In recent years, innovative Hungarian companies have increasingly attracted foreign professional and financial investors who seek their state-of-the-art products and services.
As investors increasingly focus due diligence on a target’s regulatory compliance, and, for innovative companies, increasingly on data protection and IT security, practical data protection compliance gaps become evident. Their evolution since the General Data Protection Regulation (GDPR) came into application, and their potential impact on M&A transactions, give rise to practical considerations.
Technology companies were perhaps more focused on the need to achieve substantive, rather than merely formalistic, compliance with privacy laws. Yet due diligence often reveals fundamental weaknesses in the privacy documentation even of tech sector companies. The reasons can be traced back both to a lack of data privacy-focused compliance resources and to the incredibly rapid growth of these companies.
Hungarian enforcement of the GDPR also seems to have played a role in the relative levels of compliance achieved to date. The level of data protection fines imposed by the Hungarian supervisory authority in recent years is nowhere near the level of fines imposed by authorities in other EU countries. In Hungary, the highest fine imposed to date was HUF 100 million, while fines of up to hundreds of millions of euros are not uncommon elsewhere in the EU. Although the Hungarian supervisory authority is keen to use fines as a tool to motivate compliance, the level of fines to date seems not to have encouraged small and medium-sized companies to invest more in GDPR compliance. Because a significant proportion of the authority’s proceedings are initiated based on complaints from data subjects, legal compliance is often limited to preparing privacy notices. Yet often, for instance, the business procedures for responding to data subjects’ requests or to data breaches are not well established, giving rise to exposure to yet more data subject claims.
In addition to planning, designing, and operating data protection compliant business processes, it is important that data controllers also comply with specific obligations under data protection legislation. A key element of that compliance – which is one of the starting points for legal due diligence – is the record of data processing activities. One of the important new features of the GDPR is that supervisory authorities no longer record data processing activities – rather, the data controllers and processors themselves are required to do so. In many cases, even in companies with a relatively mature data protection regime, this type of record-keeping is either missing or does not meet legislative requirements. In addition to being obviously noncompliant with the law, the absence of a register makes a company’s data management practice non-transparent and, therefore, more difficult for a potential buyer to assess.
Stating an appropriate legal basis for data processing activities, and complying with the administrative burden of the chosen legal basis, also seems to pose a considerable substantive challenge for companies. Consent is often the chosen legal basis for data processing, yet it is inappropriate in many instances, such as in employment relationships, where it is not a permitted legal basis because of the hierarchical relationship between the parties. In the case of direct marketing, companies often refrain from asking their customers for consent, fearing that doing so would significantly reduce the effectiveness of their marketing campaigns. Inadequate processes for recording consents and consent withdrawals also create significant compliance exposure, as those processes are essential to meeting the data controller’s accountability requirements. In the case of legitimate interest, a recurring problem is the absence of the interest balancing test, which, under current administrative practice, automatically renders the processing unlawful, regardless of whether a legitimate interest actually exists.
Establishing internal processes alongside appropriate policies and regulations will greatly enhance legal compliance and meet the accountability requirement mentioned above. Regular data protection training for employees and business partners is an integral part of achieving a process that is legally compliant in practice.
Data protection compliance can make a transaction significantly smoother, resulting in fewer closing conditions and reducing the risks associated with reps and warranties and indemnifications, which will be reflected in the pricing of the transaction.
By Csaba Vari, Head of IP/Tech Practice Group, Baker McKenzie