Dealing with Data Protection Issues in M&A Transactions

After the global M&A market reached a record high in 2021, reports[1] show that 2022 is likely to be regarded as its second-best year, albeit at a slightly slower pace. In recent years, amid the global growth of data protection regulations and the M&A market, privacy and personal data protection issues have been progressively affecting M&A transactions. Both parties are under certain obligations arising from the applicable laws and face the effects and risks of the sheer volume of data transfers.

A specific assessment for each type of transaction (an asset transfer, a share transfer, or a merger) would be advisable and convenient to determine and preclude the risks that may occur relating to the processing of data in such transactions. However, ideally, both parties can manage to stay on the safe side by taking the following actions[2]:

  • maintaining a data protection resource in the organization before and after the completion,
  • performing detailed due diligence, and
  • managing risk detection and mitigation processes for each phase of the transaction.

This article focuses on the potential impacts associated with personal data protection issues on participants in an M&A transaction and critical points to navigate these issues and amplify the data value.

Purchasers' Side

The acquired data, one of the main assets of the transaction, may give buyers leverage or, conversely, cause complications and disputes; hence, buyers are advised to embrace personal data protection and carry out detailed examinations and evaluations in this regard.

From the outset, in the pre-discussion and due diligence phases, buyers often seek to procure profound knowledge about the target and its assets, as well as its financial and legal activities, to grasp it well. To maximize the value of the deal on their end, in the due diligence phase, buyers should at least examine (i) the business area of the target to address the value and usage of data, (ii) applicable privacy and data protection regulations, (iii) the use of data after the transaction, and (iv) the regulatory compliance status of the target. While assessing the compliance level of the target, it is recommended to analyze all its data protection documents, such as privacy notices and policies, procedures, data transfer agreements, records of processing activities, reports regarding the security measures taken by the target, and so on.

Based on the detailed assessment of the target, foreseeing the liabilities that might be faced after the completion phase is another critical point. Therefore, buyers should also contemplate the representations and warranties to deal with liabilities concerning data security. The acknowledgment of an agreement that covers pre- and post-completion assurances and indemnities for contingent personal data-related liabilities and risks is of great importance for a successful deal.

Furthermore, accomplishing the matters listed below would bring substantial benefits to buyers in ensuring compliance and its continuity and in avoiding the risks that might arise; thus, buyers are advised to include these in their privacy and data protection-related to-do list in such transactions.

  • Addressing the extent of the usage of data,
  • Taking the technical and administrative measures to prevent any kind of data breach while storing, processing, and especially obtaining the data and contractually binding the seller to provide such security,
  • Mapping the data flows of the target,
  • Understanding the target’s IT infrastructure,
  • Updating records of processing personal data,
  • Notification/registration before competent authorities, if necessary,
  • Informing data subjects,
  • Constituting an integration agenda that comprises the privacy-related requirements of the parties after the completion phase.

Vendors' Side

Vendors are required to provide certain information about the target to the potential buyer, sometimes even before commencing the preliminary discussions, and thereafter they form the data room that includes the required information and documents about the target for the due diligence phase. In the course of such interactions, the information shared by vendors with the potential buyer is likely to include some personal data. Therefore, vendors remain responsible for transferring personal data lawfully even if the transaction fails. It is pertinent to mention that evaluating every personal data transfer in line with the necessities of each phase and limiting the transfers to those necessities would be valuable for conducting the data transfer on a legal basis.

To amplify the value of the target, sellers are advised to demonstrate that the target has implemented the regulatory requirements for ensuring data protection compliance. This includes reviewing and updating all privacy notices, consent forms, data processing mapping documents, and third-party data protection agreements that are in place before presenting them to the buyer.

Cybersecurity matters are also highly important for sellers since any deficit in this area might affect the target’s business and thus the deal’s value. Notably, implementing a well-designed information security risk management program would be beneficial for sellers to assure buyers that the potential security risks that they may face after the completion of the transaction are under control. Advanced and comprehensive risk management programs often enable the following: (i) identifying the assets, (ii) segmenting the networks and systems to limit the potential impact of a security breach, (iii) analyzing the risks, threats, and vulnerabilities, (iv) continuously monitoring the systems to ensure security, (v) establishing response and recovery plans, and finally (vi) boosting the awareness concerning data protection and security among employees of the target.

