Data assets in M&A transactions
Data assets are becoming increasingly important in M&A transactions. In some cases they are the main motivation for the transaction, representing the core asset – especially in tech acquisitions. But data also impact how transactions are structured. Not only because regulatory compliance has to be ensured, but also to secure the (ongoing) viability of the seller and the company sold in carve-out situations, for example.
Data are often a key component of a company’s value – especially in the technology sector – and may be the reason for entering into M&A transactions in the first place. Examples of data assets include image, video and audio databases used to train AI software and prepared specifically for this purpose. Customer, user and sales data are often equally important, as are price lists, production information, internal reports, etc., which may be trade secrets within the meaning of section 2, no. 1 German Trade Secrets Protection Act (Gesetz zum Schutz von Geschäftsgeheimissen, “GeschGehG”) protected for the benefit of the target company. Numerous other types of data also play a role, such as the target’s employee data, accounting data subject to statutory retention obligations under section 257 German Commercial Code (Handelsgesetzbuch, “HGB”) and section 147 German Fiscal Code (Abgabenordnung, “AO”), data relating to the target’s movable assets or real estate and other data necessary for the continuation of its business operation.
Although there is no ownership right to data, databases are protected by copyright and/or ancillary copyrights. It is, however, possible to protect data as know-how or trade secrets. This means that unauthorised use of data (even simple collections of data, so-called “data piles”) may establish cease-and-desist claims. When handling personal data, the legal regulations, in particular the GDPR, must be observed, as data protection violations can lead to substantial fines. It is therefore important to precisely define what data are to be acquired through the transaction and what data are (also) to remain with the seller.
This article looks at both traditional full share deals and asset deals. It does not cover joint venture scenarios or questions that arise during pre-closing, such as handling and the accessibility of data in due diligence.
Transfer of legal entity that owns the data
A share deal involves the transfer of the target, which owns the data. Generally, all of the data necessary for the current business operations and/or that the target is required to retain by law must be handed over, meaning they remain with the target. This also includes historical data (even if the retention periods have already expired).
The seller may retain data only if this is agreed in the transaction documentation and does not conflict with any legal requirements.
- For non-personal data, such retention can be stipulated in the contract, but must comply with antitrust requirements (HR data can also be relevant in connection with the competition for talent), since access to competitively relevant data can influence a company’s market power (cf. section 18(3), no. 3 Act against Restraints of Competition (Gesetz gegen Wettbewerbsbeschränkungen, “GWB”). In addition to the M&A transaction itself potentially being prohibited, conditions may also be imposed requiring the parties to refrain from exchanging certain data and transferring certain data together with ownership of the company. Restrictions may also apply under foreign trade law, for example.
- Regarding the target’s personal data, however, the seller may only retain, access and/or process data where such use is permissible under data protection law. It would be possible, for example, for the seller to process data on behalf of the target, e.g. under a transitional service agreement (i.e. an agreement on the provision of interim services post-closing, see below) or another service relationship.
Seller’s obligation to delete data, especially in carve-out scenarios
In share deals where data relating to the target are (also) stored by the seller and no special provisions are agreed in the transaction documentation, the seller may be obliged to delete that data. A fundamental distinction must be made between personal and non-personal data in this regard:
For non-personal data, if no retention rights for the seller are stipulated in the purchase agreement and no other rights of the seller to access and use the target’s data have been agreed, the following, in particular, must be considered:
- The seller may not access or use data or databases protected as trade secrets within the meaning of section 2, no. 1 GeschGehG or as IP rights of the sold company, post-closing.
- The purchaser may also require the seller to delete the protected data it holds unless it is obliged by law to retain such protected data under statutory provisions (e.g. under retention obligations pursuant to section 257 HGB and section 147 AO).
The seller is generally no longer allowed to access or process (i.e. in particular store, query, duplicate, transmit, etc.) the target’s personal data post-closing. All of the target’s personal data held by the seller that are not required, for example, for the performance of a transitional services agreement must be transferred to the sold company or deleted.
If the seller and the purchaser have entered into a transitional services agreement that includes data processing, the seller may generally process personal data required to provide the services under the transitional services agreement, but only to the extent that processing personal data is necessary for this purpose (e.g. for IT or HR services, etc.).
