Since 25 May 2018, any corporation “established” within the European Union (EU) that processes personal data has to comply with the General Data Protection Regulation (GDPR).1 Notably, the regulation does not only apply to companies within the territory of the EU; it also covers entities outside the EU whose processing activities relate to the offering of goods or services to natural persons in the EU or to the monitoring of the behaviour of these individuals within the EU. The material scope is, however, limited to “personal data,” defined as any information relating to an identified or identifiable natural person.2 Another peculiarity of the GDPR is the heavy fines for non-compliance of up to 20 million EUR or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher.3
A recent PwC Pulse Survey showed that over half of US multinationals rank GDPR as their top data-protection priority, and 68% said they will invest between $1 million and $10 million in compliance.4
M&A Transactions & GDPR Compliance of Target Company
Obviously, this harsh and far-reaching legal framework has a strong impact on business transactions, in particular M&A transactions. A company that acquires or merges with a target company has to pay careful attention to the target’s GDPR compliance status, and data compliance issues carry considerable weight in the evaluation of the target. First, the compliance status of the target needs to be addressed. There are several indicators that show whether the target has demonstrated compliance with the GDPR. One is the designation of a data protection officer (DPO)5. Apart from public authorities and bodies, for which a DPO is always mandatory, a DPO is only required if the core activities of the controller or processor consist of regular and systematic monitoring of data subjects on a large scale, or of processing on a large scale of special categories of data (“sensitive data”, i.e. data revealing racial or ethnic origin, political opinions etc.6 ) or of personal data relating to criminal convictions and offences. Hence, banks, hospitals and insurance companies are very likely obliged to appoint a DPO.7 Therefore, in the course of an acquisition of a target operating in these sectors, the designation of a DPO plays a crucial role in determining GDPR compliance. Failure to designate a DPO where required by law can lead to administrative fines of up to 10 million EUR or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.8 Having said that, if a company decides not to appoint a DPO, the reasoning behind that decision should be documented and kept in the records, because the buyer will want to see why the target concluded that the obligation does not apply.
Record of Processing Activities
Another indicator of compliance is the existence of a record of processing activities; both controller and processor have to keep such a record. The controller’s record has to contain the name and contact details of the controller and, where applicable, of the DPO, the purposes of the processing, the categories of data subjects and of personal data, the categories of recipients, transfers to third countries, where possible the envisaged erasure periods, and a general description of the technical and organizational security measures protecting the data. The processor’s record is narrower: it covers the processor and each controller it acts for, the categories of processing carried out on their behalf, third-country transfers and the security measures.9 In the course of assessing the target company, watch out for the exception for companies employing fewer than 250 persons. These companies do not have to maintain a record of processing activities unless the processing they carry out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data or personal data relating to criminal convictions and offences.10 In practice the exception is narrow and hard to rely on, because almost any business processes employee or customer data more than occasionally, and assessing whether processing is “likely to result in a risk” is a judgement call. Thus, when assessing a target, the buyer should insist that the target keeps a record even though the exception might apply. If the target refuses, this has to be reflected in the drafting process and in the price evaluation, in light of the rigorous fines11 attached to a missing record.
Data Protection Impact Assessment
Further, certain companies need to carry out a data protection impact assessment (DPIA). Where the processing of data is likely to result in a high risk to the rights and freedoms of natural persons, the controller has to undertake, prior to the processing, an assessment of the impact of the envisaged processing operations on the protection of personal data.12 In particular, this assessment is required where a systematic and extensive evaluation of personal aspects of natural persons, including profiling, is based on automated processing and produces decisions with legal or similarly significant effects for these individuals. Likewise, an assessment is required when processing special categories of data on a large scale, or when systematically monitoring a publicly accessible area on a large scale.13 The Belgian Privacy Commission was one of the first authorities to publish, pursuant to Art. 35 GDPR, a list of examples of processing operations for which a data protection impact assessment is mandatory. This is significant when assessing a target company active in the related fields of industry. The so-called draft black list, which is subject to change, includes types of processing such as the use of biometric or genetic data and processing aimed at evaluating the financial solvency of data subjects. Thus, especially when acquiring companies in the fields of banking, biotechnology and biometrics, the topic of the data protection impact assessment has to be addressed properly. In contrast to the record of processing activities, the size of the company does not constitute an exception from the duty to conduct a data protection impact assessment. In addition, where the assessment results in a high risk that cannot be mitigated by reasonable means, the controller is obliged14 to consult the supervisory authority prior to the start of the processing activities. In sum, when assessing the target, it should be ascertained whether the company carried out a data protection impact assessment and, if not, why not. This applies with even more diligence in the industries mentioned above, and clear documentation of the process is indispensable.
