
Corporate transactions in the SME sector – insurmountable hurdle or manageable challenge? Part 2a: Due diligence under data protection law


A clean data protection set-up has become a genuine value driver for buyers when valuing the company to be sold in the run-up to an M&A transaction. Since the GDPR came into force at the latest, no company can avoid the topic of data protection and the requirements that follow from it. Deficits in this area quickly turn into a legal risk for the buyer, who may have to invest considerable resources to remedy weaknesses in the target company’s data protection organization in order to escape the sword of Damocles of administrative fines (up to 4% of the previous year’s worldwide turnover under Art. 83 GDPR). It is therefore essential for a buyer to identify and, where necessary, reduce these risks as part of the due diligence process. A buyer who ignores data protection deficits runs the risk of being held responsible for them after closing.

The following explanations are intended to provide an initial overview of the topic in order to raise awareness of the importance of data protection due diligence. In this respect, please note that this article does not deal with personal data that is processed as part of the corporate transaction itself, e.g. the collection and processing of personal data for the buyer and the preparation of documents in the data room, including the necessary contracts with the data room operator. The focus here is on the due diligence of data protection risks in relation to the target company and the question of which structural approach the buyer can use to identify and thus reduce these risks.

Asking the right questions

The key is to ask the right questions during due diligence in order to assess the status quo and the level of data protection in the various areas relevant under data protection law. To this end, the existing documentation should be examined first. Attention should be paid to the following points:

  • Data protection and deletion concept – Deletion of data in particular must be implemented properly (e.g. no CRM full of “legacy data”); the data protection concept is the starting point and, to a certain extent, the heart of how data protection is handled and organized in the company. Of course, the processes defined in the concept must actually be implemented, which is in turn part of the audit.
  • Record of processing activities (Art. 30 GDPR) – a frequent source of error: the record does not exist or is incomplete, with the result that the company is not even aware of all its processing operations relevant under data protection law.
  • Data breach concept – this concerns the handling of data protection incidents (including the notification duties under Art. 33 and 34 GDPR) and the documentation of any incidents from the past; ultimately, the audit must also verify that the company has appropriate processes and technical and organizational measures (TOMs) in place so that data breaches can be detected and the company can respond appropriately.
  • Documents on IT and cyber security – e.g. check whether a data security concept (technical and organizational measures, Art. 32 GDPR) is in place, including recognized ISO certifications where applicable.
  • Data processing agreements (Art. 28 GDPR) – Almost every company engages IT service providers who then process personal data on behalf of the target company. Here it is important to check whether corresponding agreements exist in which the service providers commit to certain minimum standards and thus protect the controller.
  • HR documents relevant under data protection law – also a very sensitive area, ranging from the treatment of applicants and the onboarding of new employees to the contractual provisions agreed with them. In employee data protection, care must always be taken that the information obligations under Art. 13 GDPR are fulfilled and that all processes are clean: Does data protection information on the processing of employee data exist? Is there a concept for handling special categories of personal data under Art. 9 GDPR? Are confidentiality agreements in place for employees? Is consent available for the use of images, e.g. for publishing photos on the website?
  • Checking the website – in particular whether the privacy policy has been drafted in accordance with the law and actually covers all processing connected with a visit to the site; check the cookie banner and cookie policy as well.

The above points are key areas of data protection and at the same time areas in which omissions and deficits are common. Depending on the business sector in which a company operates, higher requirements may apply to data protection compliance. The first question to ask is always how responsibilities and accountability for data protection are regulated within the company. It is important to check whether a data protection officer has been appointed, what their duties are and whether they have been duly notified to the supervisory authority. In Germany, Section 38 BDSG requires a data protection officer as soon as at least 20 persons are regularly engaged in the automated processing of personal data, so the obligation applies in the vast majority of cases. There are numerous further points, such as the handling of supervisory authorities (is there a concept for this?), employee training conducted in the past and the handling of requests from data subjects.

Conclusion

Data protection and due diligence belong together. A data protection review of the target company is essential for a buyer in order to avoid taking on incalculable risks that usually only materialize, to the buyer’s disadvantage, after closing, e.g. when products and solutions of the target company turn out to be unmarketable under the GDPR, or marketable only after appropriate changes have been made.

Do you have questions about the typical challenges? Please feel free to contact us.

Outlook

This series of articles provides small and medium-sized companies with an initial guide on how a transaction process can be structured and successfully mastered. To this end, the following articles will present the key topics in the context of an M&A transaction in a compact and practice-oriented manner. In the next article, we will continue with the main topic of “Due Diligence” and my colleague Micaela Schork will provide an overview of IP/IT due diligence.


The author and your usual contacts will be happy to answer any questions you may have!

Sebastian Keilholz, LL.M.

keilholz@tigges.legal
+49 211 8687 153