The handling of personal data in connection with mergers and acquisitions presents unique and complex issues at all stages of the relationship, from the due diligence and evaluation of the target’s databases, to the actual transfer of the personal data, and the integration of the purchaser and target’s data handling policies and procedures.
Different issues arise depending on the nature of the data, and the types of promises that have been made to the individual data subjects. Customers, distributors, and other outsiders are usually subject to different agreements or rules than employees, contract employees, retirees and other insiders. Each of the related policies or contracts has to be examined separately, in its context. In addition, national or foreign laws that regulate the transfer of personal data may create barriers or impose additional obstacles to the completion of the transactions.
In each case, it is important for both the purchaser and the target to ensure that the transfer of the personal data is consistent with the written commitments and representations that were made to the different categories of data subjects, and if not, that appropriate consent be obtained.
As privacy and security counsel, we assist the parties in ensuring the smooth transition and transfer of the personal data files. These activities may include, for example the performance of privacy and data protection-focused due diligence of the target company, and the review and evaluation of the target’s privacy and security policies and practices. We are also called on to evaluate the target’s compliance with applicable data privacy or security laws in order to ensure that their purchaser is aware of the potential liabilities from the seller’s deficient practices.
In cooperation with the parties’ legal and business team that effects the merger or acquisition, we draft, structure, and negotiate privacy and security focused provisions or contracts in order to complement the master purchase agreement. In connection with the closing of the deal, and as part of the transition, we work with the parties in addressing the combination of the privacy policies of two entities after an acquisition.
Examples of projects on which we have assisted purchasers or target companies include:
- Preparing a due diligence checklist in preparation for acquisition;
- Performing privacy and data protection-focused due diligence of the target company;
- Review and evaluation of the target’s privacy and security policies and practices;
- Assessment of the target’s compliance with applicable data privacy or security laws;
- Assessment of the potential liabilities from the seller’s deficient data protection practices;
- Drafting addendum to the purchase agreements, to address the unique issues raised by the ownership or transfer of personal data;
- Counseling the client business teams in preparation for the transfer of data pre-closing in order to ensure a smooth transition for the personnel;
- Drafting and structuring data transfer agreements to address the disclosure of personal data during the interim period before completion of all transfer formalities;
- Evaluating the deficiencies of the target company privacy policies and related filings, in order to bring it to compliance;
- Conducting a global survey of applicable data protection laws applicable to the transfer of employee databases in a merger.