"Data-protection norms have led to new challenges when buying a company"

Five years after establishment, Heuking Kühn Lüer Wojtek’s thriving French Desk is reaping the rewards of the hard work of its multilingual, 15-member team. Leaders League spoke to Helge-Torsten Wöhlert, the man leading it.

Posted Tuesday, October 25, 2022

LEADERS LEAGUE: How’s business?

Helge-Torsten Wöhlert: Excellent! Last year the French desk was active in transactions for strategic investors, both for CAC40 groups and in the mid-cap sector. We can also look back on lively transaction activity in the private equity sector.

What was a prominent item on your agenda in 2021?

The influence of data protection requirements on the structuring of corporate acquisitions. There are cases in which customer data are the essential element of the company purchase, for example in the mail-order business. In general, though, it is often a question of being able to continue to use the customer data available to the company after the transaction, especially within a group. New challenges arise at various phases of the company acquisition; this applies to the implementation of due diligence as well as to the contractual design.

What features does data protection add to the due-diligence process?

I would like to single out three aspects. First of all, the question has already arisen as to what extent, and on what legal basis, personal data may be transferred to the buyer in the course of due diligence or made accessible to the buyer in separate data rooms. This concerns employee data, but also customer and supplier data, among other things. Here, the consent of the persons concerned to the processing of data concerning them for the purpose of due diligence will usually not exist, and furthermore can generally not be obtained, as this would counteract the transaction secrecy imperatives. The legality of the data processing then depends on the legitimate interests of the companies involved within the context of the GDPR, which must be weighed against the interests of the data subjects on the other hand. With regard to customer and supplier data, redacted documents will generally be sufficient.

Second, the GDPR includes specific transparency obligations vis-à-vis the persons affected by data processing. Since none of the parties involved will have an interest in informing all affected customers, suppliers and, in particular, employees of the target company about this during the transaction, they will want to invoke exceptions from the GDPR with regard to information obligations, according to which there would be overriding legitimate interests in secrecy in this respect.

In this case, it is highly recommended to carefully document the decision to provide information only at a later stage, and to weigh the interest of the persons concerned against the interest of the parties involved in the transaction on a case-by-case basis.

If one wants to protect oneself as much as possible against possible information obligations in the run-up to a transaction, it is recommended that potential target companies include the potential transfer of personal data to possible prospective buyers in any data protection information in advance and without any specific reason.

Finally, it should also be noted that the transfer of data to the (electronic) data-room provider must comply with data protection requirements.

This means that it is not only necessary to conclude a data-processing agreement that meets the requirements of Art. 28 of the GDPR. When selecting the data-room provider, it must also be ensured that the provider has taken appropriate technical and organisational measures in accordance with Art. 32 of the GDPR, in order to guarantee the integrity of the data. The process of conducting due diligence has thus become significantly more complex.

Are there new, content-related due diligence challenges related to data protection?

Of particular importance is the lawfulness of the collection and processing of personal data at the target company and whether there are inadequacies in the collection of the data or whether these can be remedied for the future. With regard to any fines for data protection breaches, the buyer should also seek to identify the nature, gravity and duration of the breaches, as well as the number of data subjects affected by the processing and the extent of the harm suffered by them. In addition, it may also be pertinent to determine what costs are likely to be associated with remedying the breaches found.

Who has to bear the threat of damages from data protection violations in the case of company acquisitions?

Since full compliance with the GDPR will often not exist in practice and the necessary compliance structure or knowledge will often be lacking, the seller will only want to guarantee to a very limited extent, or not at all, that there are no breaches of data protection provisions in the target company. In contrast, the buyer will try to minimize the risk that not all risks were uncovered during the due diligence it conducted. This is all the more true as actual events outside of data-room documents, such as the actual storage and deletion of data, access management or the day-to-day behaviour of employees are usually not (yet) examined in the due diligence. Numerous sources of data protection violations, therefore, often go unchecked and undiscovered.

How do you evaluate the economic risk of a data protection breach?

The risk for the parties in a purchase agreement is hard to quantify.

The GDPR, for which group turnover can be decisive, allows considerable leeway, which has not been exercised uniformly by the data protection authorities to date.

Has a general contractual standard of risk allocation already been established?

In practice, data protection risks of the buyer are generally covered by guarantees. A classic topic of negotiation will be their possible limitation to the seller's knowledge. In the area of data protection, this restriction can be problematic because the seller will often have no knowledge at all of which facts violate data protection regulations. Therefore, it will also be a topic of negotiation whether and to what extent managing directors and data protection officers are to be included in the liability regime of the guarantee.

Furthermore, indemnities may kick in. The exciting question is whether indemnities will become the general standard for the distribution of risk between buyer and seller in relation to data-protection breaches, as is the case for tax or environmental risks, for example. This could lead to the seller only being liable for breaches that occurred prior to the closing. As of the closing, it would then be the buyer’s responsibility to prevent new violations and to uncover and remedy existing persistent violations. If, in the course of official investigations, a fine were to be imposed for a violation that began before the closing and continued after the closing until it was discovered by the authorities, this would require a separate provision.

This is because, unlike tax law, data protection does not have any delimitable assessment periods. One possibility would be to divide this fine between the parties pro rata temporis, calculated on the duration of the violation before and after the closing.