The Data Protection Aspects of Corporate Acquisition/M&A

Data Protection must be observed

The complexity of corporate transactions, whether through share deals (share acquisition) or asset deals (transfer of assets), requires thorough legal and economic analysis. Data protection plays a key role here: in transactions involving high investments, potential buyers must understand exactly what they are acquiring in order to avoid uncertain investments. This analysis process covers all aspects, from economic to tax and financial matters, with personal data, such as information about employees and customers, playing a central role.

Obtaining consent is a possible safeguard when handling data of any kind, but this is often impracticable in M&A because of the increased administrative costs and the possibility of revocation at any time. Abstract advance consent in employment contracts is largely ineffective under applicable law. Therefore, participants in company acquisitions often resort to the alternative of “legitimate interests,” although the balancing of these interests varies depending on the phase of the transaction.

Specific measures are taken to meet the interests of entrepreneurs: data is exchanged only to the minimum extent necessary, accompanied by confidentiality agreements between the parties and the guarantee of sufficient security through technical and organizational measures. Despite these measures, the controller's information obligations often clash with business interests. Pursuant to Article 13 (3) GDPR, the controller is obliged to inform data subjects of the changed purpose before further processing. These requirements may conflict with the confidentiality obligations and confidentiality interests of the participating companies, particularly as company acquisitions are prepared confidentially and in camera.

Successful planning of company acquisitions in compliance with the GDPR requires a structured and comprehensively documented approach. Each phase of the transaction should be carefully recorded and accompanied by experienced advisors to minimize the risk of fines. Strict compliance with the GDPR is critical, as breaches can result in significant financial and legal consequences that could jeopardize the success of a company takeover.

Customer data, now regarded as a valuable asset for potential buyers, deserves particular attention. The customer base often represents a company's most valuable asset and must, therefore, be given special consideration when making company acquisitions.

Due Diligence: Focus on Data Protection Risks

One of the basic phases of company acquisitions is due diligence, in which the target company is subjected to a comprehensive audit. In addition to economic and legal aspects, potential violations of the General Data Protection Regulation (GDPR) must also be analyzed and assessed here. These violations can have significant legal and financial consequences.

Data Protection in the Transaction Process

Legally compliant processing of personal data is of paramount importance throughout the transaction process. According to the GDPR, any processing must be based on a valid legal basis, whether through the consent of data subjects or a legitimate interest in accordance with Article 6. Violations of the GDPR can result in significant fines, which is why a careful risk assessment is essential.

The choice between a share deal and an asset deal has an impact on the data protection strategy. While shares are purchased in a share deal, individual assets are transferred in an asset deal. The data protection strategy must be adapted to the chosen form of transaction in order to meet the data protection requirements.

Phases of Corporate Transaction and Data Protection

The corporate transaction goes through several phases, from due diligence to contract negotiations to the conclusion (closing) of the contract. In each of these phases, the parties must ensure that the processing of personal data is carried out on a legally secure basis. Comprehensive documentation in accordance with the GDPR, particularly Articles 24 and 32, is essential.

Balancing information requirements with contractual interests is a key challenge during due diligence. The compatibility of purposes in accordance with Article 6 (4) GDPR must be taken into account in order to adequately protect the rights and freedoms of data subjects.

In order to ensure data protection during due diligence, it is advisable to define a data protection concept in advance. This includes implementing technical and organizational measures to ensure the security and integrity of personal data in accordance with the requirements of the GDPR.

In view of the complex data protection requirements for company acquisitions, it is crucial that each contracting party develops clear ideas about data processing and sets them down in written agreements. This is the only way to minimize potential risks and ensure data protection throughout the transaction.

In the world of mergers & acquisitions (M&A), maintaining confidentiality and concluding appropriate agreements are crucial. Managing directors and board members must maintain strict secrecy from the shareholders of the participating companies. Sensitive business data may not be made available in the data room or disclosed to potential buyers without internal authorization.

Prior to any discussion or exchange of information, the managing directors and board members conclude a confidentiality agreement, particularly with regard to the trade secrets of the target company. This agreement clearly defines the group of persons who have access to confidential information and, where appropriate, sets out separate confidentiality obligations.

Order Processing and Joint Responsibility in the M&A Process

In M&A transactions, there is no order processing (processing by a processor on behalf of a controller) under Article 28 of the General Data Protection Regulation (GDPR), as there is no authority to issue instructions. However, it is important to examine whether joint responsibility (joint controllership) exists under Article 26 (1) GDPR, which arises where the parties jointly determine the purposes and means of data processing.

Data Processing in M&A Transactions

Data processing in compliance with the GDPR begins with the preparation of personal data for the data room, regardless of whether the data is structured electronically or physically.

Before the data is provided, it is crucial to verify whether there is a sufficient legal basis in accordance with Article 6 GDPR and whether the roles and relationships of the joint controllers have been disclosed to data subjects as required by Article 26 (2) GDPR.

Lawfulness of Data Processing when Buying a Company

The lawfulness of data processing is of central importance when acquiring a company. Three relevant legal bases of the GDPR must be observed, with Article 6 (1) sentence 1 lit. f GDPR being the most frequently used:

  • Article 6 (1) sentence 1 lit. a GDPR: Consent is often impractical for future transactions. Obtaining consent from many individuals is not feasible due to the confidentiality of due diligence.
  • Article 6 (1) sentence 1 lit. b GDPR: This basis rarely applies, as the disclosure in the M&A process is not made to fulfill a contract with the individual concerned.
  • Article 6 (1) sentence 1 lit. f GDPR: This basis is decisive in most cases. Buyers and sellers have a legitimate interest in the transaction, such as increasing competitiveness.

Asset or Share Deal?

Depending on the transaction model (asset deal or share deal), buyers and sellers have different information obligations towards the data subjects:

  • Share deal: The original data controller remains, and there is no obligation to inform data subjects.
  • Asset deal: In an asset deal, the data controller changes, and a new legal basis for data processing is required.

Timing of Data Processing and Information Requirements

When balancing interests under Article 6 (1) sentence 1 lit. f GDPR, the timing of the data processing (before signing, between signing and closing, or after closing) is crucial, as are the scope of the data and the access rights to it.

Information requirements under Articles 13 and 14 GDPR must be observed, especially when collecting personal data directly or indirectly as part of a company acquisition. The selection and preparation of data for the data room should be carried out carefully to comply with the principle of data minimization, providing only the relevant data for the transaction.


7 May 2024