This article is taken from GTDT Practice Guide: Germany M&A. Click here for the full guide.
As in all EU member states, German data protection law is overlaid by EU legal acts, in particular Regulation (EU) 2016/679 (GDPR). Its general principles also apply within the scope of national German data protection law. The processing of personal data is not permitted unless justified by a legal basis. All data processing must comply with the principles of purpose limitation, data minimisation, integrity and confidentiality. The data controller is subject to comprehensive accountability and documentation obligations as well as the duty to protect data subjects’ rights. Service providers must be carefully selected, monitored and bound by a processing agreement pursuant to article 28 GDPR. Data transfers to third countries outside the EU and the EEA are only permitted if appropriate safeguards as defined in Chapter V of the GDPR are in place to protect the data of the data subjects.
Overview of the applicable law
The territorial scope of application of the GDPR, in simple terms, is opened whenever either the processing entity (controller or processor) is established in the EU or its data processing relates to data subjects habitually resident in the EU.2 The GDPR covers the processing of any personal data in file systems, unless one of the exceptional cases of article 2(2) GDPR applies. The term personal data is legally defined in article 4(1) GDPR. It is not always congruent with the term PII used in US law. In particular, it also includes pseudonymous data. Only data relating to a natural person is protected, but the data subject may also be, for example, the owner of a private company.
At the national level, German data protection law is primarily regulated in the Federal Data Protection Act (BDSG), the scope of which is modelled on the GDPR. However, if there are sector-specific special regulations, these take precedence. Important examples of such special regulations are those for the area of telecommunications,3 the protection of social secrecy,4 data processing by ecclesiastical bodies5 and co-determination in companies.6
For some time, Germany has intended to pass a separate law for the area of employee data protection and such a project has also been agreed upon in the coalition agreement of the new government from 2021. Until then, however, the processing of employee data remains primarily regulated in the German Federal Data Protection Act.7 A particularly important regulation is also found in the Works Council Constitution Act for companies that are subject to co-determination.8 According to this provision, which is interpreted very broadly in practice, the works council has a right of co-determination if the employer introduces or uses technical equipment intended to monitor the behavior or performance of employees. On the other hand, the Works Council Constitution Act provides for the possibility of concluding works agreements with the works council as a separate legal basis for the processing of employee data.9
Overview of the administrative practice
It should be noted that, due to Germany’s federal structure, each federal state has its own data protection supervisory authority and has enacted state data protection laws. As a rule, the data protection laws of the federal states are only relevant for processing by public bodies.
The supervisory practice of the 17 authorities in total (including the Federal Data Protection Agency which, inter alia, is responsible for telecommunication providers) can vary greatly. As a rule, their respective competence depends on the location of the controller or processor.
A certain standardisation of administrative practice is achieved through the cooperation of the authorities in the Data Protection Conference (DSK). The DSK publishes Guidance Papers which, along with the Guidelines of the European Data Protection Board, are the most important sources regarding the legal opinions and practices of the German data protection authorities. One such guidance of particular importance is the DSK’s concept for setting fines, which stipulates, among other things, that the total group turnover rather than the controller’s turnover is to be used as a basis for determining the fine.10
However, the authorities of the federal states also publish their own guidelines and they may explicitly dissent from the prevailing opinion of the DSK. An example relevant in the context of M&A is the resolution of the DSK on asset deals, which was issued with the explicit rejection of the data protection authorities of Berlin and Saxony.11
Data protection in M&A
In the context of M&A transactions, the relevant legal issues can be divided into three categories:
- data protection law requirements for the provision of data to the prospective buyer in the context of sales negotiations (preparatory phase);
- data protection risks of the target relevant in the context of the prospective buyer’s due diligence of the target (due diligence phase); and
- data protection law limits of data processing after completion of the acquisition (post-sale boundaries). Such limits may depend on whether the transaction is a share deal, an asset deal or a transformation.12
In the sale and bidding process, the prospective buyer will require the target to disclose company data for the purposes of due diligence in a protected data room. Insofar as this data has a personal reference (ie, it is not exclusively aggregated or otherwise anonymised data), this constitutes a processing relevant under data protection law within the meaning of article 4(2) GDPR. Data subjects are typically employees, customers (ie, leads and consumers) of the target as well as employees of business partners of the target.
Controllership and responsibility
The parties involved in the data processing are regularly the prospective buyer, the target, the seller of the target (ie, its shareholders) as well as the consultants and technical service providers called in by these parties.
Regarding the relationship between the prospective buyer and the seller, in light of the ECJ’s case law, one will typically have to assume joint responsibility, so that the conclusion of an agreement pursuant to article 26 GDPR is recommended.13 With technical service providers (eg, the data room provider), a data processing agreement pursuant to article 28 GDPR must be concluded.
