Privacy issues in mergers and acquisitions are, among other things, drawing the attention of transaction parties these days.
Privacy risks and issues in mergers and acquisitions used to be overlooked or underestimated. These days, however, conducting adequate due diligence on privacy issues, mitigating risks associated with a target’s privacy-related liabilities and requesting privacy-related representations and warranties are very common in merger and acquisition transactions.
Another important issue is how the target company can disclose the required data, which includes personal data, to the purchaser (and the purchaser’s advisors), the risk associated with such a transfer, and how the purchaser will use such data upon closing.
Lastly, purchasers nowadays have to think about further post-closing data protection items to be dealt with, depending on the jurisdiction in which the transaction takes place.
This document aims to review data protection issues in the different phases of the transaction, how the parties must plan data transfers during the transaction, and how they can be prepared for privacy-related post-closing issues.
Data Protection Issues in M&As
1. Transferring/ Disclosing Personal Data to Purchaser
Merger and acquisition transactions involve the disclosure or transfer of personal data from the target company to a purchaser. The data being transferred generally consists of personal data of employees, customers, users, suppliers or other business partners. Although most of the personal data is fully transferred at the closing phase, some disclosures may also happen during the due diligence process, or at any stage between signing and closing. One must ensure, however, that the disclosure/transfer of personal data to the purchaser does not violate any privacy rules of the applicable law.
2. How can the transfer/disclosure of personal data from a target to a purchaser be dealt with under Turkish law?
Under Turkish law, the disclosure of data relating to data subjects must comply with the Turkish Data Protection Law numbered 6698, which was enacted on April 7, 2016 (“Law”). The Law introduces a definition of “personal data”, defining it as “any type of information that relates to an identified or identifiable natural person”. In this sense, personal data can only relate to natural persons.
Processing of personal data is permitted when it is based on grounds stipulated under the Law. Personal data can be processed and transferred to a third party, if:
- The data subject has provided explicit consent, or
- The processing is clearly mandated by Laws,
- For a person who is unable to express their explicit consent due to a situation of impossibility, the processing is required for the safeguarding of their or a third person’s life or physical wellbeing,
- The processing is directly related to the formation or execution of an agreement to which the data subject is a party,
- Processing is required for the data controller to satisfy their legal obligation,
- The data to be processed has been made public by the data subject,
- Processing is mandatory for the establishment, use or protection of a right,
- On the condition that it does not harm the data subject’s fundamental rights and freedoms, the processing is mandatory for the legitimate interests of the data controller.
In case of a breach of data protection rules, affected persons may claim damages and seek compensation before the courts. Furthermore, in case of unlawful processing, administrative fines may be imposed for breaching the data safety obligation and enabling unlawful data processing. Lastly, a breach of data protection rules may under certain circumstances result in criminal liability; although criminal liability does not apply to legal persons, the persons committing such a crime can be held liable.
2.1. Can explicit consent be a ground?
In light of the above, in an M&A context, it does not seem practical to rely on the consent of the data subjects. The contemplated transaction might be confidential until the closing takes place, it may be difficult to follow the consent procedure (which includes providing adequate information to the data subject before obtaining the consent), and a further risk associated with consent is that it can be withdrawn at any time. So, consent is only used in practice when very few individuals are concerned and these individuals have reason to be aware of the contemplated transaction. Lastly, consent must be explicit, freely given and based on appropriate information to be held valid.
However, in the case of a transfer of sensitive data, the data subject’s consent to the transfer will be required and the sufficient precautions determined by the Data Protection Authority must be in place.
2.2. Can legitimate interest of the data controller/target company or the purchaser/ data recipient be a ground?
Legitimate interest is regarded as a last-resort ground for data processing because it requires a balancing test when applied, and it must be ensured that the fundamental rights and liberties of the data subject are protected. In an M&A transaction, the “legitimate interest” ground can be used because it is in the legitimate interest of the purchaser to receive the relevant data in order to make an assessment/evaluation of the target company, and in the legitimate interest of the target company to provide such data to the purchaser so that a correct evaluation can be made. However, this ground still has certain limitations: the use of such data must be proportionate to the purpose, and data that is not needed for such an evaluation before closing must not be transferred. Alternatively, certain other precautions can be taken to keep personal data confidential or, if it cannot be kept confidential, such data can be transferred on a very limited basis and under conditions, and the transfer must not be excessive. In practice, it is therefore often advisable to try to wait until all or most of the conditions to closing of the transaction have been satisfied before transferring personal data based on this ground.
2.3. Can formation or execution of a contract be a ground?
Formation or execution of a contract with the data subject can be a ground when the transaction includes the transfer of, for example, contracts to which the data subject is a party and where personal data must be transferred for the contract to be performed.
Finally, even when personal data is transferred based on the above grounds, such a transfer must be strictly limited to the purpose of the data processing and it must not be excessive. For instance, while transferring employee data, some aspects of personal data must be deleted or anonymised, and the transfer must be limited to the personal data that is deemed necessary for the purchaser to make a valid and correct evaluation.
