Corporate acquisition/M&A

Data protection must be observed

The complexity of corporate transactions, whether through share deals (share acquisition) or asset deals (transfer of assets), requires thorough legal and economic analysis. Data protection plays a key role here: in transactions that require high investments, potential buyers must know exactly what the “product” is in order to avoid uncertain investments. This analysis process covers all aspects, from economic to tax and financial matters, with personal data, such as information about employees and customers, playing a central role.

Obtaining consent is a possible safeguard when handling data of any kind, but this is often impracticable in the area of M&A in view of increasing administrative costs and the possibility of revocation at any time. Abstract advance consent in employment contracts is largely ineffective under applicable law. Participants in company acquisitions therefore often resort to the alternative of “legitimate interests,” although the balancing of these interests varies depending on the phase of the transaction.

Specific measures are taken to meet the interests of entrepreneurs: the exchange of data is limited to the minimum extent necessary and is accompanied by confidentiality agreements between the parties and by technical and organizational measures that guarantee sufficient security. Despite these measures, the information obligations of the controller often clash with business interests. Pursuant to Article 13 (3) GDPR, the controller is obliged to inform data subjects of the changed purpose before further processing, although these requirements may overlap with the confidentiality obligations and confidentiality interests of the participating companies, in particular because company acquisitions are prepared confidentially and in camera.

Successful planning of company acquisitions in compliance with the GDPR requires a structured and comprehensively documented approach. Each phase of the transaction should be carefully recorded and accompanied by experienced advisors to minimize the risk of fines. Strict compliance with the GDPR is critical, as breaches can result in significant financial and legal consequences that could jeopardize the success of a company takeover.

In particular, customer data, which is now regarded as a valuable asset for potential buyers, deserves attention. The customer base often represents a company's most valuable asset and must therefore be given particular consideration in company acquisitions.

Due diligence: Focus on data protection risks

One of the basic phases of company acquisitions is due diligence, in which the target company is subject to a comprehensive audit. In addition to economic and legal aspects, potential violations of the General Data Protection Regulation (GDPR) must also be analysed and assessed here. These can have significant legal and financial consequences.

Data Protection in the Transaction Process

Legally compliant processing of personal data is of paramount importance throughout the transaction process. According to the GDPR, any processing must be based on a valid legal basis, whether through the consent of data subjects or a legitimate interest in accordance with Article 6. Violations of the GDPR can be punished with significant fines, which is why a careful risk assessment is essential.

The choice between a share deal and an asset deal has an impact on the data protection strategy. While shares are purchased in a share deal, individual assets are transferred in an asset deal. The data protection strategy must be adapted to the chosen form of transaction in order to meet the data protection requirements.

Phases of Corporate Transaction and Data Protection

The corporate transaction goes through several phases, from due diligence to contract negotiations to the conclusion (closing) of the contract. In each of these phases, the parties must ensure that the processing of personal data is carried out on a legally secure basis. Comprehensive documentation in accordance with the GDPR, in particular Articles 24 and 32, is essential.

Balancing information requirements with contractual interests is a key challenge during due diligence. The compatibility of purposes in accordance with Article 6 (4) GDPR must be taken into account in order to adequately protect the rights and freedoms of data subjects.

In order to ensure data protection during due diligence, it is advisable to define a data protection concept in advance. This includes implementing technical and organizational measures to ensure the security and integrity of personal data in accordance with the requirements of the GDPR.

In view of the complex data protection requirements for company acquisitions, it is crucial that each contracting party develops clear ideas about data processing and sets them down in written agreements. This is the only way to minimize potential risks and ensure data protection throughout the transaction.

In the world of mergers & acquisitions (M&A), maintaining confidentiality and concluding appropriate agreements is crucial. Managing directors and board members must maintain strict secrecy from the shareholders of the participating companies. Sensitive business data may not be made available in the data room or disclosed to the potential buyer without internal authorization.

Prior to any discussion or exchange of information, the managing directors and board members conclude a confidentiality agreement, in particular with regard to the trade secrets of the target company. This agreement clearly defines the group of persons who have access to confidential information and, where appropriate, sets out separate confidentiality obligations.

Order processing and joint responsibility in the M&A process

In M&A transactions, there is no order processing (processing on behalf of a controller) within the meaning of Article 28 of the General Data Protection Regulation (GDPR), because there is no authority to issue instructions. However, it is examined whether there is joint responsibility in accordance with Article 26 (1) GDPR, based on a joint decision on the purpose and means of data processing.

Data processing in accordance with the GDPR starts with the preparation of personal data for the data room, regardless of whether it is structured electronically or physically. Before data is provided, it is carefully checked whether there is a sufficient legal basis in accordance with Article 6 GDPR and whether the functions and relationships of the joint controllers have been disclosed to data subjects in accordance with Article 26 (2) GDPR.

Lawfulness of data processing when buying a company

The lawfulness of data processing is of central importance when buying a company. Three relevant legal bases of the GDPR must be observed, with Article 6 (1) sentence 1 lit. f GDPR being used most frequently:

Article 6 (1) sentence 1 lit. a GDPR:

Consent is often impracticable for future transactions. Obtaining consent from many people is not feasible due to the confidentiality of due diligence.

Article 6 (1) sentence 1 lit. b GDPR:

This basis rarely applies, as the disclosure in the M&A process is not made in order to fulfill the contract with the data subject.

Article 6 (1) sentence 1 lit. f GDPR:

This basis is decisive in most cases. Buyers and sellers have a legitimate interest in the transaction, such as increasing competitiveness.

Asset or share deal?

Depending on the transaction model (asset or share deal), buyers and sellers have information obligations vis-à-vis the data subjects:

Share deal:

Here, the original controller remains the controller and there is no obligation to provide information.

Asset deal:

In the case of an asset deal, the controller changes and a new legal basis for data processing is required.

Timing of data processing and information requirements

When balancing interests in accordance with Article 6 (1) sentence 1 lit. f GDPR, the time of data processing (before signing, between signing and closing, after closing) is decisive, as are the scope of the data and the access rights to it.

Information requirements under Articles 13 and 14 GDPR must be observed, in particular when personal data is collected directly or indirectly as part of a company takeover. The selection and preparation of data in the data room should be carried out carefully in order to comply with the principle of data minimization and to provide only data that is relevant to the transaction.


7 May 2024