Transparency is a data processing principle (GDPR Article 5(1)(a)), and the GDPR Chapter III obligations stem from that principle. Processing of personal data as part of M&A due diligence must be disclosed to the data subjects, and this can be done through a privacy policy or privacy notice in accordance with Articles 12-14. So if your privacy policy currently contains language to the effect that personal data may be processed in connection with a merger or acquisition or similar transaction, this transparency requirement may be fulfilled.

However, there is significant nuance, and opportunity for endless privacy policy language. For example, personal data may be processed in connection with an acquisition, and that includes many different steps. Data may be transferred to a potential acquiror as part of its due diligence. That transfer is pursuant to a legitimate interest of the target being acquired.

What is the status of the acquiror? It is not a processor, since it is not processing on behalf of the target. Are the two joint controllers? This is very improbable, as the acquiror and target do not determine the means and purposes of processing together. The acquiror must then be an independent controller, in which case the acquiror has its own transparency obligations.

How is an acquiror to inform the data subjects, say the personnel of the target, that it is processing their data? Once the transaction is made public, this is clearly doable. What is to be done before it is public? A few alternatives are suggested.

One is that the acquiror rely, for now, on Article 14(5)(b), namely where providing the information would likely make it impossible or seriously impair the achievement of the processing objectives. WP29 (in Opinion 260, para 58, p.28) writes: “To rely on this exception, data controllers must demonstrate that the provision of the information set out in Article 14.1 alone would nullify the objectives of the processing.” This is a very high bar indeed.
The GDPR speaks of making it likely to impair the objectives of the processing, not of nullifying the processing. It may however be argued that were the acquiror to publicize to the data subjects that it is conducting due diligence on, for example, their performance, then the target would cancel the transaction.

The other is that the acquiror rely, for now, on Article 14(5)(d); this requires the use of the acquiror's legal counsel or other professionals. This must be based, for example, in member state law, which in general exists and binds lawyers, accountants and others. Much of the due diligence in M&A is conducted by lawyers and accountants, and use may be made of their statutory duties of confidentiality in order to enable an effective due diligence involving personal data, without announcing it to the data subjects.

Of course, as soon as the negotiation or transaction is no longer confidential, data subjects must be notified of the processing, with all the ramifications.
* * * * *

Reminder: this isn't legal advice.