3. Risks Associated with Transfers at Closing
At closing, the purchaser will expect to receive all of the personal data related to the acquired business. Then the data subjects must be informed of the transfer. The seller should give the data subjects certain information about the transfer of their data to a third party.
4. Data Transfers Abroad
Additional steps must be taken in the case of a transfer of data outside of Turkey. Data rooms nowadays are mostly established as virtual data rooms. It is possible that the server of the online platform is based in a foreign country (with or without an adequate level of protection).
For the transfer of personal data abroad, the explicit consent of the data subject can be a legal ground, or the above-mentioned legal grounds can be used if the foreign country has sufficient safeguards to protect personal data. If the foreign country does not have such adequate safeguards, the data controller in the foreign country must undertake in writing to the Turkish Data Protection Authority to provide adequate protection through equivalent safeguards, and the approval of the Authority must be obtained. Countries that have sufficient safeguards are to be determined by the Turkish Data Protection Authority. For the time being, the safe country list has not yet been announced.
Therefore, currently, consent of the data subjects will make the transfer of data abroad lawful under Turkish law, but it may be difficult or very burdensome.
In the absence of a safe country list issued by the Turkish Data Protection Authority or of individual consent obtained from the data subjects, an M&A-related data transfer must therefore be made only after the data controller in the foreign country undertakes in writing to the Turkish Data Protection Authority to provide adequate protection through equivalent safeguards and the approval of the Authority is obtained. Planning ahead is important, as an approval, if needed, may take a long time.
5. Notification to the Data Controllers’ Registry – Post Closing
Under Turkish Law, data controllers are required to register with the Data Controllers’ Registry, a platform open to the public where data controllers provide information about themselves and record the data categories they process. The Turkish Data Protection Authority recently announced that the following are exempt from the obligation to register with the Data Controllers’ Registry:
- (i) data controllers which process personal data through non-automatic means, provided that the processing is part of a data recording system;
- (ii) public notaries;
- (iii) foundations, associations and unions which only process personal data of their own employees, members and benefactors, provided that the processing is limited to their field of operations and in line with their purposes and the relevant legislation;
- (iv) political parties;
- (v) attorneys;
- (vi) public accountants;
- (vii) sworn-in public accountants;
- (viii) customs brokers operating under the Customs Law numbered 4458 and authorized customs brokers;
- (ix) mediators; and
- (x) data controllers with fewer than 50 employees with an annual financial balance sheet of less than TRY 25.000.000.- whose field of operations is not the processing of sensitive data.
Further, companies that are obliged to register with the Data Controllers’ Registry must prepare a data inventory which includes the purposes of data processing, the data categories, the data recipients, the maximum time periods required for the purposes of processing, the data to be transferred abroad and the measures to be taken for data security.
Companies residing in Turkey must appoint a contact person responsible for liaising with the Board, whereas companies not residing in Turkey must appoint a data controller representative, which is a legal entity or a real person having Turkish citizenship, who will be in communication with the Board, answer the requests addressed to the data controller and carry out the actions related to the Data Controllers’ Registry on behalf of the data controller. All companies must prepare a data preservation and destruction policy.
In light of the above, after the closing takes place the target company may become obliged to register with the Data Controllers’ Registry or to update the information already provided to the registry (if it is already registered). Changes must be notified to the Data Controllers’ Registry within 7 days, meaning that the purchaser will have another post-closing item to deal with.
After closing, the purchaser must consider how to integrate the personal data received from the target and the target’s IT systems into its own data and systems. It is important to determine whether the privacy policies of the target and the purchaser are parallel or whether the purchaser’s is less protective than the target’s.
In addition, the purchaser is obliged to inform data subjects about the closing and the results of the transaction and about the new data processing regime, if need be, as part of the information obligation under the Law. Obtaining consents from the data subjects for the transfer of data may be considered, or the purchaser must take the necessary actions to ensure that the cross-border data transfer is legal.
Summary - Wrap Up
Prior to signing, the purchaser’s due diligence must outline all potential risks associated with the target’s privacy-related liabilities, and the relevant representations must be in place in the M&A agreements. Between signing and closing, both seller and purchaser must be careful in the disclosure of personal data and must manage the disclosure process to ensure that the transfer of data is limited to the purpose and is not excessive. Furthermore, access to the data room must be strictly limited to those persons who have a real need to know and assess the documents, and confidentiality agreements must be executed.
After closing of the transaction, the purchaser must consider diligently what steps must be taken to use the acquired data lawfully.
In case the closing does not take place and negotiations fail, the persons granted access to the data must agree to destroy all received data, including due diligence results, and personal data must receive special attention in such destruction. In practice, access to data is made available once the participant accepts the confidentiality and data protection rules before accessing the data room.
M&A transactions involve several jurisdictions, and it is essential to manage the different applicable data privacy rules in the different jurisdictions beforehand so as not to be exposed to data privacy-related risks and obligations.
Article provided by: Begüm Okumuş (Turkey)