Skip to main content

LUP Student Papers

LUND UNIVERSITY LIBRARIES

GDPR:s påverkan på due diligence-processen vid ett företagsförvärv

Wahlberg, Gustav LU (2019) JURM02 20191
Department of Law
Faculty of Law
Abstract
The commencement of the new data protection regulation, GDPR, entails increased requirements on companies when it comes to their processing of personal data. The due diligence that is carried out in connection with an M&A does in most cases contain some kind of processing of personal data. This induces the purpose of this essay, which is to investigate whether the information-management associated with a due diligence is affected by the rules in GDPR.

The information-management in connection with a due diligence implies processing of personal data according to GDPR and therefore a lawful basis is required in order to process personal data in a due diligence. It is not possible to determine a lawful basis for processing of personal data... (More)
The commencement of the new data protection regulation, GDPR, entails increased requirements on companies when it comes to their processing of personal data. The due diligence that is carried out in connection with an M&A does in most cases contain some kind of processing of personal data. This induces the purpose of this essay, which is to investigate whether the information-management associated with a due diligence is affected by the rules in GDPR.

The information-management in connection with a due diligence implies processing of personal data according to GDPR and therefore a lawful basis is required in order to process personal data in a due diligence. It is not possible to determine a lawful basis for processing of personal data in a due diligence. However, the balancing-of-interest in article 6.1 f GDPR seems to be applicable depending on the circumstances of each case. In order to increase the probability for a balancing-of-interest to result in lawful basis there is some actions for the controller to take. Such actions could for example be limitation of the amount of processed personal data, pseudonymisation and anonymisation of personal data. Actions of the above kind and actions as separate dataroom for the HR-department and detailed confidentiality agreements could further be required to fulfil the requirements in GDPR as for taking appropriate technical and organisational measures.

Furthermore, a due diligence could contain a transfer of personal data from the controller to another controller. If the transfer is within the EU the conventional rules for processing of personal data applies. However, if the transfer is made to a receiver in a third country special rules apply. In order for a third country-transfer to be in compliance with GDPR it has to fulfil any of the terms that is stated in chapter five of the regulation. Article 46 GDPR prescribes, among other things, that a transfer to a third country is lawful if the transferring part and the receiver enter into an agreement which contains standard clauses adopted by the Commission or clauses formed by the parties after authorisation by Datainspektionen. The above-mentioned term is the term that appears to be applicable for a transfer in connection with a due diligence. Additionally, GDPR requires the controller to inform the data subjects when a transfer of personal data occurs. Although, there are some exceptions to the requirement of information which could be fulfilled by a precept in the privacy policy of the controller.

Accordingly it could be stated that GDPR affects the information-management in a due diligence. The impact primarily appears with regard to the measures the involved parties have to take in order to be in compliance with GDPR. Because of the fact that many of the provisions in GDPR are dependent on the circumstances of each case it has however, to some extent, been hard to draw concrete conclusions. (Less)
Abstract (Swedish)
Ikraftträdandet av den nya dataskyddsförordningen, GDPR, medför ökade krav på företag när det kommer till företagens behandling av personuppgifter. Den due diligence som genomförs i samband med ett företagsförvärv innefattar i de allra flesta fall någon form av personuppgiftsbehandling. Vilket föranleder uppsatsens syfte som är att utreda huruvida informationshanteringen vid en due diligence påverkas av reglerna i GDPR.

Informationshanteringen vid en due diligence innebär en personuppgiftsbehandling enligt GDPR och således krävs det rättslig grund för att behandla personuppgifter i samband med en due diligence. Det är inte möjligt att fastställa en rättslig grund för personuppgiftsbehandling i samband med en due diligence. Däremot... (More)
Ikraftträdandet av den nya dataskyddsförordningen, GDPR, medför ökade krav på företag när det kommer till företagens behandling av personuppgifter. Den due diligence som genomförs i samband med ett företagsförvärv innefattar i de allra flesta fall någon form av personuppgiftsbehandling. Vilket föranleder uppsatsens syfte som är att utreda huruvida informationshanteringen vid en due diligence påverkas av reglerna i GDPR.

Informationshanteringen vid en due diligence innebär en personuppgiftsbehandling enligt GDPR och således krävs det rättslig grund för att behandla personuppgifter i samband med en due diligence. Det är inte möjligt att fastställa en rättslig grund för personuppgiftsbehandling i samband med en due diligence. Däremot förefaller intresseavvägningen i artikel 6.1 f GDPR vara tillämplig beroende på omständigheterna i varje enskilt fall. I syfte att öka sannolikheten för att en intresseavvägning leder till rättslig grund finns det åtgärder som den personuppgiftsansvarige kan vidta. Sådana åtgärder kan till exempel vara begränsning av antalet behandlade personuppgifter, pseudonymisering och anonymisering av personuppgifter. Åtgärder av ovan nämnda slag och åtgärder som till exempel ett separat datarum för HR-avdelningen och utförliga sekretessavtal kan dessutom krävas för att tillgodose kraven i GDPR vad gäller vidtagande av lämpliga tekniska och organisatoriska åtgärder.

