Data Protection and Privacy 2025

BELGIUM Law and Practice Contributed by: Benjamin Docquir and Margo Cornette, Osborne Clarke

company. The employer may have an interest in monitoring the use of the company’s email or internet access by its employees. Several collective bargaining agreements (CBAs) must be observed as it has been concluded that they provide specific privacy protection for employees. This is the case for camera surveillance (CBA No 68 of 16 June 1998) and the electronic monitoring of the internet and emails (CBA No 81 of 26 April 2002).

In December 2024, the Act on Private Investigations entered into force. Its practical implications for employers are that they must create an internal policy to describe the circumstances and authorised methods of investigations, consult with the collective bodies, update their privacy policies and inform employees. In addition, businesses must only use external investigation suppliers that are duly licensed and abide by the new legal provisions, which tend to guarantee the respect of data protection rules in the context of private investigations. Some investigation methods and the collection of some categories of information are prohibited, sometimes with a possible exemption if the individual has given their consent.

4.4 Transfer of Personal Data in Asset Deals

In each phase of an asset deal, personal data is collected and processed, requiring compliance with the GDPR. The main points regarding the processing of personal data are summarised as follows.

Confidentiality and/or Data Processing Agreement

In the initial phase, a confidentiality agreement (non-disclosure agreement) is often signed to prevent the spread of information and keep exploratory talks secret. This agreement should include provisions on data protection.

Agreement With the Data Room Provider

An agreement must be made between the seller(s) and/or the target company and the data room manager (the processor) that complies with the GDPR, including mandatory mentions of Article 28. If the manager is outside the European Economic Area (EEA), additional restrictions on cross-border data transfer apply.

Processing Personal Data in the Due Diligence Report

Information in the data room will be analysed by the potential buyer and their advisors. Under the minimisation principle, only personal data that is strictly necessary for the specified purposes can be shared in the data room. Businesses must therefore find ways to assess whether documents should be redacted in part, and to make sure that spreadsheets and tables are obfuscated or the circulation thereof is limited to those who have an actual need to know. Lawyers must keep this information confidential, but it may be that not all other professionals are bound by the same duty. All individuals with access to the data room must commit to keeping the information confidential and not spreading it beyond the intended purpose. Participants often sign a digital confidentiality agreement before accessing the data room, which should include data processing provisions.

Clauses on the Risks of Data Processing

If due diligence reveals potential data protection risks, it is important for the buyer to obtain guarantees from the seller regarding the legality of the initial data collection and processing, and of the lawful transfer of personal data for the asset deal, including confirmation that data subjects
