This post is also available in: Español

Can personal data be processed in mergers and acquisitions of companies?

In a merger, as well as in other structural changes and in transactions involving the transfer of a line of business or branch of activity, the communication of personal data between the entities involved is inevitable. For example, in a takeover merger, the absorbing company will process the data that was previously processed by the absorbed company. What is the legal basis that covers the communication of personal data to the new controller?

Before the General Data Protection Regulation (“GDPR”), data communications within the framework of structural changes were covered by article 19 of Royal Decree 1720/2007, of December 21, approving the regulation implementing the former Spanish Data Protection Act. Under that article, a change in the controller of the file as a result of a structural change did not constitute a data transfer, without prejudice to the information obligations established in the Spanish Data Protection Act.

However, the GDPR does not establish any exception for this specific case. Article 19 of the new Spanish Data Protection Act introduced a specific provision under which the legality of “the data processing, including the prior communication of that data, that may arise from carrying out any transaction involving structural changes or the contribution or transfer of a line of business or branch of activity” is assumed, unless proven otherwise. Although the article does not indicate the legal basis on which such legality is based, the preliminary recitals specifically refer to the data controller’s legitimate interest.

The presumption of legality established in the new Spanish Data Protection Act requires two conditions to be met:

  1. The data processing must be necessary for the successful outcome of the transaction.
  2. The data processing must guarantee, where applicable, continuity in the provision of the services.

The regulation also indicates that if the transaction is not successfully completed, the assignee of the data is required to immediately erase the data that has been assigned to it, adding that the obligation to block the data, governed in article 32 of the new Spanish Data Protection Act, will not apply.

Author: Esther Ballesteros

This post is also available in: Español



52 artículos