The following conditions apply:
- Access may only be granted to those employees of the seller who are entrusted with the provision of the relevant services under the transitional services agreement and require access in order to provide these services (need-to-know principle).
- Even where the need-to-know principle is applied, it must be ensured that wherever data regarded as sensitive under antitrust law is involved, employees with access to the data do not perform similar operational functions for the seller (for example in the case of HR data, they may not work in the recruiting department).
- From a technical standpoint, it must always be ensured that the data of the sold company is at least logically separated from the seller’s data. This is usually achieved with the help of appropriate authorisation policies. The technical and organisational measures (TOMs) normally attached to data processing create additional technical requirements in this regard.
The seller may only process further personal data if it is obliged or entitled to do so under applicable EU or national law. The sold company must generally be informed of any such legal obligation prior to the processing.
Handling data in the transaction
In the case of a share deal, if no special arrangement is made, the target’s data will remain with it. Since the seller generally can neither retain the data belonging to the company’s current business operations nor the target’s historical data, such data must be handed over together with the ownership of the target. As a result, there is a need for regulation in the following situations in particular:
Handling of the target’s data on the seller’s servers
If the target’s data are stored on the seller’s servers, the purchase agreement must include provisions on the IT carve-out:
Data not to remain with the seller
Data that are not to remain with the seller must be separated until closing and transferred to the target, subject to format specifications, if necessary (physical separation).
If physical separation cannot be implemented until closing, the data can continue to be stored in the systems if they are at least logically separated from other data. Logical separation is usually achieved with the help of appropriate authorisation policies. Failure to implement logical separation for personal data can lead to data protection violations that may carry substantial fines. As a rule, the target’s access to the data post-closing is regulated in a transitional service agreement, but can also be determined in a long-term service agreement (in each case including an agreement on the processing of personal data, where necessary).
A migration project should simultaneously be set up to implement the physical data separation by the end of the transitional services agreement at the latest. The key terms of this project and the allocation of the migration costs between the purchaser and the seller must be stipulated in a migration plan, which can become an annex to the purchase agreement or the transitional services agreement.
Data to remain with the seller
If the target’s data are to remain (exclusively) with the seller on its servers, this must be explicitly stipulated in the purchase agreement — subject to statutory regulations, as explained above. Such provisions can include, for example, the target’s time-limited access rights and special requirements for data storage at the seller (authorisation policies, need-to-know principle, etc.):
- With regard to personal data, these provisions must be limited to cases where the seller is permitted to process such personal data at the time of closing (in particular where it has a statutory retention obligation).
- If the seller requires personal data at a later point in time, but is not permitted to access it at the time of closing, the purchase agreement can oblige the purchaser to hand it over in such cases. However, the seller must initially delete such personal data.
- With regard to non-personal data, including anonymised data (i.e. the link to specific persons can only be restored with disproportionate effort and expense; such anonymisation is subject to stringent requirements), the parties are generally free to regulate the seller’s access and use of such data. However, in order to avoid as far as possible a technically complex transfer and/or deletion of data, an agreement similar to the one described above would be preferable with regard to such data, as it allows the data to remain with the seller.
Handling data on the target’s servers that are to remain with the seller
If the target’s servers still have data that are to remain with the seller, a reverse data carve-out is necessary.
This can be implemented by simply migrating the data prior to closing. In this case it would make sense for the target and the seller to conclude a data transfer agreement prior to the sale of the target granting time-limited access rights to the target, if necessary.
Alternatively, a provision to this effect can be incorporated in the purchase agreement itself, clarifying what data are not included in the transaction and will therefore be transferred to the seller ahead of closing.
Personal data, on the other hand, can only be retained by or transferred to a group company subject to statutory data protection rules and regulations (e.g. customers must consent to the transfer of their data).
Transfer of data assets
In an asset deal, the transfer of data assets must be set out in detail in the purchase agreement.
If the data represent the core asset of the transaction, the purchase agreement must contain the main provisions on physical separation (described above) and transfer of the data to the purchaser. A detailed migration project should be also set up to physically separate the data.
In an asset deal, the data relating to the transferred assets are transferred to the purchaser, but the transfer is limited to that data. In particular:
- Employee data are only to be transferred insofar as employees are taken over as part of the asset deal pursuant to section 613a German Civil Code (Bürgerliches Gesetzbuch, “BGB”) and are necessary for the continuation of the employment relationships with the purchaser.
