Given the large amount of data processed during an M&A transaction in Germany, the question arises of how to design the transaction process so that it complies with the General Data Protection Regulation (GDPR).
In the absence of special provisions in the GDPR for M&A transactions, the same principles apply here as for any other data processing. The GDPR applies as soon as the purchasing or the selling company is based in the European Union.
Due to its extraterritorial effect, the GDPR must also be taken into account in corporate transactions in which the participating companies are based outside the EU. This is usually the case if the company to be sold offers its goods or services within the European Union and personal data are processed within that scope.
When the potential contracting parties get to know each other for the first time, they often prepare a so-called term sheet. This is when personal data is processed for the first time. In most cases, buyer and seller start talks in which the conditions and the tools used for the transaction are agreed upon. By entering into such negotiations, the parties involved already share responsibility for the processed data as defined by Art. 26 of the GDPR.
If the parties involved have appointed a data protection officer, that officer must be involved in all data protection-relevant issues right from the beginning.
Before an interested company starts Due Diligence, the parties should agree on the allocation of liability in case of a data breach. This is because, although the seller side discloses the majority of the data, both parties are initially jointly and severally liable. In addition, unlawful transfer of data to third parties must be prevented by clarifying from the outset the conditions for involving external service providers, for example regarding the establishment of virtual data rooms for performing Due Diligence.
The buying company usually has to inform those concerned about the processing of their personal data in accordance with Art. 14 GDPR at the beginning of the transaction process. This often conflicts with the interests of the transaction participants to carry out the company purchase confidentially. It becomes particularly problematic when legal requirements oblige the parties to keep the negotiations confidential (e.g. through the Securities Trading Act).
After Due Diligence has been completed, the question often arises of how to deal with gaps uncovered in the implementation of the GDPR at the target of the transaction and with the associated liability risk. In addition to a reduction of the purchase price, consideration should be given to an exclusion of the buyer's liability for any resulting damages.
The type of transaction agreed upon determines which data protection procedure is appropriate for the buyer after signing. In the case of a Share Deal, the buyer only has to inform affected parties again about data processing if this data is to be disclosed again as part of a corporate integration. In the case of an Asset Deal, on the other hand, the affected party must be informed, as the data processing is carried out by a legally different company.