GDPR considerations in M&A transactions
Europe’s new General Data Protection Regulation (GDPR) came into force on May 25 and introduced unified EU rules on personal data protection. As nearly all companies obtain, store and/or process information about their business partners, customers, potential customers and employees, GDPR will have henceforth impact on M&A transactions, especially in light of the extraordinarily high fines that may be imposed for non-compliance.
From an M&A perspective, the scale of GDPR’s impact will depend on the characteristics of the business of the relevant target. Companies focusing on B2C business will more likely be in the possession of significant quantities of personal data, because their business largely depends on the company’s access to its customers. The more complex and detailed information a target company has about its customers, the better the chances that it can use them for its business. The more such information is collected and processed, the greater the risk of either non-compliance, or that a so-called data protection incident – for example data leakage – occurs.
DUE DILIGENCE
Since the adoption of GDPR, non-compliance by a target company has started to purport a risk for a buyer considering the potential fine amounts involved.
Hence a thorough review of the legal basis of the use of personal data, the existence of adequate internal privacy policies and the communication of various aspects of the data processing is required. The potential buyer will also need to identify the internal processes, action plans and possible GDPR related past or contingent breaches of the target company. Understanding the exact nature and puzzles of the target company’s business is also crucial, in order to identify the scope and type of the data that the target company stores or processes.
As such, the due diligence request list should include specific requests for information and documents in relation to the GDPR compliance of the target company.
In addition to the above, IT due diligence will likely play a more important role given that IT systems have an essential role in data protection, as the level of IT defence is already a key factor. From a compliance point of view, a secure and well-designed IT system will represent a remarkable value at a target company. From a business point of view, the integration of a more complex system of the acquired business with the acquirer’s business could cause additional costs and more technical difficulties.
TRANSACTION DOCUMENTS
A buyer is advised to negotiate more sophisticated representations and warranties (R&W) that should explicitly cover, for example, that the target company collects only personal data for which the company has an appropriate legal basis, which are absolutely required for the given purpose, and the data subjects are well informed. Another possible R&W could be that the data is stored only as long as absolutely required, and the data subjects are given the possibility to request correction or deletion of their data, and that such requests are actually and swiftly complied with. Further, R&W could also be negotiated to the effect that there are no and have not been any GDPR related investigations that could adversely affect the company.
If the due diligence review reveals that the target company does not comply with GDPR, it may affect for example the purchase price, as the buyer will need to invest into bringing the company into compliance after the closing of the transaction. In the case of identified possible breaches, adequate indemnities should also be included in the transaction documents.
As most CEE countries have not yet adopted the laws which are necessary to actually operate the GDPR system, it is still unclear whether additional local tasks or other burdens will be imposed on companies. Whereas it will not be feasible for the buyer to cover this risk in the sale and purchase contract of a currently pending acquisition, the buyer should still take it into consideration in its own business calculations when acquiring a localised company.