- Accounting data are only to be transferred insofar as the purchaser is subject to statutory retention obligations under section 257 HGB and section 147 AO, e.g. when taking over customer contracts.
Under the GDPR, the transfer of personal data as part of an asset deal requires a legal basis. The legal basis for the transfer of the data of employees whose employment relationships are transferred to the purchaser pursuant to section 613a BGB is derived from section 26(1) Federal Data Protection Act (Bundesdatenschutzgesetz, “BDSG”) (performance of the employment contract). In other cases where the purchaser enters into the seller’s existing contractual relationships with a natural person, the contract also forms the basis for the data transfer (Article 6(1), letter (b) GDPR). Apart from existing contracts with the data subjects, the legitimate interests of the parties involved in the transaction can justify a data transfer except where their interests are overridden by the interests of the data subjects (Article 6(1), letter (f) GDPR). If no statutory legal basis applies, the only justification for the disclosure of personal data is the consent of the data subject (Article 6(1), letter (a) GDPR), but this is usually not feasible in practice. General prior consent given when the data was collected normally does not meet the statutory requirements, as consent must be given for the personal data to be processed for a specific purpose; in particular, it must be clear who will be processing this data.
If there is no legal basis, the personal data may not be transferred.
Seller’s obligations to delete data
When establishing whether the seller is obliged to delete data in an asset deal, a distinction must be made between personal and non-personal data.
Data relating to the transferred assets, in particular data protected as trade secrets within the meaning of section 2, no. 1 GeschGehG or as IP rights, may generally not be accessed or used unless the purchase agreement expressly stipulates otherwise.
Personal data relating to the transferred assets must almost always be deleted. The seller may only continue to store them if and to the extent this is permitted under Article 6 GDPR, in particular if there are statutory retention obligations and the seller has a legitimate interest in processing the data:
- Where employees are transferred as part of an asset deal, retention obligations and rights may arise in particular with regard to employee data, e.g. timesheets for the purpose of monitoring compliance with section 16(2) Working Hours Act (Arbeitszeitgesetz, “ArbZG”) or data relating to the termination of the employment relationship, for example for issuing references and/or relating to potential claims of employees against the seller as the former employer which are not yet statute-barred).
- The seller may also be obliged to retain accounting data under section 257 HGB and section 147 AO (e.g. company books, balance sheets, including any work instructions and organisational documents, trade and business letters, including any e-mails and correspondence with business partners, accounting records, etc.), as the shares in the company will continue to be held by the seller following the asset deal.
Handling data in the transaction
An asset deal involves transferring only the assets specifically listed in the purchase agreement. This means that – unless agreed otherwise – all data which are not listed will generally remain with the seller. If data relating to the transferred assets are to remain with the seller — where this is legally permissible — this must be regulated separately in the purchase agreement. The principles described above for share deals also apply to data that are to remain with the seller.
Particularly in cases in which non-specific data assets are transferred, where specific provision would normally be made in the purchase agreement but any data provisions are lacking, transfer of the data is, however, also subject to contract interpretation. If IP rights are transferred such an interpretation may mean, for example, that all of the data stored in connection with these rights have to be transferred to the purchaser. It is therefore necessary to specify which data are to be transferred.
Handling the data assets in the transaction documentation
Safeguarding the data assets
Contractually safeguarding data assets is a vital aspect in both share and asset deals, especially where data represent the core asset in the M&A transaction. Experience has shown that a technical and operational examination of the data and its usability is of particular importance in this respect. From a legal perspective, the following aspects are key:
- For non-personal data: usability and possible rights of use.
- For personal data: lawfulness of the data collection, usability for business operations and, if applicable, possible subsequent transferability and usability for further purposes.
In this connection, known and unknown risks must be covered by guarantees and indemnities from the purchaser’s point of view, whereas from the seller’s point of view, it is vital that the relevant data assets not expose it to incalculable risks.
Safeguarding handling of the data
In the interest of both sides, the purchase agreement must clearly indicate how the data are to be handled in a manner that reflects the interests of the parties and is geared to the specific M&A transaction. This not only raises the question of what specific data are to be transferred, i.e. how the contractual obligations of the parties are structured, but also how to ensure compliance with the relevant statutory requirements.