Data protection in corporate transactions - Part 2: What matters from the negotiation phase to the closing of a corporate transaction.
In M&A transactions, comprehensive information on customers, suppliers and employees is transferred from the seller to potential buyers. As far as this information includes personal data, the protection of this data is becoming increasingly important. Especially after the General Data Protection Regulation (GDPR) has drastically aggravated the sanction possibilities compared to the former German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG), this also impacts all phases of the transaction process. In the following article I will state the consequences of data protection for transactions starting from the phase of negotiation to the closing. In the first part of my article, I already examined the impact of data protection on the due diligence process.
The phase of negotiation
Once the due diligence phase has been completed, the field has thinned out: from the due diligence round, there is usually only one prospective buyer still in talks. Acquirer and seller enter the next phase – the negotiations. In this phase, the buyer has a still greater interest in information with a higher degree of detail - in particular, additional value-relevant information in order to be able evaluating the purchase price but also warranties with regard to the target company to be considered in the sales and purchase agreement. Value-relevant information may also contain personal data on employees and business partners. At this point anonymized or pseudonymized data is often no longer sufficient and concrete personal data is required instead.
However, also at this stage, the acquirer's interest in information must be weighed against the employees' interest in protecting their personal data. A concrete consent of the individual to a transfer of data is still barely practicable and therefore, a possible recourse to legal enabling bases, in particular Art. 6 para. 1, lit. f GDPR, is essential. Even if the transfer of certain personal data to the acquirer may be necessary for evaluation purposes and thus, generally permissible, concrete personal data in the sales and purchase agreement and its annexes, e.g., lists of salaries or pension commitments, cannot usually be justified. Annexes to the relevant agreements are only permissible in the form of anonymized or pseudonymized lists.
Signing of the sales and purchase agreement
With the signing of the sales and purchase agreement, not only does the legitimate information interest of the acquirer increase further. Specific duties to provide information may also arise, which may even require knowledge of certain personal data. Depending on the type of transaction, this has different consequences regarding the transfer of data:
• Asset deal: In the context of an asset deal, individual assets of the target company are transferred to the acquirer. If this forms a transfer of business („Betriebsübergang“) within the meaning of section 613a of the German Civil Code (Bürgerliches Gesetzbuch, BGB), the employment agreements of the employees concerned are also transferred. Both the seller and the acquirer have a duty to inform the employees of such transfer of business. Therefore, in case the acquirer is in charge of informing the employees about the transfer of the business, it requires in any case the names of the employees and their addresses. In terms of data protection law, the transfer of this data constitutes a relevant data processing within the meaning of Art. 4 para. 2 GDPR.
Unless the respective employee objects to this transfer, the acquirer shall step into the rights and obligations of the respective employment relationship upon completion of the transaction (see below on closing of the transaction). In this case, the planned integration of the target company into the organizational structure of the acquirer also requires the transfer of certain personal master data - for example, in order to record them in a new (payroll) accounting program, to create e-mail addresses and system accesses. Overall, personal data of the employees concerned may be transferred as far as being required for the performance of the employment relationship (Section 26 para. 1, sentence 1 BDSG. In contrast to the data in connection with the duty to provide information pursuant to Section 613a para. 5 BGB, the point in time for the permissible transfer of personal data relevant for post-merger integration and further implementation of the employment relationship is only shortly before the closing of the transaction. In any case, only after it has been ensured that the employee does not object to the transfer.
• Share Deal: With the acquisition of the shares in the target company, the target company remains in existence with all its assets, including its employees. A mere change of shareholders does not result in a change of employer or a transfer of business. Accordingly, there is no corresponding obligation to provide information. However, steps of a post-merger integration can generally also be relevant in the case of a share deal. In order to ensure the smooth continuation of the employment relationship, the correspondingly required data must be transferred. Section 32 para. 1 BDSG is regarded here as justification for a transfer, possibly initially without informing the data subject. In each case, however, it must be weighed up which specific data are actually required for the concrete case.
Closing of the transaction
Closing means that the corporate transaction has been completed. Depending on the complexity, this point in time may be significantly later than the signing date. Which employee data may be transferred, again, depends on whether the transaction has been structured as an asset or share deal:
• Asset Deal: Unless an employee has objected to the transfer of business pursuant to Section 613a BGB, the employment relationships have been transferred to the acquirer. With the transfer of the assets, including such employment contracts, the personal data is also transferred to the acquirer. This is a "transfer" within the meaning of the GDPR. However, upon closing, the acquirer is no longer a "third party", but now is the employer. As such, it is entitled and even obliged to process data pursuant to Section 32 para. 1 BDSG in order to continue the employment relationship properly.
• Share Deal: As described above, there is no change of employer. Only the shares in the target company are transferred from the seller to the acquirer. Therefore, the company basically continues to exist, with regard to the legal relationships of the company, the legal entity remains the same. Thus, the acquirer is also not a “third party” within the meaning of the GDPR. Processing of employee data therefore does not require any justification under data protection law.
Weighing up information obligations and rights to information
Acquirer and seller have an interest in keeping their negotiations confidential, especially in an early phase of the transaction. If the seller as employer were obliged without exception to inform any individual employee of any disclosure of personal data, this would run counter to the need for confidentiality and pose a major risk to the transaction. Nevertheless, the principle of transparency under data protection law, which has been significantly strengthened by the GDPR, must be taken into account.
The GDPR basically provides for information obligations for both the seller and the acquirer vis-à-vis the employee (Art. 13 para. 3 and Art. 14 para. 1 GDPR). The appropriate point in time for informing the employee concerned about the specifically transferred personal data must be weighed up in the overall constellation.
We advise both buyers and sellers on data protection and corporate law throughout the entire process of a corporate transaction. Thanks to strong professional interlocking, we are able to offer tailor-made solutions in all sub-areas. I will be happy to answer any questions you may have.
Maren Bianchini-Hartmann, LL.M. (Fordham University School of Law)