INDIA Law and Practice Contributed by: Raj Ramachandran, Varun Sriram, Krutamana Pisipati, Aadhitya Logeshen and Abheejit V, JSA
depend on factors such as the nature of the transac- tion, the industry, the size of the deal, and the degree of regulatory exposure. Typically, a data room is established to provide access to documents relating to the company’s corporate structure, contracts, statutory filings/registrations, financial facilities, intellectual property, litigation, employment, and any other material aspects. The acquirer’s advisors (legal, financial, tax, and technical) conduct a comprehensive diligence to identify risks, potential contingencies, and gaps in statutory compli- ance. Findings from this process often influence deal value, representations and warranties, conditions precedent, conditions subsequent and indemnity pro- visions (including specific indemnity matters) in the definitive documents. Robust non-disclosure agreements are executed to ensure confidentiality before any information is shared to ensure that sensitive business and confidential data are protected. 9.2 Technology Company Due Diligence Technology due diligence may cover the technology assets, licences, ownership and registration status, contracts executed for use or upon acquisition, and IT infrastructure and processes, including security proto- cols. However, in 2025, due diligence for technology M&A deals emphasises data privacy compliance and readiness to show compliance with the DPDP Act and the rules thereunder. Deal teams should: • identify all sources of personal data, data-sharing arrangements, and cross-border transfers; • examine privacy policies, consent capture mecha- nisms, breach registers, records of processing activities, and retention/deletion protocols; • evaluate contractual terms with third-party proces- sors, DPAs, and sub-processor chains for align- ment with DPDP requirements; • request any notices, complaints, or audits by the Data Protection Board or sectoral regulators; and • check for active cyber or privacy insurance cover- age and any relevant exclusions related to breach liabilities.
Additionally, under the Competition Commission of India (Combination) Regulations, 2024, the diligence must confirm whether the target company has sub- stantial business operations in India if the deal value threshold is met. 9.3 Data Privacy The DPDP Act was finalised in 2023 and has now been given effect through the DPDP Rules, which have been formally notified. Collectively, the DPDP Act and DPDP Rules establish India’s comprehensive personal data protection framework, including the legal basis for processing personal data, notice-and- consent requirements, cross-border transfer rules, breach notification obligations, the establishment and powers of the Data Protection Board, and obligations applicable to data fiduciaries, significant data fiduciar- ies, consent managers, and data processors. These obligations are subject to a phased enforce- ment timeline, with various provisions coming into effect over the next 18 months. The full details of the DPDP framework including compliance requirements, business impact on a technology company and enforcement timelines are set out under 7.1 Regula- tions Applicable to a Technology Company . The issuer is required to make a public announce- ment in a daily newspaper of wide circulation within two days of filing the draft offer document with SEBI. This announcement should disclose that the draft offer document has been filed with SEBI and invite comments. See 6.1 Stakebuilding and 6.2 Manda- tory Offer . 10.2 Prospectus Requirements See 6.12 Securities Regulator’s or Stock Exchange Process . 10.3 Producing Financial Statements An acquirer (and any persons acting in concert) is required to make financial disclosures to the share- holders and the target company in the prescribed format. 10. Disclosure 10.1 Making a Bid Public
156 CHAMBERS.COM
Powered by FlippingBook