BELGIUM Law and Practice Contributed by: Steven De Schrijver and Carl Dotremont, Allegiance Law
tection is limited to the form and expression of ideas. The due diligence extends beyond ownership to assess transferability, addressing key questions about the technology’s origin, development, inventors, available IP rights and compliance with obligations.

The nature of legal due diligence varies based on whether the transaction involves asset or share purchase, with special attention paid to IP and data asset transferability in technology M&A. The impact of the EU AI Act will have to be assessed during the due diligence on targets subject to the new EU AI Act. IP and privacy compliance will vary based on the risk level posed by AI, determining the specific obligations for providers and users alike.

9.3 Data Privacy

Data Protection Considerations During M&A Process

The due diligence process for technology companies typically involves the transfer of personal data from the seller to the buyer. As a result, these data-processing activities must adhere to general data protection requirements. Specifically, compliance with the GDPR necessitates a legal basis. By way of example, the release of relevant data can be justified on the grounds of legitimate interests, such as facilitating the M&A transaction. However, certain information may need to be anonymised, including employee names and sensitive personal data such as health information. Additional complexities arise when the potential buyer is located outside the EU, as international transfers of personal data require specific privacy safeguards.

If the seller has engaged a data room provider to oversee the data room, it is crucial to provide clear instructions in the data-processing agreement regarding handling a potential data breach. Furthermore, it is advisable to maintain the data room within the EEA to minimise the transfer of EU personal data to non-European Economic Area (EEA) countries.

If the seller is managing the data room internally or through a law firm, although a data processing agreement may not be required, it is essential to implement suitable technical and organisational safeguards. Moreover, implementing EU Standard Contractual Clauses or alternative transfer tools with potential buyers should be contemplated if there is a potential need to transfer data to a non-EEA country at a later stage in the transaction.

If data needs to be transferred to the USA, the EU–US Data Privacy Framework (DPF) could be relied upon, as this was approved by the EC on 10 July 2023. By doing so, the EC confirmed that personal data transferred to the USA under the DPF is adequately protected in line with the rules on international data transfers imposed by the GDPR.

Data Protection Considerations During Due Diligence of Target

In order to avoid acquiring non-compliant businesses, buyers must conduct a comprehensive evaluation of the target’s data protection compliance. Identified non-compliance can be addressed before closing or factored into risk assessments, valuations, or indemnification mechanisms. Conducting a post-closing data protection audit is suggested so as to remediate potential breaches quickly.

The due diligence process should involve requesting various documents from the seller to assess the target’s data protection compliance status, covering processing activities, relevant documents, IT and security measures, expert assessments, data breach documentation, impact assessments, IT program compliance, cybersecurity policies, legal proceedings, disputes and insurance coverage.

Non-compliance with data protection laws in a target’s data-processing activities poses significant risks for buyers, as violations of the GDPR can result in fines of up to EUR20 million or 4% of the total worldwide annual turnover. Recent high-profile data breaches underscore the risks associated with data security, exposing companies to liabilities from shareholder lawsuits, government investigations, remediation costs and reputational damage. Juniper Research predicts that the global cost of data breaches will reach USD5 trillion by 2024.
National data protection authorities – including the Belgian Data Protection Authority – have imposed substantial fines, emphasising the GDPR’s importance.

Buyers must also consider the impact of new regulations such as the EU AI Act, which introduces transparency, risk management and accountability require-
30 CHAMBERS.COM