NETHERLANDS Law and Practice Contributed by: Herald Jongen, Maarten de Boorder, Samuel Garcia Nelen and Jelmer Kalisvaart, Greenberg Traurig, LLP
tors like software, AI or cybersecurity, the board may restrict access to sensitive intellectual prop- erty until later stages of the process, potentially after signing non-disclosure agreements or let- ters of intent. This ensures that proprietary tech- nology is not prematurely exposed. The management board has a fiduciary duty to act in the best interests of the company, its business and stakeholders (including its share- holders). This includes determining what level of due diligence is reasonable and appropriate while ensuring that the process does not com- promise the company’s competitive position should the M&A process be aborted. In some cases, the board may limit or structure the due diligence process to protect sensitive data (eg, source code or trade secrets) while still provid- ing enough information for bidders to make Data privacy restrictions in the Netherlands, pri- marily governed by the General Data Protection Regulation (GDPR), can limit the scope of due diligence in technology company transactions. These restrictions apply to the handling, sharing and transferring of personal data during the due diligence process. Important data privacy restrictions impacting due diligence include the following. • GDPR compliance – the GDPR, which applies across the EU and thus in the Netherlands, imposes strict requirements on how personal data is handled. Companies must ensure that personal data shared during due diligence is: (a) minimised – only data necessary for the assessment should be shared (data mini- misation principle); (b) anonymised or pseudonymised – where informed decisions. 9.2 Data Privacy
possible, personal data should be an- onymised or pseudonymised to protect the privacy of individuals, especially with respect to sensitive information like em- ployee, customer or user data; and (c) lawful – there must be a legal basis for sharing personal data, such as in the le- gitimate interests of completing the trans- action, but this must be balanced against the privacy rights of data subjects. • Due diligence limitations – in the context of technology M&A, the following restrictions often apply: (a) employee data – sharing identifiable employee information (eg, payroll or per- sonal details) is restricted unless neces- sary for assessing liabilities or integration risks; (b) customer data – access to customer databases, especially if they include sensitive information, is limited and often requires anonymisation or consent before sharing; and (c) intellectual property or source code – if source code or technology assets contain embedded personal data (eg, user data in AI training models), additional precautions may be required before disclosing these assets. • Data processing agreements (DPAs) – if personal data must be transferred during due diligence, a DPA between the selling and buying parties may be necessary to outline the terms of processing and ensure GDPR compliance. This contract would include pro- visions on security measures, data protection obligations and how the data can be used. • Cross-border data transfers – if the buyer is outside the EU, the GDPR restricts the transfer of personal data to countries that do not provide an adequate level of data protec- tion. In such cases, specific safeguards like
237 CHAMBERS.COM
Powered by FlippingBook