This article explores the potential application of the GDPR in running a typical Irish merger or acquisition and sets out some practical guidelines on how parties to the transaction can demonstrate compliance with the GDPR requirements.

1. Data Protection Issues in Managing M&A Deals
What is Personal Data?
Personal data means any information that can be used on its own or in combination with other
information to directly or indirectly identify a specific person (the “Data Subject”). Examples of
Personal data include (but are not limited to) a person’s name, their employment ID number, their
image or online identifiers from which they can be identified (such as an IP address).
In order to process personal data one must have a lawful basis to do so. Processing includes storing,
collecting, retrieving, using, combining, erasing and destroying personal data. There are a number of
lawful bases available. The consent of the data subject is a very common lawful basis on which to rely,
although that will rarely be a practical approach in the context of organising a merger or acquisition.
The GDPR provides additional protection for ‘special categories’ of personal data, for example
personal data revealing racial or ethnic origin, trade union membership or data concerning health.
Processing of special category data is prohibited except in limited circumstances. These
circumstances include where processing is necessary for the purposes of carrying out the obligations
and exercising specific rights of the controller as employer, where there is a legal ground to do so
under EU or Member State law or whether the Data Subject explicitly consents to the processing of
his/her special category data.
Processing Personal Data in an M&A Transaction
Parties to an M&A transaction and their advisors will exchange information on a target business
directly or through a virtual data room (“VDR”).
This exchange facilitates the due diligence process and the
information disclosed is often utilised at the disclosure
stage of transaction. Typical examples of personal data
disclosed in a VDR include the following:
 Employment contracts or documents listing
employees and any additional personal details
(such as salary, medical conditions etc., driver
licence information etc.).
 Supplier contracts or customer contracts which
include individuals’ names, addresses, bank
account/credit card information and signatures in
these contracts.
 Key contact lists.
This exchange of personal data falls within the definition of
‘processing’ for GDPR purposes.
Lawful bases for processing
personal data:
 the consent of the individual
 performance of a contract
 compliance with a legal or
regulatory obligation
 necessary to protect the vital
interests of a person
 necessary for the
performance of a task carried
out in the public interest
 in the legitimate interests of
company/organisation
(except where those
interests are overridden by
the interests or rights and
freedoms of the data subject)

2. 2
Processor v Controller Roles in M&A
A ‘controller’ is a person, company, or other body which decides the purposes and means of
processing personal data. In an M&A context this is most likely to be the seller or the target entity
itself.
A ‘processor’ is a person, company or other body which processes personal data on behalf of the
controller. In the M&A context, the VDR provider is most likely a processor as they are merely hosting
data on behalf of the controller. An advisor (including a law firm or corporate finance advisor) may
also be acting as a processor to the extent that they are merely hosting or making personal data
available to the other parties. It is possible for a party to be acting separately as both a processor and
a controller depending on their role.
A party who is acting as a bidder may also be the controller of the personal data processed where
they process it for their own purposes (i.e. determining whether or not to buy the target company).
Any party which accesses a VDR containing personal data is going to be either a processor or a
controller of data and should consider their obligations under data protection law.
The Seller’s Obligations as Controller
The determination as to whether a party is a controller or a processor is ultimately one of fact. Let us
assume that in a typical transaction, the seller is the controller of the personal data which is made
available in the VDR.
This being the case, the seller will need to satisfy itself that it can meet a number of GDPR
requirements.
In the first instance, it will need to consider the transparency
obligations of the GDPR. In a typical transaction, the most
common type of personal data in the VDR will relate to the
employees of the target company. In order to share this data
with third parties via a VDR, the employees should be on notice
of the possibility that this might happen. This is commonly
addressed (for example) in an employee facing privacy
statement.
In addition to the above, the seller would need to consider
whether it can meet the requirement of having an appropriate
lawful basis for making this data available for review by third
parties (as set out above).
If the seller cannot meet the transparency requirements, or
cannot confidently rely on an appropriate lawful basis for making
the data available, there are other options open to it. For
example, steps could be taken to effectively anonymise the data
in advance of sharing. The removal of personal identifiers should
Tips for anonymising
Personal Data:
 redaction of special
category personal data
and personal data
 using sample form
contracts (instead of
disclosing each original
contract)
 compiling summaries or
aggregating information
relating to personal data
so that Data Subjects
are not identifiable

3. 3
not, for the most part, impact on a buyer’s ability to carry out due diligence on the data set. This
anonymization process also has the benefit of adhering to the general data minimisation principles
which are enshrined in the GDPR.
However, the commercial realities of a transaction may make full anonymisation difficult to achieve.
From an efficiency and cost perspective the parties may consider that anonymising a large
unstructured dataset is not achievable and the buyer may require certain due diligence information
which, even if anonymised, will potentially render the data subject identifiable (for example the salary
information about senior executives).
Even if efforts are made to remove all direct or obvious identifiers, such that individuals are not
‘identified’ in the data, the data will still amount to personal data if it is possible to link any Data
Subjects to information in the dataset. Account should be taken of all the means likely reasonably to
be used, either by the controller or by another person, to identify the Data Subject.
Security and Confidentiality
In addition to the above, the seller (as controller) will have a separate obligation to ensure that any
personal data shared is kept securely and maintained in
confidence.
It is of utmost importance to exercise caution when
appointing a party to establish and run a VDR. The VDR
provider will need to be able to secure the data and maintain
its confidentiality.
Each party who has access to the data should be bound by
confidentiality obligations, for example, a non-disclosure
agreement (“NDA”). Parties should consider explicitly
incorporating GDPR protections in the NDA. This is important
to mitigate the risk to the seller, as controller. It gives the
seller an ability to sue the recipient of the disclosed
information where a data protection breach or issue arises as
a result of acts or omissions of the buyer/recipient and
additional control over the personal data it discloses.
There are a number of other, practical ways the security and
confidentiality of the personal data in a VDR can be
maintained. For example access to the VDR should require login/password details (in the usual way)
and the ability for the seller to be able to monitor the data being accessed. A seller may also direct that
downloading and printing of information with personal data is restricted.
Post-transaction Actions
Where an acquisition of a business results in a change to the identity of the controller (this might
particularly be the case in an asset sale rather than a share sale), the new controller should take steps
post-transaction to notify the data subjects of the change.
NDA could include the
following obligations:
 comply with relevant data
protection and privacy laws
 take security measures to
guard against data
breaches and notify the
buyer if there is a data
breach
 restrict/prohibit onward
transfers and processing of
personal data outside the
EEA

4. 4
Conclusion
Awareness of data protection obligations has increased dramatically in recent years. Breaches of the
GDPR can carry significant downside for companies (including the potential for administrative fines
and regulatory investigations). All the parties to an M&A transaction, including their advisors, would
do well to be cognisant of their own obligations towards data subjects in structuring the M&A
transaction process.