In Türkiye

Legal grounds for processing personal data in M&A transactions

Personal Data Protection Law No. 6698 and relevant secondary legislation (“PDPL”)[3] do not specifically stipulate personal data processing activities related to M&A transactions. Yet one of the Guidelines[4] published by the Turkish Personal Data Protection Authority (“DPA”) indicates that in the event of a sale, acquisition, or change of a company’s shareholding structure, accessing personal data in a measured and secured way, for the examination phase, which will be conducted by the purchaser to have a good grasp of the target company, would be considered within the scope of the legitimate interests of the purchaser.

Alongside the interpretation of the DPA, ideally, the parties to an M&A transaction should assess the data processing conditions specified under Articles 5 and 6 of the PDPL for any data processing activity taking place in each phase of the deal by following the general principles such as accountability, data minimization, and transparency. Below are a few examples highlighting the assessments for probable processing activities that may take place in such transactions in terms of the mentioned conditions and principles:

  • Processing the customer data of the target for marketing purposes by relying on customers’ consents and opt-ins obtained by the seller might be based on the legal ground of forming and performing a contract, provided that the service or product continues to be the same as the one that is rendered by the seller,
  • Processing the employee data for employment relations after the completion phase might be based on the legal ground of fulfilling the obligations arising from the applicable laws,
  • Processing the personal data of the representatives of the seller’s current vendors might be based on the legal ground of the formation or performance of the contract,
  • Processing employees’ medical records after the completion phase would require the explicit consent of data subjects unless the processing is conducted by persons who are subject to secrecy obligations or competent public institutions and organizations, for the protection of public health, the operation of preventive medicine, medical diagnosis, treatment, and nursing services, the planning and management of health-care services, as well as their financing. (It is important to note that the condition for processing health data is subject to upcoming amendments to the PDPL.)

Data transfer issues

Since an M&A transaction naturally leads to the transfer of personal data between the parties, the norms and conditions for transferring data, stipulated in Articles 8 and 9 of the PDPL, must be followed for each data transfer. While Article 8 addresses the legal grounds for domestic data transfers, Article 9 lays out the rules for cross-border data transfers. The legal bases for processing personal data under Articles 5 and 6, as partially explained in the examples above, apply to local data transfers, and transferee parties must identify the legal basis for each transfer considering the nature of the data and the purpose of the transfer.

Another cardinal point in terms of data transfers in the negotiation phase or at any stage of the transaction is following and implementing the principle of being limited and proportional to the purpose of processing. Evaluating the extent of required data before transferring personal data would be beneficial for following the data minimization principle.

The location of the data room and cross-border data transfer issue

As a part of the due diligence process, sellers form a virtual or physical data room that holds all the necessary documents about the target, effectively transferring the data. If a data room is set up in cloud storage or in another country, personal data contained in shared documents will be regarded as having been moved overseas, and the transferring party must follow the cross-border data transfer standards.

In Türkiye, because the countries that provide adequate protection have not been determined, the existing cross-border data transfer regime necessitates either (i) obtaining approval of the DPA by signing the undertakings (similar to SCCs) published by the DPA, which requires a significant amount of time and workforce, or (ii) collecting data subjects’ consent for the transfer, which is an uncertain option since data subjects are entitled to withdraw their consent anytime. (It is important to note that the cross-border data transfer regime is subject to upcoming amendments to the PDPL.)

Technical and administrative measures

In parallel with the global data protection regulations, the PDPL holds data controllers and processors responsible for taking all appropriate technical and administrative measures to ensure data security in their processing activities. The methods and practices of implementing security measures are discussed in one of the Guidelines[5] published by the DPA to map out a route.

As each stage in an M&A transaction requires different kinds of business necessities, parties should consider taking the necessary safeguards in line with those necessities while transferring the data by forming the data room. Sharing the documents by anonymizing or pseudonymizing personal data where it is commercially feasible to do so or structuring access authorizations during the negotiation and due diligence phases exemplifies such safeguards. Besides, data separation is also critical for parties to implement adequate security measures. Ultimately, when the completion phase happens, sellers must provide the target’s datasets to the buyers, and effectively migrate the data. Unless appropriate safeguards are implemented, this may lead to certain risks, such as unlawful access, loss, or disclosure of the data. Accordingly, separating the data by limiting the access controls, identifying the location of the data, and determining solutions for dividing the datasets during the due diligence phase would be advantageous for both sides. 


Data protection issues may significantly impact the success of an M&A transaction; thus, parties should approach this matter with a high level of importance. As explained in detail above, this means assessing the target’s data protection compliance, identifying potential data breaches or security vulnerabilities, and determining the potential risks and liabilities associated with the target’s data. Failure to properly address the data protection issues in such deals might result in financial and legal penalties, crucial reputational damages, and the loss of customer trust.