In both cases, the requirements of Chapter V of the GDPR must be observed in the event that transfer of personal data to a third country outside the EU or EEA takes place. In particular, if the personal data is transferred to the US, it is currently necessary to agree on the European Standard Contractual Clauses, to carry out a data transfer impact assessment and to agree on additional contractual, technical and organisational safeguards.14
No separate data processing agreement is required with external consultants if they are subject to a professional duty of confidentiality.
The disclosure of personal data to the prospective buyer requires a legal basis within the meaning of article 6 GDPR. For the processing of data of customers and other third parties, such legal basis can usually be found in the legitimate interest of the company for sale.15
As for the disclosure of the target’s employee data, the target may consider additional legal provisions. While this data processing cannot be based on the employment relationship as such,16 it may be justified based on a works agreement between the company and its works council.17 If the employee is a key employee who is privy to the negotiation process anyway, the employee’s consent can also be considered as a legal basis. Such consent needs to be voluntary, which can be assumed if a legal or economic advantage is achieved for the employee or if the employer and the employee pursue similar interests.18
As a rule, however, the disclosure of personal data to the prospective buyer needs to meet the requirement of legitimate interest. In principle, the target as well as the seller can claim a legitimate interest in disclosing personal data to the prospective buyer, provided that this data is relevant for determining the purchase price. This interest must be weighed against the interests of the data subjects and the weighing of interests must be documented.
Within this balancing of interests, it is crucial to only disclose personal data the knowledge of which is actually necessary for the prospective buyer. Such necessity depends on the respective stage of the negotiations, but also on the type of data involved and the specific intended transaction. As an example, with regard to employee data of the target, it will regularly be sufficient to limit oneself to the disclosure of aggregated reporting data and model contract documents. In contrast, there may be an overriding legitimate interest in disclosing clear data of employees if negotiations of an asset deal resulting in a transfer of business19 are at an advanced stage.
This being said, the transaction data room should always be prepared carefully. Personal data in contract documents must regularly be redacted. If it becomes necessary in the course of the process to disclose further personal data, the reasons for doing so should be documented in a supplementary written assessment of legitimate interest.
Disclosure of sensitive data within the meaning of article 9 GDPR, for example health data, data relating to religious belief or trade union membership, is only permissible with the explicit consent of the data subject.
Under the GDPR, there is still some legal uncertainty with regard to the transparency obligations of the parties involved vis-à-vis the data subjects.20 While, to the prevailing opinion, the acquirer can rely on legal exceptions,21 the information obligation applicable to the target does not contain such an exception. The approaches discussed for this are in any case associated with risks.22 Also for this reason, the seller should refrain from an avoidable disclosure of personal data in the sales process.
Due diligence phase
With due diligence, the buyer aims to obtain as accurate a picture as possible of the value of the target (ie, its assets and existing and future liabilities). Only on the basis of the due diligence can the buyer decide how to deal with the identified risks. He can assume them and deduct the costs he has calculated for establishing a legally compliant condition from his purchase offer or he may demand contractual liability guarantees from the seller instead.
Whether and which data protection risks are relevant depends, of course, on the business area and business model of the target. Typically, however, the buyer will want to check the following aspects and documents, if applicable:
- the existence and qualifications of a data protection officer and/or internal data protection coordinators, an EU representative, and an IT security officer;
- external certifications, audits, records of penetration tests;
- a documented data protection management system, in particular a data protection and information security policy;
- Records of Processing Activities within the meaning of article 30(1) and (2) GDPR, any data protection impact assessments and legitimate interest assessments;
- the technical and organisational measures taken by the company within the meaning of article 32 GDPR, and possible special legal obligations for critical infrastructure;23
- compliance risks of used facilities and their surveillance, especially the use of video surveillance;
- internal company guidelines or procedural instructions, in particular on how to deal with data security incidents and how to avoid certain legal or security risks (eg, policies on the private use of IT by employees, IAM concept, BYOD concept);
- agreements on confidentiality and data secrecy obligations with employees;
- employee onboarding and off-boarding proceedings, employee information of the company to fulfil its information obligations pursuant to article 13 GDPR, compliance of any monitoring of the behaviour or performance of employees;
- works agreements with the works council;
- policies as well as technical and organisational processes relating to the deletion of personal data;
- policies and processes for the fulfilment of data subject rights including staffing, practices, and customer authentification;
- intra-group agreements on data transfer;
- data-processing related agreements with key partners, suppliers, and providers, in particular data processing agreements pursuant to article 28 GDPR and documents on the selection and monitoring of data processors;
- documentation of third country data transfers and transfer impact assessments;
- customer-facing privacy policies or privacy notices including the company’s cookie consent management approach;
- if the target bases its data processing on consent, documentation of the consent texts used for this purpose at present and in the past, including the context of the data subject’s declaration of consent;
- data breach notifications of the company according to articles 33 and 34 GDPR; and
- pending and completed legal proceedings, including those in the areas of competition law, and labour law.
