Data protection in corporate transactions - Part 1: Due diligence
Due diligence: What to look out for in data protection
In the course of a corporate transaction, comprehensive information about customers, suppliers and employees is regularly transmitted from the seller to interested parties. In the past, this often took the form of unfiltered and unredacted documents containing a large amount also of personal data. In the meantime, however, the protection of employee data has become comprehensively important. The General Data Protection Regulation (GDPR) has once again drastically tightened the sanction options compared to the German Federal Data Protection Act (BDSG). In the event of a breach, fines of up to EUR 20 million or four percent of the global annual group turnover are now the threat. Considering this, preparing and carrying out a transaction without taking data protection regulations into account would be grossly negligent.
In transactions, very different interests, rights and obligations clash: On the one hand, the seller has the right to sell his business organization or parts of it and, in this context, to provide interested parties with all important and value-relevant information. Potential buyers, on the other hand, need comprehensive information about the company at sale in order to be able to evaluate its significance and value in their own business context. Last but not least, employees have the right to determine and dispose of their own personal data.
What parameters to consider during due diligence
In particular, the following factors must be taken into account to consider the type and scope of data transmission:
• What type of transfer is involved: Share or asset deal
• In which phase the transaction is: (i) due diligence, (ii) negotiations until signing (purchase agreement with attachments), (iii) signing until closing, in particular in preparation for post merger integration.
• In what form the data is exchanged: in a physical or digital data room, with or without copying capability.
• To whom the data is transferred: to addressees with or without an obligation to professional secrecy; within or outside Europe?
The focus in this part of the article is on performing the due diligence, the first transaction phase. Here, there is often still a larger circle of addressees to enable several prospective buyers to examine the company in the context of a bidding auction. As a rule, it is not known which interested party will ultimately win the bid or whether a contract will be concluded at all. Precisely because this is the case, special care is required regarding employee data protection.
Basic principle of data protection
In data protection, the principle applies - prohibition with reservation of permission – therefore, any collection, processing or use of personal data requires either the consent of the data subject or a legal justification.
As a general rule, it is barely feasible to obtain the consent of the employees concerned. Often, a large number of individuals are involved. The consent of each individual must be informed and voluntary, and the voluntary nature is overall questionable because of the dependency relationship with the employer. The confidentiality of the transaction, especially at this early stage, may be particularly jeopardized as a result. Due to the employee's ability to revoke consent at any time for the future, this option also does not provide a reliable basis for the transfer of data.
As a result, a balancing of interests shall take place at this point within the test of lawfulness of processing of Art. 6 (1) f GDPR -.
"... processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data…".
For the commensurability test, it shall be taken into account which data are required for the company valuation; pure interest of the buyer beyond has no justification purpose. Protective measures and information obligations vis-à-vis the data subjects shall be taken into account, including special confidentiality agreements and the obligation to delete all data if the transaction fails.
Data of the members of the board of management or managing directors
The key terms in the employment contracts of board members and managing directors are usually of such central legal and economic importance for the potential buyer that even in the due diligence phase, in addition to the names of the board members or managing directors, in particular their annual compensation, bonuses, any pension commitments or any post-contractual non-competition clause can be made available to the interested parties.
In addition, board members and managing directors will often also have a strong personal interest in the transfer of their names or are actively involved in the transaction.
At least in smaller and medium-sized companies, a potential buyer will also have a strong interest in senior executives or other employees with key functions and will in any case request the essential data of their employment contracts, such as qualifications, contract terms, notice periods, remuneration structure, bonuses, pension obligations or post-contractual non-competition clauses. Unlike in the case of members of the management, however, at this point there will be no need for the prospective buyer to view the respective employment contracts or even the personnel file, but rather documents containing aggregated data. For insight into the personnel file, the employee concerned must give his written consent.
Information on other employees may regularly only be provided in anonymized or pseudonymized form, as their transmission by name will hardly be necessary for the company valuation. Anonymized salary lists and pension provisions are very important sources for potential buyers for the economic assessment of a company. However, especially in the case of small to medium-sized companies, there is often a risk that the reference to individual persons can still be determined. The lists would then not be considered to be anonymized. Therefore, if anonymization is not possible due to the size of the company, it should be examined whether only the advisers are given access to such data and they can prepare corresponding reports without stating names and without the possibility of drawing conclusions about individual employees. Especially, if a large number of interested parties still has access to the data room, access to other personal data should be restricted as far as possible.
Weighing up different interests
Sellers, buyers and employees have different interests. In this context, the protection of personal data is receiving more and more attention; on the other hand, information about employees is an important factor influencing the valuation. This constellation shall be carefully analysed in the run-up to a transaction and weighed up which personal data should be transferred at what point in process. Overall, only data that is actually relevant may be transmitted.
We advise both buyers and sellers on data protection and corporate law throughout the entire process of a corporate transaction. Thanks to strong professional interlocking, we can offer tailor-made solutions in all sub-areas. I will be happy to answer any questions you may have.
Maren Bianchini-Hartmann, LL.M. (Fordham University School of Law), Rechtsanwältin | attorney-at-law (New York)
For part 2 see:
Data protection in mergers & acquisitions transactions: What matters from the negotiation phase to the closing of a corporate transaction