Welcome to Penrose Personal data in M&A
Penrose advises and assists companies and institutions in the field of personal data and data protection pursuant to Dutch law and European legislation. We draft all relevant privacy-related agreements and statements. Penrose also represents companies and institutions facing privacy audits and privacy compliance procedures. In the event of a data breach, we can provide immediate assistance with the actions that need to be taken as well as address the matter of who can potentially be held liable for the data breach. Some of the privacy-related issues that we encounter on a daily basis are outlined below.
Others also searched for:
Due diligence and personal data
As a seller of a business in the Netherlands, it is important to ensure that personal data in documents in a data room, such as customer files, client records and personnel files, are deleted, or otherwise adequately protected.
The Dutch Data Protection Authority is of the opinion that, in principle, it is not necessary to share personal data in the context of a due diligence investigation. The potential buyer should manage with aggregate data or data in an anonymous form. Occasional exceptions are allowed, whereby the basic principles enshrined in the GDPR must of course always be respected.
Even as a potential buyer, it is important that privacy is part of the due diligence investigation. This is even more important where the acquisition involves large customer databases. Also the purchase of a client data base out of bankruptcy deserves attention.
Non-disclosure agreements and personal data
Prior to a merger or acquisition, parties usually enter into a non-disclosure agreement (NDA). In a NDA, the negotiating parties agree to share information with each other under strict confidentiality, for example in the context of a due diligence investigation. A non-disclosure agreement should also extend to any personal data involved in the sales process.
Employee personal data
Mergers and acquisitions often involve employees. An acquiring party will therefore wish to conduct a due diligence investigation regarding the composition of the workforce, the employees, and their working conditions (e.g. salaries). In this context, personal data may be shared or otherwise processed. Consequently, privacy laws and regulations should be taken into account. Before sharing or otherwise processing personal data of employees or customers with a buyer, it is advisable to seek advice on how to handle the buyer’s request.
At Penrose, lawyers specialised in data protection and mergers and acquisitions are happy to work with you and answer any questions you may have. Contact details are available here.