When conducting a Due Diligence followed in M&A (Mergers & Acquisitions), among other things, personal data included in the documents of the parties involved are processed. The personal data usually belong to third natural persons (or even partnerships in whose name the name of the current partner appears). When checking these documents, it is necessary for companies to comply with the GDPR requirements regarding the protection of personal data, as well as to keep relevant documentation already from the beginning of the procedures, in order to mitigate or reduce their risk and liability as much as possible, taking into account that among other things the documents usually include critical financial data of the subjects concerned.
The main steps that companies must follow during an M&A, assisted by the necessary specialized legal support, include:
- Collecting the documents to be reviewed through due diligence and mapping the categories of data included in them.
- Checking whether the data subjects have been properly informed of the purposes for which their personal data is processed.
- Introduction of pseudonymization or anonymization techniques, where feasible.
- The conclusion of a data processing contract between the parties, including data protection conditions at the start, duration and end of the P&A, the purposes of the processing and the adoption of appropriate conditions regarding any transfers to third countries or the signing of appropriate EU Standard Contractual Clauses (SCCs).
- Selecting a data room that provides appropriate security guarantees for data protection and entering into a Data Processing Agreement (DPA) with the company that holds the licence to use it.
- Informing data subjects about the processing of their personal data when signing the sale/transfer and transferring the data to the new company.
- Transfer of personal data to the buyer for business continuity purposes.
- Adopting appropriate Policies and entering into appropriate data processing agreements with the buyer regarding the personal data collected by M&A.
The above steps and the drafting of appropriate legal documents can form the foundation for building a strong data protection framework at all stages of Due Diligence.
However, the execution of the above steps will not in itself lead to full compliance and implementation of the GDPR requirements at a substantive level: a prerequisite for companies involved in M&A is also the internal adoption of compliance measures to meet data protection proxies.