The risks that may come to light in the process can be diverse, which is why only selective further indications are possible at this point.
So far, the German data protection supervisory authorities have imposed the highest fines for the unauthorised collection of (partly sensitive) employee data,24 the failure to implement deletion periods25 and the inadequate authentication of callers to a customer hotline.26 The latter case in particular illustrates that even as a result of a single complaint to the data protection supervisory authority, deficiencies can come to light that can be considered a breach of the obligation under article 32 GDPR to have taken appropriate technical and organisational measures to protect the data of the data subjects.
As for the relevant state of the art in the context of article 32 GDPR, the data protection authorities usually refer to the recommendations of the BSI, the German Federal Office for Information Security. In particular, the BSI’s IT-Grundschutz-Compendium can provide good guidance for the protection of the prospective buyer’s data.27
Especially then, if the target company is active in B2C business, the validity of any marketing consent should always be taken into account when assessing the economic value of the customer base. It needs to be pointed out in this regard that the German data protection authorities closely follow the strict competition law case law of the German Federal Court of Justice (FCJ) when assessing the permissibility of contacting the data subject for marketing purposes. The FCJ tends to interpret the concept of advertising very broadly, while setting strict requirements for vaild consent. The prospective buyer should also be aware of the new and extensive documentation obligations with respect to consumers’ consent to telephone advertising.28
Another important question for M&A transactions is the extent to which the processing of personal data is subject to limits under data protection law after the transaction of the target has been completed.
In the case of a share deal, generally, no additional restrictions follow from the transaction. There is no change of controller and the acquisition of shares in the target is not a data processing operation as such. In exceptional cases, it may however be necessary to reassess the balancing of interests, if legitimate interest is used as legal basis for the data processing of the acquired company. Such reassessment may be necessary in particular if new risks for the data subjects are created in the course of the transaction, for example, if employee data will be reported to a parent company in an unsecure third country, such as the US, as a result of the acquisition.
The processing of personal data by the acquirer in the context of an asset deal must be considered more closely. In this respect, the DSK takes a restrictive approach. According to its Resolution of May 2019, personal data of existing customers may only be transferred and processed by the acquirer without the consent of the data subject if:
- the contractual relationship does not date back more than three years;
- outstanding claims against the customer are assigned to the acquirer in a legally permissible manner; or
- customer data from older contractual relationships are transferred to the acquirer solely for the purpose of archiving.
The transfer of the data requires that the data subject is informed and granted a sufficient period of time to exercise his or her right of objection pursuant to article 6(1)(f) GDPR.
However, sensitive personal data within the meaning of article 9 GDPR, but also data relating to the banking accounts of existing customers, in the view of the DSK may only be transferred to the acquirer on the basis of the data subject’s prior consent.
Another question is whether the acquirer can rely on consent (eg, to email advertising) given by the data subject to the target before the transaction. This is possible in principle, however a question of interpreting consent in individual cases. In practice, due to the restrictive view of German courts in competition law cases, such interpretation of the data subject’s consent cannot usually be assumed.
If the transaction is executed in the form of a transformation under the German Transformation Act, the assets of the transformed legal entity are transferred to the acquiring legal entity in the form of a statutory universal succession. According to the prevailing opinion, the acquiring legal entity is not a third party in the sense of data protection law, so that the same principles apply as in the case of a share deal.
It should be noted, however, that in its Resolution of May 2019, the DSK does not define the term asset deal in more detail, so that the principles it sets out could also be applicable to transformations or at least certain sub-forms of transformations such as a spin-off.29
Data protection issues are becoming increasingly important in M&A transactions. On the one hand, this is due to the fact that under the GDPR there is an increased risk of severe fines, especially in the light of the German data protection authorities’ administrative practice as set out in the DSK’s concept for fines.30 On the other hand, from the buyer’s point of view, data protection risks are comparatively easy to identify because the processor of personal data is subject to extensive documentation and accountability obligations under the GDPR.
In reality, no target is ever fully GDPR-compliant. Bidders and acquirers are therefore advised to very carefully assess the target’s compliance with data protection law and the possible costs of establishing a legally compliant status, and to draft their contracts with the seller accordingly. In this context, particular attention should be paid to a realistic evaluation of the customer base and the possible disadvantages of an asset deal under data protection law.