With the introduction of Turkish Data Protection Law No. 6698 (the KVKK) back in 2016, data privacy has become an important aspect of M&A transactions and due diligence processes. Concerned about the potential administrative fines under the law and the strict scrutiny of the Turkish Data Protection Authority (DPA), buyers started to place greater importance on the compliance of target companies’ privacy practices with the law.
It must be noted that privacy compliance in an M&A transaction is not only about the target company’s privacy practices. As part of the due diligence process, companies exchange large quantities of data, including personal information on real persons such as employees or representatives of business partners, and such exchanges have a number of privacy implications.
To Transfer or Not to Transfer
Privacy issues and proposed solutions usually differ based on the time of the transaction. The early stages of a transaction are usually the trickiest in terms of data privacy. As the parties are still in negotiations, and it is unclear whether the transaction will go through, disclosure of a large amount of personal data at this stage may be contrary to data minimization and proportionality principles. Additionally, at this stage, it is usually difficult to identify a legal basis for such transfers, other than the legitimate interests of the seller, and certain types of personal data cannot be processed based on legitimate interest. Finally, considering that parties may want to keep the negotiation phase confidential, it may not be desirable to notify the data subjects involved pursuant to the notice requirement or obtain their explicit consent where necessary for the transfers. Accordingly, companies tend to consider anonymizing personal data for transfers during the pre-signoff phase.
Anonymization of personal data during the transaction may be especially crucial for sensitive data. Processing of sensitive data is subject to strict requirements under the KVKK, and in most cases, data subjects’ (e.g., employees’) consent may be required prior to the disclosure of sensitive data. Considering the practical difficulties of obtaining consent, and the risk of that consent being withdrawn, the recommended approach in practice is to anonymize sensitive data or remove it from files shared with the prospective buyer.
Data Room Issues
M&A transactions usually involve the setting up of a data room to exchange documents and information for the due diligence process. Unless the data room provider is located in Turkey, transferring documents that contain personal data to the data room would trigger cross-border data transfer obligations.
In Turkey, the cross-border data transfer requirements have been heavily debated due to the availability of feasible mechanisms data controllers may resort to. In the current legislative framework, companies may either obtain consent or rely on undertaking letters or the BCRs approved by the DPA. The approval process may take years, and thus undertaking letters/BCRs are seen as long-term solutions. Therefore, in terms of M&A transactions, some of the disclosing parties either obtain consent from concerned data subjects or anonymize data where possible to avoid the requirements for cross-border data transfers. Others choose to adopt a risk-based approach, particularly if the personal data that needs to be shared is minimal (e.g., only the names and signatures of authorized signatories).
When and How Should I Notify?
As briefly mentioned above, fulfillment of the notice requirement is another privacy-related issue. As a rule, data controllers must notify data subjects prior to processing their personal data. On the seller’s side, the confidential nature of most M&A transactions makes it difficult to notify the data subjects whose personal data will be processed, so sellers generally ensure that potential M&A transactions are included as a potential purpose of personal data processing in the privacy notices they give to their employees.
Buyers must also comply with the notice requirement to the extent they process personal data they obtained during the transaction as a data controller, which also raises confidentiality concerns. Unlike the GDPR, the KVKK does not provide comprehensive exemptions from the notice requirement (e.g., professional secrecy or impossibility/serious impairment of the objectives of processing). Therefore, it is currently unclear how and to what extent the buyer may comply with this requirement.
Privacy compliance is elemental to M&A transactions, and companies must carefully analyze privacy risks concerning not only the target business but also the transaction process itself.
By Ilay Yilmaz, Partner, Esin Attorney Partnership