Data plays an increasingly important role in companies and requires special attention in M&A transactions. This article provides information on the extent to which data security must be considered in an M&A transaction and which pitfalls are particularly important to watch out for.

Security issues and data safety in M&A deals

In the M&A area, data protection issues have not yet arrived and have been given little attention or dealt with. However, the contracts and processes involved in the purchase of a company must include compliance with all essential aspects of data protection law. As part of the due diligence, checking whether the target company (seller) complies with and has implemented data protection regulations and whether the necessary IT security is in place is mandatory. It is, therefore, advisable to include data protection expertise early on in the context of a company purchase or sale and to accompany the entire process in terms of data protection law.

During M&A due diligence, it should be checked what data is in the company and by what law it is protected. It is the only way to assess whether there are any risks associated with the data. If personal data are available, the question arises as to whether their processing is lawful. If this is not the case, sensitive fines will be threatened. It is, therefore, advisable to request the processing directory of the target company and all other data protection-related documentation during due diligence.

If the company has data protected by copyright, it must be examined whether the target company is entitled to the comprehensive rights as the owner or whether appropriate license agreements have been concluded. And finally, the due diligence should check whether the target company has the know-how. If so, the question is whether it is protected under trade secret law. For example, if there are no appropriate confidentiality measures, there is a risk of not being able to take effective legal action against third parties who want to spy on the know-how of the target company.

When drafting the M&A purchase agreement, a distinction must be made between a share deal and an asset deal: In the case of a share deal, a stake in the target company is transferred to the buyer. Direct transmission of the data, therefore, does not take place. To secure the existence of the data, the buyer should insist on suitable guarantees in the purchase contract. A guarantee for existing intellectual property and data and data protection is particularly recommended. In the case of findings within the scope of due diligence, exemptions can also be considered.

So, as we can see, there are many valuable aspects concerning data protection during M&A transactions. They include secure collaboration, sensitive data sharing, and compliance. Therefore, today companies prefer using

Digital data room or how to stay secure with M&A data room?

The data room M&A platform meets the desire of a seller to make the necessary documents available to potential buyers for an examination as discreetly as possible and the need to make the group of participants as broad and international as possible to achieve correspondingly high sales proceeds.

When selecting a provider for the virtual data room, the following security functions should be queried:

  • Blocking of the “Print” button;
  • Functionality and security of the Q&A Section (Questions & Answers);
  • Dynamic watermark for the documents in the data room;
  • Data encryption and data center location;
  • Protection against viruses;
  • Multi-level authentication when registering participants;
  • Rights management of the participants in the virtual data room.