Data
The focus is often on personal data relating to employees, workers and self-employed personnel. This includes a range of personal information, including employment history, sickness absence and disputes. In addition, there may be a wealth of non-HR related personal data shared in a transaction, such as information pertaining to clients, customers and suppliers.
Where possible, data should be anonymised, pseudonymised, aggregated and/or summarised. Removing names from a detailed spreadsheet is not enough to ensure anonymisation under UK law, but it is a small step in the right direction.
Standard template agreements used for different categories of employees should be disclosed instead of individual contracts of employment (complete with original employee signatures).
Access to personal data can also be staggered on a ‘need to know’ basis in a data room.
Extreme caution should be exercised before disclosing data such as health information and trade union membership. Processing such special category data faces greater legal hurdles.
Buyers and sellers need to consider what lawful gateway they might rely on if staff information is transferred outside of the UK to parent companies, lenders and other stakeholders.
TUPE
TUPE requires employee liability information (ELI) to be provided at least 28 days before a TUPE transfer. Sellers often wait until the last minute to release the information, taking a conservative view when relying upon “compliance with a legal obligation” as the reason for supplying it. There are a couple of points to note here. First, TUPE requires the information to be provided “not less than 28 days before the relevant transfer,” so it could be provided earlier. Second, in a TUPE situation, we are increasingly seeing buyers push for the early release of employee data that is unanonymised and that goes beyond employee liability information. It is possible to do this and remain compliant with the UK GDPR where there is a “legitimate reason” for doing so. In practice, we have seen sellers agree to this where the buyer has produced evidence to support the early transfer of data, the most common reason being that the buyer needs extra time to migrate the employees onto its systems, especially payroll.
Transaction
All parties should consider data privacy requirements at every stage of a transaction: the drafting of heads of terms and confidentiality agreements, the due diligence process, the negotiation of the transactional documentation (including the disclosure letter), and finally the implementation of post-deal integration.
At the very start of the process parties should carry out a data mapping exercise and consider what lawful ground they could rely on to share the personal data in the manner proposed. This analysis can form part of an overall data protection impact assessment (and/or legitimate interests assessment), the results of which should be recorded. In certain situations, a business and asset sale for instance, the requirement to share employee liability information under TUPE provides a legal basis for processing employee data. This is a relatively narrow set of data, covering terms and conditions of employment and details of any grievance and disciplinary matters, and the buyer is usually interested in obtaining a greater sweep of information.
Sharing data
The priority is always to minimise the amount of data shared with third parties.
Notification
The parties to a transaction should review existing privacy notices to make sure they cover situations in which personal data may be shared as part of a corporate transaction. They need to decide whether a fresh notification is required regarding the use of personal data, or whether they can rely on one of the limited statutory exemptions or derogations, for instance where they can show that notification would seriously impair the objectives of processing the data.
Virtual data rooms should be sourced from reputable software and platform providers. Password protection and data encryption should be used as standard. Equivalent contractual protections should be in place between the seller on the one hand, and the buyer and data room providers on the other. This means that service contracts and non-disclosure agreements should provide express protection for personal data, including tight controls on access to personal data and on transfer outside the UK, measures for retention and disclosure, mechanisms to deal with potential data breaches, and finally a process for handling requests from staff regarding their own data.
Storage
Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which it is processed. This means that in the case of an aborted transaction (before the hunt for the next buyer begins) concerted efforts should be made to carry out the prompt and secure deletion of any personal data relating to affected individuals.
What are the risks?
In the worst-case scenario, a serious breach of the UK GDPR will lead to fines of up to £17.5m, or 4% of an undertaking’s worldwide turnover (whichever is higher). Businesses should be alive to the possibility of being held accountable under both the EU and UK regimes (depending on their processing activities). In addition, an organisation will need to factor in the risk of reputational damage and litigation in an environment where data breaches are attracting a greater level of press coverage and awareness of data privacy rights is growing.
When focusing on getting the deal done, falling foul of data protection obligations poses significant risks.