Data Protection in the Data Room: GDPR and M&A

All mergers and acquisitions - M&A - are preceded by a due diligence process. In most cases this starts with a discreet investigation and grows into a long shopping list of documents to be shared. These are typically placed in a virtual data room (VDR), an online repository of documents. Due diligence, or DD as M&A lawyers call it, generally involves the transfer of a significant amount of personal data, and therefore raises some important GDPR questions. In the next few posts we will discuss some of the main data protection challenges and their solutions. In this post, we look at the lawful basis for the data room.

Which data is included? The personal data in a VDR would usually include HR data, customer data and vendor data. An obvious answer to the processing question would be anonymisation. In practice, however, that is unworkable. Due diligence is a major distraction for the target and a major out-of-pocket expense for the acquirer, and the added expense and inconvenience of running an anonymisation programme over the various datasets in the VDR is unlikely to happen. First, it can be slow and expensive to organise. Second, it may be effectively impossible, since the classes of data subjects are narrowly defined anyway (e.g. employees of Acme Corp, or customer contacts of Acme Ltd), so a determined reader could often re-identify them. Third, in some cases it would defeat the purpose of the diligence, which may involve, for example, exploring synergies or identifying key clients or personnel.

So we are left with the assumption that personal data is being transferred. On what lawful basis is that possible? For non-sensitive data, Article 6(1)(a) consent could be possible, but there are two good reasons to avoid it: it would often negate the secrecy of the transaction, and it can be withdrawn at any time, which would complicate matters significantly. In some countries there may be a legal obligation to share certain data, which would make Article 6(1)(c) available for that data.
In general, however, it is Article 6(1)(f) legitimate interest which is most relevant. Germany's DSK has issued some guidance, but it is of limited application in most M&A due diligence processes. The legitimate interest basis must be adequately documented; the ICO's legitimate interests assessment (LIA) template is a convenient way to do this. In general, the legitimate interest itself is straightforward (say, conducting the M&A transaction), and the rights and freedoms of the data subjects are usually unharmed, provided the security and confidentiality of the VDR are actually assured in practice: access restricted to the deal team, confidentiality undertakings in place, and the data removed or returned when the process ends. The trickiest part of the test is necessity, on which, more next time.

