Buying a cat in a sack: why data protection matters during M&A transactions
M&A transaction does not always mean a successful, aggressive expansion for the company. Sometimes it may also come with an additional “gift” of a hefty fine from the regulator.
One Italian company had to learn the importance of properly-conducted legal due diligence the hard way when it received a fine of EUR 1,400,000 for an entire series of GDPR infringements raising from past mergers.
The Italian company retained and used the acquired company’s customer contact details for direct marketing. Yet, it did not have (and did not “inherit” from the acquired company) valid consents to use such data. Moreover, the company failed to inform such customers that a transaction had taken place and also failed to delete inactive customers’ data.
WALLESS experts share their insights to help you avoid this fate when entering M&A transactions:
- Assess whether the target company processed personal data legally, and whether it has all required documentation, i.e., notices to data subjects, consents, etc.
- Assess what personal data will be acquired, whether it is still relevant, etc.
- Assess whether the target company had adequate technical and organizational measures in place
- Assess the level of awareness of data protection in the target
- Inform individuals (target’s clients, employees, etc.) that there is a change of data controller due to the transaction
Have this in mind to ensure that your new purchase will be a valuable asset, not a liability.
#GDPR #privacy #M&A