Hot potatoes – Data protection in the context of a company acquisition

Defective data protection procedures undermine corporate values – from tarnishing the company’s own credibility (“data protection is important for us”) through necessary remedial measures to jeopardizing the business model. Acquisitions of such companies require caution – or in other words: How to save millions.

In M&As, personal data protection plays a role in many aspects:

In the context of due diligence, the client is focused on the first two points presented below. 
  

Risks arising from breaches of data protection issues have become more prominent, especially since the European General Data Protection Regulation (GDPR) came into force in May 2018. This is primarily due to the possible fines, which are explicitly intended as deterrence and can reach up to 20 million euros or 4 per cent of the group-wide turnover of the company violating the data protection regulations. One of the areas of focus of due diligence is therefore the assessment of the risk of the target having committed any personal data breaches in the past.

 

In addition to the risk of fines, any procedures of the target company that violate data protection laws will have to be stopped. If these are processes that are considered important, it is often impossible to stop them completely. A changeover to data protection-compliant processes, on the other hand, can be costly and may fail altogether. In this respect, due diligence should also focus on the examination of the company- and business-specific core processes for compliance with data protection laws.

 

The purchase of the Starwood Hotel Group by Marriott in 2016 can be cited as an example for “buying” data protection risks along with the acquiree. Due to inadequate security measures, unauthorised persons had been able to access customer data in Starwood's IT systems since 2014, including passport and credit card data. The access, which was still possible after the acquisition, was discovered by Marriott in 2018, and some 339 million customer records were affected worldwide. The UK’s data protection supervisory authority criticised the fact that Marriott's IT infrastructure was taken over without data security being investigated by the acquirer during or after the acquisition and announced that it would impose a fine of 99 million pounds. Finally, in late 2020, after Brexit was completed and in the midst of the coronavirus pandemic, a fine of 18.4 million pounds was imposed on Marriott.

 

The aim of data protection due diligence is therefore to shed light on the organisation of the data protection system of the target company, whereas the depth of the audit depends on the assignment and the time available. In particular, the following issues should be underlined:

 

Intuitive answers to individual questions do not necessarily work in the target’s favour; after all, the fact that there are no data breaches, for example, can also indicate that no attention is being paid to the issue, i.e. the company prefers not to take a closer look at data protection.

 

Although it is not possible to identify with certainty individual personal data breaches during an audit due to time constraints, the investigation does make it possible to assess whether the target has taken measures that could have been considered sufficient to detect a breach in the past – and thus to assess the data protection risks. Nevertheless, this cannot replace a more thorough examination of the effectiveness of the technical and organisational measures taken for data protection and data security purposes.

 

For the purpose of the due diligence process, information is disclosed to third parties – such as buyers, their advisors and banks – and such information can also contain personal data. Data protection rules must be observed also in this case.

 

The starting point is the question whether it is necessary at all to transmit personal data to a third party. Therefore, by aggregating data or by blackening, the personal reference and thus the need to apply data protection requirements may be eliminated.

 

If the transmission of personal data is necessary in a given case, there must be a legal basis justifying such transmission – also on the part of the prospective acquirer. Finally, the potential acquirer would commit a personal data breach if he received and processed data for which there is no legal basis. In most cases, conceivable is only the legitimate interest in the appropriate exploitation of the company's assets and, for this purpose, enabling an examination by prospective buyers. This interest must be weighed against the interests of the data subjects. Therefore, general statements on legitimacy cannot be made; it is rather the justification for the respective individual cases that matters.

 

It is also important to note that special categories of personal data (e.g. health data or information on trade union membership and religious or philosophical beliefs) are particularly protected and generally cannot be processed and transferred on the basis of a legitimate interest of the parties involved.

 

Finally, there are special obligations to provide information to data subjects when personal data are collected, Article 12 et seq. GDPR. In particular, if data are collected from third parties – i.e. if a prospective buyer receives the data from the target and not from the data subject himself – the data subject must generally be informed of this immediately. While the prospective buyer can still invoke derogation provisions, the target would, however, have to inform the data subjects that their data will be transferred to third parties as part of an M&A transaction. In the context of an actual transaction, this is not practical because of the effort involved and it is also undesirable because of the confidentiality that the parties usually want to safeguard. Therefore, (all) companies should include the topic of a potential transmission of personal data in the context of possible M&A transactions in general and without any specific grounds in their data protection policies.

 

Finally, the handling of data collected due to the audit procedure itself – for example, information who viewed which documents in an electronic data room, when, for how long – must be taken into account and implemented as part of the audit planning process.

Personal data breaches can lead to heavy fines or the prohibition of business processes. Therefore, the target’s compliance with data protection laws should be taken into account as part of the assessment of the risks associated with the target. This is all the more urgent the larger the amount and the more sensitive the type of data processed.