Technology M&A 2025

GREECE Law and Practice Contributed by: Stathis Orfanoudakis, Theodore Konstantakopoulos and Yolanda Antoniou-Rapti, Zepos & Yannopoulos

especially on the part of the target company. This may effectively entail limiting the extent, volume or nature of information shared with a buyer, as well as with other third parties (includ- ing auditors, consultants and virtual data room providers). Importantly, only personal data that is absolute- ly necessary should be disclosed by the target company and processed by the buyer (principle of data minimisation). Any sharing and further processing of personal data must be conducted in a manner that ensures an appropriate level of security of the personal data – including protec- tion against unauthorised or unlawful processing and against accidental loss, destruction or dam- age – by implementing appropriate technical and organisational measures (principles of integrity and confidentiality). It is critical that data subjects (eg, the target company’s employees, customers, and suppli- ers) whose personal data are to be disclosed to the buyer and other third parties during the due diligence process have been properly informed, in advance and in accordance with the GDPR standards, about such processing. In this con- text, the option of sharing anonymised or pseu- donymised data for the purposes of the due diligence should always be examined and pre- ferred, when the information purposes can still be properly served. Furthermore, data protection provisions should be included in the non-disclosure agreements executed between the parties – by virtue of which, restrictions must be imposed on the buyer in relation to the ways it can process any personal data disclosed and, in particular, in relation to the time period for which said data can be retained by the potential buyer. Moreover, additional provisions may determine the deletion

or return of the data if the transaction is aborted. These provisions should be applicable to other third parties with which the buyer may share the personal data disclosed during the due diligence process, such as external consultants. Special attention is needed in transactions where the buyer is located outside the EU/Euro- pean Economic Area (EEA); in such case, the disclosure of personal data to the buyer would constitute an international transfer of personal data. Special rules apply for such transfers, which – depending on the recipient country – may require appropriate safeguards to ensure an adequate level of protection, including: • the execution of the standard contractual clauses approved by the EC; • carrying out a transfer impact assessment (TIA); and • the adoption of supplementary technical measures. A bid is made public either when an offeror decides to proceed with a (voluntary) takeover bid or when the mandatory offer thresholds set out in 6.2 Mandatory Offer are triggered. The relevant steps are as follows: • the offeror must notify the HCMC and the target company’s board of directors in writing; and • within the following business day, the offeror must announce the takeover bid on its web- site and in the daily bulletin announcements of the Athens Stock Exchange. 10. Disclosure 10.1 Making a Bid Public

183 CHAMBERS.COM

Powered by