Transfer of Data in Merger and Acquisition Deals: Best Practices

August 16, 2024
Digital Personal Data Protection

By Anuradha Gandhi and Nihit Nagpal

Information and data have become the catalyst in most businesses. Most of the world’s successful businesses are data intensive and act as Data Fiduciaries to the data principal. Most of this data is personal information of the company’s stakeholders, such as customer data, employee data and vendor data, which is used for various purposes such as marketing, R&D and selling to other enterprises. In M&A deals, one of the most crucial aspects is regulatory compliance with privacy rules and protection of the customer data being transferred to another entity. The Digital Personal Data Protection Act, 2023 (DPDP Act) in India is one such legislation that underscores the importance of safeguarding personal data during corporate transactions. Rules to enforce this Act are currently awaited; the Act would replace the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (SPDI Rules). A pivotal component of this Act mandates the appointment of a Data Protection Officer (DPO) in certain scenarios.

The concept of the DPO is derived from the General Data Protection Regulation (GDPR), the premier guidelines of the European Union for ensuring the data privacy of consumers. According to these regulations, a DPO can be an employee or an external service, but must have expert knowledge of data protection laws and practices.

Legal provisions defining Data Protection Officer (DPO)

Section 2(l) of the Digital Personal Data Protection Act, 2023 defines DPO as “Data Protection Officer means an individual appointed by the Significant Data Fiduciary under clause (a) of sub-section (2) of section 10;” Section 10 of this Act mandates the appointment of a Data Protection Officer for entities meeting specific criteria, such as the volume and sensitivity of personal data processed, the risk to the rights of the data principal, and the potential impact on the sovereignty of our country. The DPO’s responsibilities include ensuring compliance with the Act, acting as a point of contact for data subjects, and liaising with regulatory authorities. The DPO plays a crucial role in monitoring data protection strategies and ensuring that data processing activities align with the legal requirements.

The provision talks about the term ‘Data Fiduciary’, which is often confused with the term ‘Data Processor’. These terms represent the people who are responsible for data being acquired from the ‘Data Principal’. The Data Fiduciary is responsible for compliance with data processing regulations and for defining the purpose and processing of this data. The Data Processor is the person who processes data on behalf of the Data Fiduciary.[1] The DPDP Act also talks about the ‘Significant Data Fiduciary’: the government may notify a data fiduciary as a ‘Significant Data Fiduciary’ on the basis of its assessment of certain factors, such as the type of personal data processed, the risk to the data principal, and national/public interest.

Article 37 of the GDPR provides for the appointment of a DPO by controllers and processors. Unlike the Indian DPDP Act, the GDPR states different instances where the appointment of a DPO is necessary, such as where a public authority carries out processing of data, other than courts acting in their judicial capacity, or where data processors under the GDPR require regular and systematic monitoring and storing of data, much like the concept of data fiduciary in the Indian legislation for data protection.[2]

Role of the DPO in M&A Transactions

M&A transactions involve the transfer of vast amounts of data, including sensitive personal information. This process poses significant risks if not managed correctly, potentially leading to data breaches, regulatory fines, and reputational damage. The transfer of assets in an M&A transaction mostly takes place on the basis of a term sheet that is proposed at the start of the transaction, after which due diligence of the entities takes place. At this stage the DPO’s role becomes indispensable, providing oversight and ensuring that the data transfer complies with the DPDP Act. Some of the key roles of the DPO are:

  1. Pre-Transaction Due Diligence: The DPO must conduct thorough due diligence to assess the data protection practices of the target company as well as the targeting company. This includes evaluating data collection, storage, processing, and sharing practices. Identifying potential data protection risks and liabilities, including those relating to sensitive data, early in the process helps in making informed decisions and negotiating appropriate safeguards.
  2. Ensuring Compliance with Data Protection Principles: The DPO ensures that the transfer of data adheres to the core principles of data protection, such as purpose limitation, data minimization, storage limitation, and the consent mechanism. This involves assessing whether the data being transferred is necessary for the transaction and ensuring that it is handled in a secure and compliant manner.
  3. Data Localization: Recognizing sensitive data, and collecting and storing it in compliance with the policy of keeping sensitive data within local limits under the principle of data localization, is a key role performed by the DPO, which has been mentioned in the obligations of the DPO as stated in the GDPR.
  4. Protection against Data Breaches: Safeguarding data during transfer is paramount. The DPO is responsible for implementing appropriate technical and organizational measures to protect personal data. This includes encryption, access controls, and secure data transfer protocols to prevent unauthorized access and data breaches.
  5. Data Subject Rights: The DPO ensures that the rights of data subjects are upheld during the M&A process. This includes informing data subjects about the transfer of their data, obtaining necessary consents, and addressing any concerns or requests from data subjects regarding their personal information.
  6. Post-Transaction Integration: After the transaction, the DPO plays a vital role in integrating the data protection practices of the merged entities. This involves harmonizing data protection policies, conducting training and awareness programs, and continuously monitoring compliance with the DPDP Act.

Author’s Note

Recently, in one of the biggest M&A deals in the aviation sector of India, between Vistara SIA airlines and Air India, the NCLT gave its approval to the combination scheme. Soon after this approval, Vistara airlines issued a public notice in newspapers assuring that the privacy of personal data will be safeguarded throughout the merger process and beyond. This public notice is also one of the first examples of an Indian company appointing a Data Protection Officer in compliance with the new Digital Personal Data Protection Act, 2023 and, being a global company, with the GDPR guidelines. (See below)

Vistara Fly

This move has been appreciated by customers as well as other stakeholders. Vistara, being a global company, deals with the data of its flyers around the globe, making the entity a Data Fiduciary; thus, the company has appointed a Data Protection Officer for the smooth flow of the merger between the two airlines, ensuring all regulatory compliances as well as the data protection of customers.

While the DPO’s role is crucial, several challenges may arise during the M&A process. These include varying data protection standards between entities, complexities in cross-border data transfers, and integrating data protection policies while ensuring data localization. The role of the Data Protection Officer under the Digital Personal Data Protection Act, 2023, is indispensable in ensuring the safe transfer of data during M&A deals. As the regulatory landscape continues to evolve, the importance of robust data protection practices, guided by skilled DPOs, will only continue to grow.

Lakshit Rajdev, Intern at S.S. Rana & Co. has assisted in the research of this article.

[1] “Data Controllers as Data Fiduciaries: Theory, Definitions & Burdens of Proof.” 95 U. Colo. L. Rev. 175 (2024).

[2] Cliza, Marta-Claudia, and Laura-Cristiana Spataru-Negura. “The General Data Protection Regulation: what does the public authorities and bodies need to know and to do? The rise of the data protection officer.” Juridical Tribune Journal = Tribuna Juridica 8.2 (2018): 489-501.