Vidare kan det vid en due diligence bli aktuellt för den personuppgiftsansvarige att överföra personuppgifter till en annan personuppgiftsansvarig. Vid en överföring inom EU gäller de sedvanliga reglerna för personuppgiftsbehandling. I det fall att överföringen sker till en mottagare i ett tredjeland gäller istället särskilda regler. För att en överföring utanför EU ska vara förenlig med GDPR krävs att något av villkoren i förordningens kapitel fem är uppfyllt. Artikel 46 GDPR föreskriver bland annat att överföringen är lagenlig om den överförande parten och mottagaren ingår avtal som innehåller standardavtalsklausuler accepterade av EU-kommissionen alternativt egen utformade avtalsklausuler efter godkännande av Datainspektionen. Ovanstående villkor är det villkor som förefaller vara tillämpligt vid en överföring i samband med en due diligence. GDPR medför dessutom krav på att den personuppgiftsansvarige ska informera de registrerade vid en överföring av personuppgifter till annan personuppgiftsansvarig. Det finns dock undantag från informationskravet vilket skulle kunna uppfyllas genom en skrivelse i den personuppgiftsansvariges personuppgiftspolicy.

Följaktligen kan det konstateras att GDPR påverkar informationshanteringen vid en due diligence. Påverkan ger sig först och främst till känna genom att aktörerna i en due diligence behöver vidta olika åtgärder för att reglerna i GDPR ska efterlevas. På grund av att många av bestämmelserna i GDPR är beroende av omständigheterna i varje enskilt fall har det dock, i viss mån, varit svårt att dra konkreta slutsatser. (Less)
Please use this url to cite or link to this publication:
author
Wahlberg, Gustav LU
supervisor
organization
alternative title
The impact of GDPR on the due diligence-process in connection with an M&A
course
JURM02 20191
year
type
H3 - Professional qualifications (4 Years - )
subject
keywords
GDPR, Företagsförvärv, Due diligence, personuppgifter
language
Swedish
id
8977134
date added to LUP
2019-06-17 14:22:36
date last changed
2019-06-17 14:22:36
@misc{8977134,
  abstract     = {{The commencement of the new data protection regulation, GDPR, entails increased requirements on companies when it comes to their processing of personal data. The due diligence that is carried out in connection with an M&A does in most cases contain some kind of processing of personal data. This induces the purpose of this essay, which is to investigate whether the information-management associated with a due diligence is affected by the rules in GDPR. 

The information-management in connection with a due diligence implies processing of personal data according to GDPR and therefore a lawful basis is required in order to process personal data in a due diligence. It is not possible to determine a lawful basis for processing of personal data in a due diligence. However, the balancing-of-interest in article 6.1 f GDPR seems to be applicable depending on the circumstances of each case. In order to increase the probability for a balancing-of-interest to result in lawful basis there is some actions for the controller to take. Such actions could for example be limitation of the amount of processed personal data, pseudonymisation and anonymisation of personal data. Actions of the above kind and actions as separate dataroom for the HR-department and detailed confidentiality agreements could further be required to fulfil the requirements in GDPR as for taking appropriate technical and organisational measures. 

Furthermore, a due diligence could contain a transfer of personal data from the controller to another controller. If the transfer is within the EU the conventional rules for processing of personal data applies. However, if the transfer is made to a receiver in a third country special rules apply. In order for a third country-transfer to be in compliance with GDPR it has to fulfil any of the terms that is stated in chapter five of the regulation. Article 46 GDPR prescribes, among other things, that a transfer to a third country is lawful if the transferring part and the receiver enter into an agreement which contains standard clauses adopted by the Commission or clauses formed by the parties after authorisation by Datainspektionen. The above-mentioned term is the term that appears to be applicable for a transfer in connection with a due diligence. Additionally, GDPR requires the controller to inform the data subjects when a transfer of personal data occurs. Although, there are some exceptions to the requirement of information which could be fulfilled by a precept in the privacy policy of the controller. 

Accordingly it could be stated that GDPR affects the information-management in a due diligence. The impact primarily appears with regard to the measures the involved parties have to take in order to be in compliance with GDPR. Because of the fact that many of the provisions in GDPR are dependent on the circumstances of each case it has however, to some extent, been hard to draw concrete conclusions.}},
  author       = {{Wahlberg, Gustav}},
  language     = {{swe}},
  note         = {{Student Paper}},
  title        = {{GDPR:s påverkan på due diligence-processen vid ett företagsförvärv}},
  year         = {{2019}},
}