As nearly all companies store or process information about their business partners, customers, potential customers and employees, the GDPR will also have an impact on M&A transactions, especially in light of the extraordinarily high fines that may be imposed on non-complying companies.
From an M&A perspective, the scale of GDPR's impact will depend on the characteristics of the business of the relevant target company. Companies focusing on B2C business will more likely be in possession of significant quantities of personal data, because their business largely depends on the company's access to its customers. On the one hand, the more complex and detailed information a target company has about its customers, the better the chances that it can use it for its business. On the other hand, however, the more such information is collected and processed, the greater the risk of either non-compliance, or that a so-called data protection incident – for example, data leakage – occurs.
Since the adoption of the GDPR, the non-compliance of a target company has started to pose a high risk for the potential buyer, considering the potential amount of the fine. Therefore, nowadays, the level of the target company's GDPR compliance needs to be much more carefully investigated. This entails a thorough review of the legal basis of the use of personal data, the existence of adequate internal privacy policies and the communication of various aspects of the data processing. The potential buyer will also need to identify the internal processes, action plans and possible GDPR-related past or contingent breaches of the target company. Understanding the exact nature and intricacies of the target company's business is also crucial, in order to identify the scope and type of the data that the target company stores or processes. Thus, the due diligence request list should include specific requests for information and documents in relation to the GDPR compliance of the target company.
In addition to the above, IT due diligence will likely play a more important role given that IT systems have an essential role in data protection, as the level of IT defense is already a key factor. From a compliance point of view, a secure and well-designed IT system will represent a remarkable value at a target company. However, from a business point of view, the integration of a more complex system of the acquired business with the acquirer's business could cause additional costs and more technical difficulties.
First of all, the buyer is advised to negotiate more sophisticated representations and warranties ("R&W") that should explicitly cover, for example, that the target company collects only personal data for which the company has an appropriate legal basis and which are absolutely required for the given purpose, and that the data subjects are well informed. Another possible R&W could be that the data is stored only as long as absolutely required, that the data subjects are given the possibility to request correction or deletion of their data, and that such requests are actually and swiftly complied with. Further, R&W could also be negotiated to the effect that there are no, and have not been any, GDPR-related investigations that could adversely affect the company.
If the due diligence review reveals that the target company does not comply with GDPR, this may affect, for example, the purchase price, as the buyer will need to invest in bringing the company into compliance after the closing of the transaction. In the case of identified possible breaches, adequate indemnities should also be included in the transaction documents.
As Hungary has not yet adopted the laws which are necessary to actually operate the GDPR system, it is still unclear whether additional local tasks or other burdens will be imposed on companies. Whereas it will not be feasible for the buyer to cover this risk in the sale and purchase contract of a currently pending acquisition, the buyer should still take it into consideration in its own business calculations when acquiring a Hungarian company.
Co-Author: Roland Szebényi
This article first appeared in the Budapest Business Journal