Technical & Organizational Measures
Another aspect of demonstrating compliance is the existence of technical and organizational measures. Controller and processor have to implement appropriate technical and organizational measures to ensure, and to be able to demonstrate, that processing is in compliance with the GDPR.15 However, the GDPR does not refer to a fixed catalogue of measures that have to be implemented. Technical measures include data protection by design and by default.16 Such measures could include minimizing the processing of personal data, pseudonymising personal data as soon as possible and enabling the data subject to monitor the data processing.17 Organizational and technical measures can take various forms and, thus, have to be assessed on a case-by-case basis. There are no hard and fast rules, but clear documentation of periodic auditing and review procedures should be looked for when assessing the target company: a one-off list of controls without evidence that they are tested and maintained says little about actual compliance.
Controller Obligations & Data Subject
The next set of points consists of the obligations of the controller towards the data subject. The GDPR requires that where personal data concerning a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with specific information. This information has to include the identity and the contact details of the controller, the contact details of the DPO (if applicable), the purposes of the processing as well as its legal basis, the existence of automated decision-making, including profiling, the recipients or categories of recipients of the personal data, whether the controller intends to transfer personal data to a third country or international organization, and the existence of the data subject’s rights, including the rights of access, rectification, erasure and objection.18
Similar information rights are guaranteed where personal data have not been obtained from the data subject. In addition, the data subject has the right to obtain from the controller confirmation as to whether or not personal data relating to him or her are being processed and, if so, access to those data.19 Independently, the data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.20 Further, the data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller has the corresponding obligation to erase personal data without undue delay where the personal data are no longer necessary for the purposes for which they were collected, the data subject withdraws the consent on which the processing is based, the data subject legitimately objects to the processing, the personal data have been unlawfully processed, or the personal data have to be erased for compliance with a legal obligation under EU or Member State law.21 Any single one of these grounds is sufficient to trigger “the right to be forgotten.”
During due diligence, it is crucial to examine whether the target has internal policies and mechanisms covering each of these obligations, and then to determine whether those policies and structures actually meet the high threshold the GDPR sets, for example whether the target can locate and erase all copies of an individual’s data across its systems within the required time. If they are lacking, internal policies and organizational structures have to be amended or adopted, and depending on the severity of the exposure this will likely have an impact on the due diligence report and on the transaction.
GDPR & Consent
A particularity of the GDPR is the strict requirement for obtaining valid consent of the data subject for the processing of personal data. Consent means any freely given, specific, informed and unambiguous indication of the data subject’s wishes.22 Consent is not considered freely given where there is a clear imbalance between the data subject and the controller; the data subject must have a genuine and free choice and must be able to refuse or withdraw consent without detriment. Further, consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite this being appropriate in the individual case, or if the performance of a contract is made dependent on consent that is not necessary for such performance.23 For consent to be informed, the data subject should at least be aware of the identity of the controller and of the purposes of the processing for which the personal data are intended.24 In addition to the general requirements of valid consent, the GDPR sets forth that, if consent is given in a written declaration that also concerns other matters, the request for consent has to be presented in a manner clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. The data subject has the right to withdraw consent at any time and must be informed of this right before giving consent. Moreover, it must be as easy to withdraw as to give consent.25
Hence, in the course of assessing the target, privacy policies and documentation of consents, as well as the general terms and conditions (GT&C) of the business, need to be reviewed. GT&C in particular should be reviewed strictly in light of the GDPR, since consent buried in standard terms will rarely meet the requirements above. In this context, it is essential to note that the GDPR provisions on consent leave room for Member State differences. These include the minimum age at which a child can consent to information society services26, the basis of consent in an employment context27, and national rules providing that the prohibition on processing sensitive data cannot be lifted by the data subject’s consent28. National data protection law therefore remains significant and should always be considered in the analysis.
M&A and Data Transfer
Essential aspects in terms of M&A transactions are the GDPR rules on the transfer of personal data to third countries. One situation where they become relevant is a contemplated cross-border data transfer from the acquired company to its new group companies located in third countries. One has to distinguish between transfers that do not require authorization of the supervisory authority and those that do.
In general, the transfer of data within the EU is free from transfer restrictions, although a lawful basis for the processing is always necessary. A transfer of personal data to a third country may take place without authorization of the supervisory authority where the European Commission has decided that the third country ensures an adequate level of data protection.29 At the time of writing, the European Commission had confirmed adequacy for the following countries and territories: Andorra, Argentina, Canada (commercial organizations), Switzerland, the Faroe Islands, Guernsey, the State of Israel, the Isle of Man, Jersey, New Zealand and Uruguay. Further, recipients certified under the EU-US Privacy Shield were deemed to ensure an adequate level of protection.30 (The Privacy Shield decision was later invalidated by the Court of Justice of the European Union in July 2020 in Schrems II, so transfers that relied on it now need another mechanism.) It follows that an intragroup transfer of personal data from the EU to a US group company that is not covered by an adequacy finding needs another transfer mechanism, such as the appropriate safeguards described below, or else prior authorization of the competent supervisory authority.
In the absence of an adequacy decision, the transfer may still take place without authorization if appropriate safeguards are in place. Such safeguards exist where the controller or processor and the recipient have agreed upon standard data protection clauses adopted by the Commission, or adopted by a supervisory authority and approved by the Commission.31 However, these standard clauses must be used as adopted: the text may not be modified, although additional clauses that do not contradict them may be added. Another relevant safeguard are binding corporate rules in accordance with Art. 47 GDPR. These binding internal data protection rules, which have to meet the requirements set out in Art. 47 GDPR, need to be approved by the competent supervisory authority. Once approved, they permit the transfer of personal data within the group of companies, including to group members in third countries. Transfers that do not fall under Art. 45 or the safeguards of Art. 46 No. 2 generally require authorization of the supervisory authority, unless one of the narrow derogations for specific situations applies.
In conclusion, compliance with the GDPR requires a structured approach. Documentation of the decision-making process on GDPR provisions that allow leeway and carry uncertainty is essential. If the target shows no indication of compliance or does not provide the necessary documentation, purchase price adjustments should be considered. It is recommended to calculate a “margin of safety,” because not only does non-compliance expose the buyer to rigorous fines in the future, but the measures needed to become compliant (e.g. organizational and technical measures, governance structures) might also negatively affect the target’s business model. Issues with intragroup transfers of personal data to a third country after the acquisition of the target need to be addressed and handled properly. A cyber due diligence should reflect all these issues. From a buyer’s perspective, specific indemnity clauses relating to data protection breaches should be included in the transaction documents to compensate for GDPR non-compliance.
- Regulation (EU) 2016/679 of the European Parliament and the Council.
- Art. 4 No. 1 GDPR.
- Art. 83 No. 5 GDPR.
- Pulse Survey: US Companies ramping up General Data Protection Regulation (GDPR) budgets.
- Art. 37 GDPR.
- See Art. 9 No.1 GDPR.
- See Guidelines on Data Protection Officers (DPOs), 13 December 2016.
- Art. 83 No. 4 GDPR.
- Art. 30 No. 1 and 2 GDPR.
- Art. 30 No. 5 GDPR.
- Art. 83 No. 4 GDPR.
- Art. 35 No. 1 GDPR.
- Art. 35 No. 3 GDPR.
- See Recital 94 GDPR.
- Art. 24 and Art. 28 GDPR.
- Art. 25 GDPR.
- See in detail Recital 78 GDPR.
- See in detail Art. 13 No. 1 and 2 GDPR.
- See Art. 15 GDPR.
- Art. 16 GDPR.
- Art. 17 GDPR.
- Art. 4 No. 11 GDPR.
- Recital 43 GDPR.
- Recital 42 GDPR.
- Art. 7 GDPR.
- See in detail Art. 8 GDPR.
- See Recital 155 GDPR.
- Art. 9 No. 2 (a) GDPR.
- Art. 45 GDPR.
- See Commission Implementing Decision (EU) 2016/1250 of 12 July 2016.
- Art. 46 No. 2 (c), (d) GDPR.