the statutory obligation of the controller or the legitimate interest of the controller or the third party, cannot be relied on as a lawful basis for processing personal data in acquisitions. Accordingly, in these cases, the data subject’s consent is the only reasonable and practical basis. In acquisitions and especially in their due diligence phases, the seller transfers employees’ or management’s personal data to the buyer. For this to take place in compliance with the GDPR, the data subject’s consent must be acquired before transferring any data.
However, the GDPR offers other, additional mechanisms to further safeguard the disclosure of personal data. Before any due diligence process or other tasks regarding the acquisition are commenced, the parties must draft and sign data protection agreements. These agreements specify that personal data may be transferred only by predefined means; that only the agreed-upon personal data is transferred (for example name, contact information, and position in the organization); and how confidentiality obligations apply throughout the life cycle of the acquisition process.
Is processing and transferring the personal data necessary?
One of the main principles of the GDPR is data minimization. In all activity involving the processing of personal data, an assessment must be made to determine whether it is necessary to process the personal data, on what basis the personal data is processed, and to what extent the personal data must be processed. The principle is simple: if it is not absolutely necessary to process a specific item of personal data, do not process it. The same basis applies in acquisitions, and the parties must also consider whether the processing of personal data is necessary at all to complete the acquisition.
In acquisitions, redacting personal data is a customary and commonly used method of tackling personal data issues. The seller may avoid sharing or transferring personal data in breach of the GDPR by redacting from the documentation all information that can be used to identify a person. As mentioned above, especially in the due diligence phase of the process, documents often include the seller’s employees’ personal data, such as names and contact information. It is then necessary to consider whether that information is required for the due diligence and acquisition process at all. On the other hand, it is clear that publicly available information, such as (usually) the names and positions of company management, can be freely transferred. Nevertheless, in acquisitions, as in any other situation where personal data is processed, the premise should be that no personal data is transferred or processed unless it is essential to the acquisition or to the business process in question.
Data protection and completing the acquisition
When the acquisition is completed, the employees’ personal data can be officially transferred to the buyer, along with responsibility for the personal data register. From this point forward, the buyer is obligated to take care of processing the personal data of the employees who have become part of the buyer’s organization as a result of the acquisition. The buyer is also obligated to update the registers and other documentation accordingly. The seller may still have access to the transferred personal data if, for example, the obligation to pay salaries has not yet been transferred to the buyer. In this case the parties must conclude an adequate data processing agreement that covers the whole transitional stage.
Data protection and privacy are often seen as part of compliance. Although this is technically true, data protection must be viewed as a separate area of business in its own right. Data protection does not only mean the privacy policies on the company’s website. It is a multidimensional system which can, however, be implemented simply and with little effort, as long as it is accounted for during the early stages of any business activity. Ignoring data protection in acquisitions is a risk like any other, and it is clear that preparing a clear plan and data protection measures is in the interest of both parties, rather than risking sanctions amounting to millions of euros.
Zapflow by Mandatum is a digital ecosystem built by Mandatum and the Finnish software company Zapflow. Aimed at private equity investors and other industry participants, the ecosystem makes it possible to manage all investment activity through a single platform. Through it, users can manage deal flow, monitor target companies, run financing rounds and handle portfolio company reporting, as well as seek expert services and collaborate with different stakeholders.