Business now feeling the effects of GDPR in M&A transactions

Automotive, healthcare and financial services are prime examples of sectors that are undergoing rapid digital change. This transformation in the digital environment is causing business models to be radically altered or replaced by other models, but few areas are undergoing more change in this digital area than Merger & Acquisition (M&A) transactions.

How is M&A being impacted? When companies attempt to meet these current challenges through external acquisitions, they are finding that the products and applications of their transaction targets often contain the personal data of customers or users. As result of the GDPR, M&A transactions are increasingly becoming more complicated.

Not long ago, data protection issues were an afterthought in the structuring of M&A transactions mainly because penalties for data protection violations were minimal. But no longer. Now, as a result of the GDPR, violations can result in fines of up to EUR 20 million or 4% percent of the company's worldwide annual turnover.

Importance of data protection in automotive, fintech and healthcare industry

The GDPR always applies when the personal data of "natural persons" (i.e. people) are being processed. In corporate transactions, this applies to employee, supplier and customer data, including user data from apps or other digital services.

In the automotive sector, for example, car sharing can create data that includes highly sensitive information like movement profiles, register payment behaviour models and traffic violations. The same is true of healthcare apps that manage highly sensitive healthcare data and financial apps that deal with information from the fintech sector.

Moreover, data volumes have increased with the entry of large players into the market. Mergers in these areas, such as the recent agreement between Drive Now (BMW) and Car2go (Daimler), are expected to continue. As a result, CMS recommends that data protection be considered and documented at an early stage in every M&A transaction to exclude or at least minimise the risks of a GDPR violation from a compliance point of view.

Legal tech support for compliance

The personal nature of data and hence its regulation by data protection laws can be eliminated by redacting documents. To this end, legal tech is being used in this process more and more to save costs and time.

Confidentiality measures are being taken to minimise risks such as limited access to data rooms, encrypted data transmissions, the obligation to delete data upon the termination or completion of a transaction and all corresponding contractual penalties.

In addition, where data rooms are concerned, GDPR compliance should be clarified with the providers, especially those with headquarters or servers outside the EU.

Throughout the M&A process, data protection considerations should be documented as each milestone (e.g. due diligence, post-signing, post-closing) is reached, depending on the requirements of the transaction structure – whether it is an asset deal, share deal, or conversion measure – and the advice of experienced advisors.

The same considerations should apply when assessing whether and at what stage the employees, customers' employees, suppliers' employees and users of each party involved in the M&A need to be informed about the potential transaction.

These are vital considerations and making the right decisions about the handling of personal data can make the difference between a successful or problematic M&A.

To assist companies facing a M&A in these complex times, we have devised the following aid: "CMS Checklist M&A and GDPR". And if you have other questions about how GDPR could affect a M&A you are involved in, contact your regular CMS source or one of the following local CMS experts: