BELGIUM Law and Practice Contributed by: Steven De Schrijver, Allegiance Law
9.2 Data Privacy Data Protection Considerations During M&A Process The due diligence process for technology com- panies typically involves the transfer of personal data from the seller to the buyer. As a result, these data-processing activities must adhere to general data protection requirements. Specifi- cally, compliance with the GDPR necessitates a legal basis. By way of example, the release of relevant data can be justified on the grounds of legitimate interests, such as facilitating the M&A transaction. However, certain information may need to be anonymised, including employ- ee names and sensitive personal data such as health information. Additional complexities arise when the poten- tial buyer is located outside the EU, as interna- tional transfers of personal data require specific privacy safeguards. If the seller has engaged a data room provider to oversee the data room, it is crucial to provide clear instructions in the data-processing agreement regarding handling a potential data breach. Furthermore, it is advis- able to maintain the data room within Europe to minimise the transfer of EU personal data to non-European Economic Area (EEA) countries. If the seller is managing the data room internally or through a law firm, although a data processing agreement may not be required, it is essential to implement suitable technical and organisational safeguards. Moreover, implementing EU Stand- ard Contractual Clauses or alternative transfer tools with potential buyers should be contem- plated if there is a potential need to transfer data to a non-EEA country at a later stage in the transaction. If data needs to be transferred to the USA, the EU–US Data Privacy Framework (DPF) could be relied upon, as this was approved by the EC on
the same information is provided to any compet- ing bidder per the Takeover Decree. Bidders are cautioned against obtaining insider dealing information and, if acquired, it must be disclosed in the prospectus. In the case of a hostile bid, the bidder typically relies on publicly available information in order to decide whether to proceed with the bid. Private M&A Due diligence in technology M&A transactions – particularly with regard to IP assets, privacy, and cybersecurity concerns – is crucial for acquiring technology companies. Emphasis is placed on analysing owned and third-party IP, IP disputes, and IT assets. The review includes a focus on IP ownership under Belgian copyright law, recognising that software protection is limited to the form and expression of ideas. The due diligence extends beyond ownership to assess transferability, addressing key questions about the technol- ogy’s origin, development, inventors, available IP rights, and compliance with obligations. The nature of legal due diligence varies based on whether the transaction involves asset or share purchase, with special attention paid to IP and data asset transferability in technology M&A. The impact of the EU AI Act will have to be assessed during the due diligence on targets subject to the new EU AI Act. IP and privacy compliance will vary based on the risk level posed by AI, deter- mining the specific obligations for providers and users alike.
32
CHAMBERS.COM
Powered by FlippingBook