January 17, 2019

How can companies share diligence materials that include personal data of EU residents while complying with GDPR?

Hypothetical:  

A US-based software company is considering the sale of some portion of its business that may include personal data of EU residents (either its employees or customers or both).  For bidders to make valuations and submit bids, they need to perform diligence on what the company is selling, but the diligence may involve the disclosure of personal data protected by GDPR.

Key Considerations:

  • When do the bidders need each respective piece of information?  While some documents or data might need to be provided up front, it may be appropriate to hold others back to later stages.  This would reduce the need to require every potential bidder to sign a GDPR-compliant data transfer agreement.
  • Does the information need to be disclosed in its current form?  One way to avoid running afoul of the GDPR is to avoid disclosing personal data.  Where possible, consider redacting personal data or providing documents that do not contain personal data.
  • Do the bidders need access to personal data?  The GDPR typically requires data sharing to be accompanied by a data processing agreement (DPA).  The company should therefore consider executing a DPA with each bidder with which it shares personal data.  These agreements memorialize the bidders’ obligations, such as having in place appropriate safeguards to protect personal data, and notifying of security incidents involving that data.
  • Can the data be reviewed without leaving the EU?  If bidders (or their counsel) have EU-based offices or personnel, having them review the data in the EU might be preferable to transferring it outside the EU.  To the extent the data does need to be transferred, the company may need to have in place a GDPR-compliant mechanism for cross border data transfers (e.g., Standard Contractual Clauses, US/EU Privacy Shield, Binding Corporate Rules).  This should be addressed in the DPAs executed with bidders.
  • Has notice been provided to data subjects about the possibility that their data might be used in this way?  The GDPR’s transparency obligations require the company to provide notice to data subjects regarding how it will use and disclose their data, such as in public-facing and employee privacy policies.  As a result, the company needs to make sure that these policies provide notice that personal data collected under them could be disclosed as a part of a transaction before the sales process begins.