Turkey: Data Protection Matters in M&A Transactions
Introduction
Privacy issues in mergers and acquisitions now command the attention of transaction parties.
Privacy risks and issues in mergers and acquisitions used to be overlooked or underestimated. Nowadays, however, conducting adequate due diligence on privacy issues, mitigating risks associated with a target’s privacy-related liabilities, and requesting privacy-related representations and warranties are common in merger and acquisition transactions.
The other important issue is how the target company can disclose the required data, which includes personal data, to the purchaser (and the purchaser’s advisors), the risk associated with such a transfer, and how the purchaser will use such data upon closing.
Lastly, purchasers nowadays have to consider further post-closing data protection items, depending on the jurisdiction in which the transaction takes place.
This document reviews data protection issues in the different phases of the transaction, how the parties must plan data transfers during the transaction, and how they can prepare for privacy-related post-closing issues.
Data Protection Issues in M&As
1. Transferring/ Disclosing Personal Data to Purchaser
Merger and acquisition transactions involve the disclosure or transfer of personal data from the target company to a purchaser. The data being transferred generally relates to employees, customers, users, suppliers or other business partners. Although most of the personal data is fully transferred at the closing phase, some disclosures may also happen during the due diligence process, or at any stage between signing and closing. One must ensure that the disclosure or transfer of personal data to the purchaser does not violate any privacy rules of the applicable law.
2. How can the transfer/disclosure of personal data from the target to a purchaser be dealt with under Turkish law?
Under Turkish law, the disclosure of data relating to data subjects must comply with Turkish Data Protection Law numbered 6698 which was enacted on April 7, 2016 (“Law”). The Law introduces a definition of “personal data”, defining it as “any type of information that relates to an identified or identifiable natural person”. In this sense, personal data can only relate to natural persons.
Processing of personal data is permitted when it is based on grounds stipulated under the Law. Personal data can be processed and transferred to a third party, if:
- The data subject has provided explicit consent, or
- The processing is clearly mandated by Laws,
- For a person who is unable to express their explicit consent due to a situation of impossibility, the processing is required for the safeguarding of their or a third person’s life or physical wellbeing,
- The processing is directly related to the formation or execution of an agreement to which the data subject is a party,
- Processing is required for the data controller to satisfy their legal obligation,
- The data to be processed has been made public by the data subject,
- Processing is mandatory for the establishment, use or protection of a right,
- On the condition that it does not harm the data subject’s fundamental rights and freedoms, the processing is mandatory for the legitimate interests of the data controller.
In case of a breach of data protection rules, affected persons may claim damages and seek compensation before the courts. Furthermore, in case of unlawful processing, administrative fines may be imposed for breaching the data safety obligation and enabling unlawful data processing. Lastly, a breach of data protection rules may under certain circumstances result in criminal liability; although criminal liability does not apply to legal persons, the persons committing such a crime can be held liable.
2.1. Can explicit consent be a ground?
In light of the above, in an M&A context, it does not seem practical to rely on the consent of the data subjects. The contemplated transaction might be confidential until the closing takes place, and it may be difficult to follow the consent procedure (which includes providing adequate information to the data subject before obtaining the consent). A further risk associated with consent is that it can be withdrawn at any time. So, consent is only used in practice when very few individuals are concerned and these individuals have reason to be aware of the contemplated transaction. Lastly, consent must be explicit, freely given and based on appropriate information to be held valid.
However, in the case of a transfer of sensitive data, the data subject’s consent to the transfer will be required, and the sufficient precautions determined by the Data Protection Authority must be in place.
2.2. Can legitimate interest of the data controller/target company or the purchaser/ data recipient be a ground?
Legitimate interest is regarded as a last-resort ground for data processing because it requires a balancing test when applied, and it must be ensured that the fundamental rights and liberties of the data subject are protected. In an M&A transaction, the “legitimate interest” ground can be used because it is in the legitimate interest of the purchaser to receive the relevant data in order to assess and evaluate the target company, and in the legitimate interest of the target company to provide such data to the purchaser so that a correct evaluation can be made. However, such a ground still has certain limitations: the use of such data must be proportionate to the purpose, and data that is not needed for such an evaluation before closing must not be transferred. Alternatively, certain other precautions can be taken to keep personal data confidential or, if it cannot be kept confidential, such data can be transferred in a very limited manner and under conditions, and the transfer must not be excessive. In practice, it is therefore often advisable to wait until all or most of the conditions to closing of the transaction have been satisfied before transferring personal data based on this ground.
2.3. Can formation or execution of a contract be a ground?
Formation or execution of a contract with the data subject can be a ground when the transaction includes the transfer of, for instance, contracts to which the data subject is a party and where personal data must be transferred for the contract to be performed.
Finally, even when personal data is transferred based on the above grounds, such a transfer must be strictly limited to the purpose of the data processing and must not be excessive. For instance, when transferring employee data, some aspects of the personal data must be deleted or anonymised, and the transfer must be limited to the personal data that is necessary for the purchaser to make a valid and correct evaluation.
