Dealing with GDPR compliance risks in M&A transactions
Wolf Theiss, Vienna
In recent years, the European Union's General Data Protection Regulation (GDPR) has significantly changed the importance of data protection compliance with respect to M&A transactions. In particular, the due diligence process of a target company is subject to new requirements and standards. To the extent that the data processing activities of the target company are not in line with the GDPR, buyers may face significant risks. The GDPR has essentially increased the enforcement power of regulators. In the event of non-compliance with the GDPR, fines can reach up to EUR20m, or up to four per cent of a group's annual global turnover if higher.
Non-compliance with the GDPR – enforcement
The consequences of non-compliance are not limited to fines. They also include the associated costs, such as legal fees and litigation costs, in addition to potential reputational damage and an impact on the market standing of a business. Furthermore, failing to fully comply with the GDPR may result in lawsuits and claims by individuals for material and immaterial damages, which can be just as costly as the fines levied by regulators. This is a result of the possibly large number of individual claims (the potential claimed damages of which can total in the millions of euros). Additionally, the authorities have investigatory powers, such as on-site GDPR audits and the issuance of public warnings.
Risk analysis – due diligence
The magnitude of GDPR fines and other consequences of GDPR non-compliance increases the importance of a comprehensive evaluation of a target company. Without a thorough risk assessment, buyers may acquire a non-compliant company that brings with it the risk of significant fines and lawsuits.
In order to assess the target company's level of compliance with the GDPR, it is advisable to request the following information during the due diligence process:
all relevant data protection documents, such as guidelines, data processing agreements, works council agreements;
all information related to technical and organisational measures;
data security and data protection concepts;
information regarding IT systems;
information regarding data processing activities;
expert sessions or interviews with data protection experts (eg, IT managers, data protection officers);
information regarding any data breaches and related communication with the authorities and the data subjects;
information regarding any disputes, regulatory and criminal proceedings with respect to GDPR issues;
information regarding a self-assessment of the target company with respect to GDPR compliance;
information regarding dealing with data subjects' requests and other data protection processes; and
information on how the target company has secured the rights to use personal data (eg, individual agreements, relevant regulation of such rights in terms and conditions).
Based on our experience in recent years, the following aspects need to be considered, among others, when evaluating potential GDPR risks of a target:
Data applications that are structurally unlawful
Data applications that are structurally unlawful as a result of a violation of data processing principles or the absence of a sufficient legal basis pose a potential risk. This aspect is of the utmost importance to the extent that the target company's business model is largely based on such data applications, since not only may the asset itself be impaired, but additional GDPR risks may also arise.
Certain companies are in possession of ‘data cemeteries’, where the purpose of the data application no longer exists or is unclear. Companies often abstain from deleting such data stocks, even though the relevant requirement under the GDPR is clear: as soon as the purpose of a data use no longer applies, the relevant data must be deleted. Deutsche Wohnen, for example, was recently fined EUR17m by regulators for such ‘legacy data’ in an archive system.
Other structural deficits in data protection management systems, such as inadequate processes for dealing with data subject requests (access, deletion, objection to data processing, etc.) can also pose GDPR risks.
Data protection violations
Data protection violations are potential GDPR risks if, due to technical defects or targeted hacker attacks, personal data is unintentionally disclosed (data leakage), altered without authorisation (eg, encryption by ransomware) or used with the intention of causing damage (identity theft). The Information Commissioner's Office (ICO) in the United Kingdom recently announced its intention to impose a GDPR fine of approximately GBP 100m on the Marriott Group, which was accused of losing millions of guests' data in a breach that only occurred years after the acquisition of Starwood Hotels and that was allegedly the result of inadequacies in IT security.
In order to understand and mitigate GDPR risks, comprehensive due diligence of the target company is required.
Reflecting GDPR risks in transaction documents
Following the assessment of GDPR compliance risks, any identified instances of non-compliance should ideally be rectified by the completion of the M&A transaction. To the extent that this is not possible, the relevant risks can either be reflected in the valuation of the target company or certain risks can be reflected in the transaction documents (eg, indemnities and warranties).
If the risks related to the GDPR cannot be eliminated prior to completion, appropriate warranties with respect to the GDPR, among other things, should be contained in the purchase agreement. From the buyer's point of view, no financial limitations should be included regarding the GDPR warranties listed in the purchase agreement, if data protection risks remain. This is recommended because of the possible large magnitude of GDPR fines, reputational damages and claims for damages by individuals.
Furthermore, GDPR-related warranties that refer to the knowledge of the seller or the target company should only be agreed upon if the finding of the due diligence assessment is that the target company has a sufficient level of data protection and, in particular, adequate technical and organisational measures to reduce the likelihood of data protection violations.