class="container container-header"

Data Protection In M&a What You Need To Know

04 October 2021

2 minute read

Data Protection in M&A What You Need to Know
Any context requiring or necessitating the use of personal data requires taking steps to comply with the Data Protection Act, 2019 (the Act), including where personal data is to be shared or processed within a transactional context. This is ever more likely for data protection issues to materialise, particularly where a target to the transaction is a data-heavy business. This means that transacting parties need to be aware of such potential stumbling blocks, especially in relation to individual rights of data subjects. An example of this could be seen through the issues that arose in the acquisition of WhatsApp by Facebook in October 2014. Specifically, transacting parties giving or receiving information about a target business must be alive to individuals’ personal data being exchanged, stored, or otherwise processed throughout the course of the transaction, including from the point of entering into and negotiating the initial agreements, to the signing and finally completion, as well as during post-completion integration. Where Does Data Protection Come In? Data protection compliance (including compliance with the Act as well as the GDPR if necessary) often comes in at different points during an M&A transaction, for instance: a). when entering into a non-disclosure agreement (NDA) or term sheet; b). during initial negotiations and engagement between a buyer and a seller; c). in the course of the due diligence and disclosure phases, when parties and their respective advisers will inevitably be exchanging a large amount of information on the target, on a confidential basis and subject to confidentiality agreements. Such information will almost certainly include some personal data and the parties will therefore be “processing” that data in the context of assessing the transaction; d). between signing the transaction documents and completion; e). in the context of an asset sale, where assets containing personal data such as customer details for instance, are to be transferred and continue to be processed in the normal course of business by the receiving party, including as part of any business integration; or f). after completion when facilitating integration for instance through the use of transitional services agreements, amongst other things. This is merely a depiction of how the coming into force of the Act in Kenya has affected how we do business. Data protection principles will practically apply to the entire timeline of a deal. More so, the transacting parties should pay particular attention to ensure continual compliance with those principles throughout the transaction. Other Obligations The transacting parties should also be aware to the information they hold so as to ensure that only personal data that may be necessary for the specific transaction is shared. This means that there should be solutions in place to separate transferring and non-transferring personal data to as to ensure the respective party is not in breach of any of its obligations as a data controller or processor. Likewise, principles such as the obligation to process personal data in a lawful, fair and transparent manner, and the overarching accountability principle also place a burden on the giving party to ensure that the required information is shared, with the subjects’ consent, withholding no information that may be material to the transaction under the guise of privacy. In addition, it is inevitable that every target will process some form of personal data, and in any corporate transaction, the buyer almost always inherits any unlawful data processing activities the target has been carrying out. A buyer will need to identify where any unlawful data processing has been carried out in the due diligence process to ensure that it is rectified (ideally pre-completion or if not possible then after completion has taken place). We shall look further into ensuring compliance with data protection and privacy principles in corporate transactions in the coming weeks. For more information, please contact our corporate team by emailing law@cmadvocates.com.

Related blogs & news

What you need to know about the Data Protection Act, 2019

For a long time, Kenya has lacked a comprehensive personal data protection legislation which has been quite necessary in this age of digital use and access. This has exposed citizens to the risk of their personal data being misused. ...

The Data Protection Act: A Series

The Data Protection Act, No. 24 of 2019 (the DPA) was enacted into law on 11 November 2019 through Gazette Supplement Number 181. The provisions of the DPA gives life to Article 31 (c) and (d) of the Constitution of Kenya which guarantees the right to privacy including the right of a person not to have information relating to their family or private affairs unnecessarily required or revealed and the right not to have the privacy of their communications infringed....

Data Subject - What you need to know

The Data Protection Act, No. 24 of 2019 (the DPA), introduced various concepts and principles aimed at bringing to life the right to privacy enshrined under our Constitution. ...

Data Security Today

Technology has so strongly been synced to our everyday lives and as a result, data security is both personal and a corporate consideration. Personal computer and mobile phone users are faced with concerns on the accessibility of their devices and the data contained in the same way that businesses are concerned with customer data....

Notification of Data Breach

One of the distinct changes made to the way we handle and perceive personal data relates to responding to a breach of personal data....


section separator logo

Let us take it from here.

+254 716 209673

law@cmadvocates.com

Skip to contentHomeAbout UsInsightsServicesContactAccessibility