3. Risks Associated with Transfers at Closing
At closing, the purchaser will expect to receive all of the personal data related to the acquired business. Then the data subjects must be informed of the transfer. The seller should give the data subjects certain information about the transfer of their data to a third party.
4. Data Transfers Abroad
Additional steps must be taken in the case of a transfer of data outside of Turkey. Data rooms nowadays are mostly established as virtual data rooms. It is possible that the server of the online platform is based in a foreign country (with or without an adequate level of protection).
For a transfer of personal data abroad, the explicit consent of the data subject can be a legal ground. Alternatively, the above-mentioned legal grounds can be used if the foreign country has sufficient safeguards to protect personal data; if it does not have such adequate safeguards, the data controller in the foreign country must undertake in writing to the Turkish Data Protection Authority to provide adequate protection with equivalent safeguards, and the approval of the Authority must be obtained. Countries that have sufficient safeguards are to be determined by the Turkish Data Protection Authority. For the time being, the safe country list has not yet been announced.
Therefore, currently, consent of the data subjects will make the transfer of data abroad lawful under Turkish law, but it may be difficult or very burdensome.
In the absence of a safe country list issued by the Turkish Data Protection Authority or individual consent obtained from the data subjects, an M&A-related data transfer must therefore be made only after the data controller in the foreign country undertakes in writing to the Turkish Data Protection Authority to provide adequate protection with equivalent safeguards and the approval of the Authority is obtained. Planning ahead is important, as an approval, if needed, may take a long time.
5. Notification to the Data Controllers’ Registry – Post Closing
Under Turkish law, data controllers are required to register with the Data Controllers’ Registry, a publicly accessible platform where data controllers provide information about themselves and record the data categories they process. The Turkish Data Protection Authority recently announced that the following are exempt from the obligation to register with the Data Controllers’ Registry:
- (i) data controllers which process personal data through non-automatic means, provided that the processing is part of a data recording system;
- (ii) public notaries;
- (iii) foundations, associations and unions which only process personal data of their own employees, members and benefactors, provided that the processing is limited to their field of operations and in line with their purposes and the relevant legislation;
- (iv) political parties;
- (v) attorneys;
- (vi) public accountants;
- (vii) sworn-in public accountants;
- (viii) customs brokers operating under the Customs Law numbered 4458 and authorized customs brokers;
- (ix) mediators; and
- (x) data controllers with less than 50 employees and an annual financial balance sheet of less than TRY 25.000.000.-, whose field of operations is not the processing of sensitive data.
Further, companies that are obliged to register with the Data Controllers’ Registry must prepare a data inventory which includes the purposes of data processing, the data categories, the data recipients, the maximum time periods required for the purposes of processing, the data to be transferred abroad and the measures to be taken for data security.
Companies residing in Turkey must appoint a contact person responsible for liaising with the Board, whereas companies not residing in Turkey must appoint a data controller representative, which is a legal entity or a real person having Turkish citizenship, who will communicate with the Board, answer the requests addressed to the data controller and handle matters related to the Data Controllers’ Registry on behalf of the data controller. All companies must prepare a data preservation and destruction policy.
In light of the above, after the closing takes place the target company may become obliged to register with the Data Controllers’ Registry or to update the information already provided to the registry (if it is already registered). Changes must be notified to the Data Controllers’ Registry within 7 days, meaning that the purchaser will have another post-closing item to deal with.
6. Post-Closing
After closing, the purchaser must consider how to integrate the personal data received from the target and the target’s IT systems into its own data and systems. It is important to determine whether the privacy policies of the target and the purchaser are parallel or whether the purchaser’s is less protective than the target’s.
In addition, the purchaser is obliged to inform data subjects about the closing, the results of the transaction and the new data processing regime, if need be, as part of the information obligation under the Law. Obtaining consents from the data subjects for the transfer of data may be considered, or the purchaser must take the necessary actions to ensure that the cross-border data transfer is legal.
Summary - Wrap Up
Prior to signing, the purchaser’s due diligence must outline all potential risks associated with the target’s privacy-related liabilities, and relevant representations must be in place in the M&A agreements. Between signing and closing, both seller and purchaser must be careful in the disclosure of personal data and manage the disclosure process to ensure that the transfer of data is limited to the purpose and is not excessive. Furthermore, access to the data room must be strictly limited to those persons who have a real need to know and assess the documents, and confidentiality agreements must be executed.
After closing of the transaction, the purchaser must consider diligently what steps must be taken to use the acquired data lawfully.
In case the closing does not take place and negotiations fail, the persons granted access to the data must agree to destroy all received data, including due diligence results, and personal data must receive special attention in such destruction. In practice, access to data is made available once the participant accepts the confidentiality and data protection rules before accessing the data room.
M&A transactions involve several jurisdictions, and it is essential to manage the different data privacy rules applicable in different jurisdictions beforehand so as not to be exposed to data privacy-related risks and obligations.
Article provided by: Begüm Okumuş (Turkey)
Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project
Director CPC project: Dr. Tobias Höllwarth, tobias.hoellwarth@eurocloud.org