The scope of the EU General Data Protection Regulation (GDPR) extends to M&A transactions. Sanctions for infringements of data protection rules include, amongst others, a fine of up to EUR 20 million or 4% of worldwide annual turnover. For compliance reasons, it is important to consider data protection requirements as early as possible in the M&A process and to ensure the relevant documentation is in place so as to exclude, or at least minimise, the risk of liability.
Early in the preliminary stages of any M&A transaction, it is generally recommended that clients extend their data protection statements to cover the transfer of personal data to third parties in connection with a disposal of assets, restructuring, merger or sale (“extension of declaration of purpose”). In addition, legal advisers should ensure that rules governing internal data transfer and processing are in place (“data processing agreements”).
The following checklist helps to ensure that the M&A process complies with data protection rules. However, it is not a substitute for specific professional advice. It is important that a professional evaluation and weighting of the requisite individual measures is undertaken and documented. Simply carrying out the actions listed below will not, on its own, result in full compliance and implementation of the GDPR’s requirements. Furthermore, it is necessary to identify the specific role and responsibilities of every person involved in the M&A process (sellers, buyers, advisers, service providers) within the meaning of the GDPR, in order to ensure that the obligations relating to the handling of personal data are determined precisely and complied with.