Data (Protection) in M&A Transactions

In order to expand their own businesses or to explore new business models, companies frequently acquire competitors or start-ups operating in the relevant fields and integrate them into their businesses. Data protection is playing an increasingly important role in the context of M&A transactions, because often the object of purchase cannot be clearly identified but rather is a structure comprising rights, technology, knowledge and infrastructure. In this regard, the question often arises whether the data underlying the asset (eg customer or supplier data) may be sold and transferred in a straightforward manner. Also, it will in future be necessary to clarify whether data represents an independent additional factor in determining a company's market power and thus may trigger a notification requirement with the competent cartel office under merger control rules.

Even the provision of personal employee or customer data in the data room as part of a due diligence may be deemed a transfer within the meaning of data protection law. Data pertaining to officers or directors may be governed by other rules, however. Restrictions under data protection law frequently undermine the legitimate interests of the purchaser for disclosure of relevant data in order to perform a risk analysis and gain a detailed overview of the target, and should be taken into account when acquiring a company. Although potential administrative fines for non-compliance of course do play a role, the risk that data collected unlawfully may have to be deleted and may no longer be used is even more important (as shown recently by the sanctions imposed by the Bavarian Data Protection Authority (Bayerisches Landesamt für Datenschutzaufsicht) regarding the unlawful transfer of data in connection with an asset deal).