We would like to ensure that you are still receiving content that you find useful – please confirm that you would like to continue to receive ILO newsletters.
15 May 2018
Companies regularly store information about their customers, clients, employees, investors, partners and vendors. Privacy and data security are therefore important aspects of most M&A transactions. Although the risk of non-compliance with privacy laws may result in severe negative consequences, many M&A agreements still lack adequate privacy-related representations and warranties. This update discusses the rising importance of privacy issues and how to approach them effectively.
In order to frame an appropriate set of representations and warranties, it is vital for both parties to not only understand the target's business in general, but also the privacy-related environment in which the target conducts its business (eg, nature and amount of collected personal information, storage location and applicable privacy-related legal provisions). By properly assessing privacy and data security issues during due diligence, a buyer can manage transactional risks and ensure that M&A agreements contain provisions that adequately address the target's privacy-related issues. A thoroughly conducted privacy-related due diligence should therefore cover the following:
In many cases, practitioners simply rely on standard compliance with laws and representations; but these often do not adequately address privacy issues and usually do not provide enough protection for buyers. Of course, privacy-related representations should cover compliance with privacy laws – but they should not stop there. A sophisticated set of representations and warranties should, in particular, cover the following.
Representations and warranties should comply with all laws, including applicable laws relating to privacy, data security and the processing of personal information, which includes (but is not limited to) the requirement to:
Further, representations and warranties should comply with the target's own policies, representations to consumers and employees, contracts and applicable industry standards.
Representations and warranties must also comply with future legal requirements (eg, appropriate procedures to ensure compliance with the GDPR).
Finally, they must comply with notices, consents and other information provided to data subjects regarding the processing of personal information.
Representations and warranties must implement adequate:
Representations and warranties must ensure that there is no:
Finally, representations and warranties must ensure that there are no past, pending or threatened privacy-related disputes, claims or complaints by an individual or administrative authority.
This update aims to build awareness. Sophisticated privacy-related representations and warranties in M&A agreements can indeed offer a certain level of comfort to buyers, but they are not a universal cure. Even if damages are awarded as a result of accurately drafted representations and warranties, they may not be sufficient to compensate for the type of public relations and customer relationship damage often associated with privacy failures.
For further information on this topic please contact Clemens Rainer or Paul Nimmerfall at Schoenherr Attorneys at Law by telephone (+43 1 5343 70) or email (email@example.com or firstname.lastname@example.org). The Schoenherr Attorneys at Law website can be accessed at www.schoenherr.eu.
The materials contained on this website are for general information purposes only and are subject to the disclaimer.
ILO is a premium online legal update service for major companies and law firms worldwide. In-house corporate counsel and other users of legal services, as well as law firm partners, qualify for a free subscription.