
01 February 2024

Share everything, but safely? How to protect data in a due diligence process

In the fast-paced world of mergers and acquisitions, due diligence is a critical step in evaluating the legal, financial and strategic aspects of a potential deal. But as personal data becomes increasingly valuable, the data protection aspects of due diligence are coming under the spotlight. Companies must navigate a complex landscape to ensure that personal data is safeguarded.

Who's responsible for the personal data shared?

When determining liability for personal data shared during due diligence, the primary consideration is whether the parties qualify as data controllers, joint controllers or data processors, since their respective responsibilities depend on this classification.

The seller typically acts as the data controller, since it has collected the personal data and usually has a legal basis and a legitimate purpose to share the data with the buyer. In most due diligence processes the buyer also qualifies as a data controller, as it may use, evaluate and examine the personal data to make strategic decisions about the contemplated transaction. As both the seller and the buyer qualify as data controllers, they can be regarded as joint controllers.

A typical data processor in the due diligence process is the virtual data room (VDR) service provider on whose platform the personal data is uploaded. Others are the law firm and the financial, technical, tax and other advisors who review the contents of the VDR for the buyer and help it to identify potential risks. The seller's legal and financial advisors are also often considered data processors. These advisors make the relevant data available to the buyer, usually through the VDR, where the buyer's legal and financial team can easily access them.

To protect personal data uploaded to the VDR and to define the responsibilities for shared personal data, agreements must be established both between the joint controllers (seller and buyer) and between the data controller and the data processors. These joint controller or data processing agreements define and allocate responsibilities for the processing of shared personal data.

Anonymisation and pseudonymisation in the VDR

Anonymisation is a data processing technique in which personal data is transformed in such a way that it cannot be linked back to an individual, even using additional information or methods. The goal is to make the data entirely anonymous. Pseudonymisation involves replacing or masking personally identifiable information with pseudonyms or codes. Unlike anonymisation, pseudonymisation retains the potential to re-identify individuals by using additional information stored separately. Both techniques can be valuable in a due diligence process. It is advised for the seller and the buyer to agree on which data will be pseudonymised or anonymised. This entails an assessment of the extent of the personal data that will be shared.

The role of technology and AI

Leveraging advanced technology solutions can significantly enhance data protection efforts in due diligence. Artificial intelligence (AI) can play a significant role in anonymisation and pseudonymisation processes in a due diligence context, enhancing both the efficiency and effectiveness of these privacy-preserving techniques.

AI can be used to automatically identify, anonymise or pseudonymise personal data within the documents and datasets being reviewed during the due diligence process. Natural Language Processing (NLP) and machine learning algorithms can recognise names, addresses, social security numbers and other patterns of personally identifiable information. AI can then suggest replacing names with generic identifiers (e.g. "Employee 1") or masking parts of addresses. One thing is certain: AI will play a significant role in due diligence processes in the future and might be able to replace human intervention or review of documents in a variety of ways.
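The distinction drawn above between pseudonymisation (reversible with separately held additional information) and anonymisation (not reversible), together with the "Employee 1" substitution just mentioned, is illustrated by the following added Python example. It is not code from the authors or from any VDR product: the sample document and the address pattern are constructed, and the list of person names is assumed to come from a preceding NLP named-entity pass, which is out of scope here. The point it demonstrates is that the pseudonym table is the re-identification key and must be stored separately from the copy that goes into the VDR.

```python
import re
from dataclasses import dataclass, field

# Constructed sample excerpt of a VDR document (not a real deal document).
SAMPLE_DOC = (
    "Employment contract of Anna Kovacs (born 1985-03-12), residing at "
    "Fo utca 12, 1011 Budapest. Bonus approved by Peter Nagy. "
    "Anna Kovacs reports to Peter Nagy."
)

# Hypothetical input: in practice the person names would be produced by an
# NLP named-entity recogniser; here the list is constructed so the example
# runs offline.
PERSON_NAMES = ["Anna Kovacs", "Peter Nagy"]

DATE_RE = re.compile(r"\b\d{4}-\d{2}-\d{2}\b")
# Street, house number, postcode, city (constructed pattern for the sample).
ADDRESS_RE = re.compile(r"\b[A-Z][a-z]+ utca \d+, (\d{4}) ([A-Z][a-z]+)\b")


@dataclass
class PseudonymTable:
    """The 'additional information stored separately': whoever holds this
    table can re-identify individuals, so it must never be uploaded to the
    VDR alongside the pseudonymised documents."""
    by_name: dict = field(default_factory=dict)

    def token_for(self, name: str) -> str:
        # Stable numbering: the same person gets the same token in every
        # document processed with this table.
        if name not in self.by_name:
            self.by_name[name] = f"Employee {len(self.by_name) + 1}"
        return self.by_name[name]


def pseudonymise(text: str, names, table: PseudonymTable) -> str:
    """Replace each person name with a generic identifier such as 'Employee 1'.
    Relationships between records survive (the buyer can still see that
    Employee 1 reports to Employee 2), but identity is only recoverable
    with the table."""
    # Longest names first so a surname is not replaced inside a full name.
    for name in sorted(names, key=len, reverse=True):
        text = text.replace(name, table.token_for(name))
    return text


def re_identify(text: str, table: PseudonymTable) -> str:
    """Reverse pseudonymisation using the separately stored table."""
    for name, token in table.by_name.items():
        # Word boundaries so 'Employee 1' does not also match 'Employee 10'.
        text = re.sub(rf"\b{re.escape(token)}\b", name, text)
    return text


def anonymise(text: str, names) -> str:
    """Irreversible variant: no table is kept, all individuals collapse into
    one placeholder, dates are cut to the year and addresses to the city.
    Nothing held separately can restore the original identities."""
    for name in sorted(names, key=len, reverse=True):
        text = text.replace(name, "[individual]")
    text = DATE_RE.sub(lambda m: m.group(0)[:4], text)
    text = ADDRESS_RE.sub(r"\2", text)
    return text


def contains_direct_identifiers(text: str, names) -> bool:
    """Pre-upload check: does the text still contain any known name, a full
    date of birth or a full street address?"""
    if any(name in text for name in names):
        return True
    return bool(DATE_RE.search(text) or ADDRESS_RE.search(text))


if __name__ == "__main__":
    table = PseudonymTable()
    vdr_copy = pseudonymise(SAMPLE_DOC, PERSON_NAMES, table)
    print("pseudonymised:", vdr_copy)
    print("table (keep out of the VDR):", table.by_name)
    print("restored:", re_identify(vdr_copy, table) == SAMPLE_DOC)
    print("anonymised:", anonymise(SAMPLE_DOC, PERSON_NAMES))
```

The pseudonymised copy still carries the date of birth and the address, so `contains_direct_identifiers` reports it as not yet safe to upload; the parties' agreement on which fields are pseudonymised and which are anonymised decides whether those fields are also reduced before the document enters the VDR.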

Post due diligence

Although a great deal of personal data can be anonymised or pseudonymised during a due diligence process, some must be disclosed and shared in the VDR. Here the parties must determine deletion periods, i.e. how long the data should be available in the VDR, as personal data should not be retained longer than necessary after the completion of the due diligence.

It is also important to ensure that, where multiple prospective buyers had access to the VDR during the due diligence process but only one ultimately acquired the target company, the data is permanently deleted for all the other prospective buyers. As soon as it becomes clear that a potential buyer will not be purchasing the target company, it is advisable to terminate its access to the VDR immediately.

So, whether dealing with the allocation of responsibilities, pseudonymisation, anonymisation or deletion of data, it is essential that the parties agree on how to handle these data protection issues prior to the due diligence and set out their arrangements in a joint controller or data processing agreement.


authors: Áron Hegyi, Kinga Hetényi