Many negotiations are conducted before a company is purchased. These negotiations also concern the company’s data. Data such as customer data, employee data and supply contracts is particularly relevant for risk assessment. But can this highly sensitive data be disclosed during negotiations without notifying the parties concerned?
The purpose of this article is to show the interplay between the company’s interest in keeping the data confidential and the potential corporate buyer’s interest in clarifying the information.
A company acquisition proceeds in several phases. In addition, a distinction must be made between an asset deal and a share deal. Depending on the phase of the negotiations and the type of company purchase, different data protection requirements may apply.
Privacy and personal data
The General Data Protection Regulation (GDPR), which has been in effect since May 2018, is intended to protect private individuals from data misuse. The GDPR is an outgrowth of the right of personality and of informational self-determination. Since a violation of the GDPR is punished with serious consequences, the topic is particularly interesting in the case of a company purchase. It is therefore important to know what the GDPR actually protects and what personal data is.
The law defines personal data as “any information relating to an identified or identifiable natural person […]”. This definition alone does not clarify what counts as information or who is an identified or identifiable natural person. The problem is somewhat alleviated by the Federal Data Protection Act. According to this law, personal data is individual information about the personal or factual circumstances of an identified or identifiable natural person. This is the first point of contact in the case of a company purchase. A company is not a natural person. The purchase of such a company would therefore not be protected by the GDPR. It must be taken into account, however, that although it is the company that is purchased, the purchase is made on the basis of all company positions. This includes, above all, the natural persons who carry and manage the company. The prospective buyer will have a very great interest in knowing which persons belong to the company and what their qualifications are. Aspects of employment law also play a role here, in particular the right of termination, which is why the prospective buyer will want to assess the overall risk of the transaction.
This raises the question of which data involved in a company acquisition is relevant under the GDPR.
A differentiation between share deals and asset deals can be helpful here.
In a share deal, the seller sells its shares in the target company, also called the target. This deal does not raise any data protection concerns. All shares in the company are sold, while the company itself remains in existence. Apart from the sale of the company, no new relevant points of contact under data protection law arise. The data controller under the GDPR remains the same, and the purpose of use is preserved.
In an asset deal, all or selected assets of the target are sold to the buyer. More caution is required here, as a purpose different from the original one may be pursued. In this case, personal data may be strongly affected, which is why a balancing of interests has to be carried out in each individual case. As a point of reference, the further the processing moves away from the original purpose, the greater the obligation to obtain the consent of the data subjects.
It can also be helpful to distinguish between the phases in the purchase of a company:
In the due diligence phase, the company is carefully examined with regard to its economic, legal, tax and financial circumstances. Here, however, the negotiations still take place behind “closed doors”. Both the potential buyer and the seller have an interest in keeping a possible company purchase secret. The buyer does not want to communicate the purchase to the outside world until the contracts have been signed. The seller likewise does not want to announce the purchase until the contracts have been signed, because the risk of creating an atmosphere of departure within the company is too great. Furthermore, the image of the company can be damaged if the transaction fails. Due to the mutual interest in secrecy, data protection aspects do not yet play a significant role.
The data protection aspect must be assessed differently shortly before the conclusion of the contract. At this point, the due diligence has been successful and the company purchase is to be concluded. This gives rise to a great interest in the company’s data in order to finally assess and calculate the risk. Compliance with the GDPR can be very troublesome and time-consuming for both parties. A compromise is to provide the data in anonymized form. This can be done, for example, by blacking out personal data. It is very important that the blacked-out data cannot be traced back to a person. Otherwise, there is a risk that the GDPR will be circumvented. Furthermore, the disclosure of data can be enabled by creating a static file. Here, all important data is transmitted to the potential buyer, but it cannot be traced back to a person. The buyer may nevertheless have an interest in certain data that redaction does not adequately take into account. In this case, a balancing of interests under data protection law must be carried out in each individual case to determine whether the seller’s interest in information outweighs the interest in keeping the data confidential. In any case, a legitimate interest in the disclosure of the data is always necessary.
The risk to stakeholders from a breach of data protection law is very high.
Often, information relevant to data protection is disclosed without the parties being aware of whether it is highly sensitive data. A breach of the GDPR can occur quickly and can have serious consequences. Above all, fines of up to tens of millions of euros are imposed for violations. Data protection requirements will also increase in the future, which is why competent advice in this area should not be neglected.