The impact of GDPR on the due diligence process in a company acquisition

This is a thesis for a professional degree at advanced level from Lund University/Department of Law; Lund University/Faculty of Law

Abstract: The commencement of the new data protection regulation, GDPR, entails increased requirements on companies when it comes to their processing of personal data. The due diligence that is carried out in connection with an M&A transaction in most cases involves some kind of processing of personal data. This gives rise to the purpose of this essay, which is to investigate whether the information management associated with a due diligence is affected by the rules in GDPR. The information management in connection with a due diligence entails processing of personal data according to GDPR, and therefore a lawful basis is required in order to process personal data in a due diligence. It is not possible to determine a lawful basis for processing of personal data in a due diligence. However, the balancing of interests in Article 6.1 f GDPR seems to be applicable depending on the circumstances of each case. In order to increase the probability that a balancing of interests results in a lawful basis, there are some actions for the controller to take. Such actions could, for example, be limitation of the amount of processed personal data, pseudonymisation and anonymisation of personal data. Actions of the above kind, and actions such as a separate data room for the HR department and detailed confidentiality agreements, could further be required to fulfil the requirements in GDPR for taking appropriate technical and organisational measures. Furthermore, a due diligence could involve a transfer of personal data from the controller to another controller. If the transfer is within the EU, the conventional rules for processing of personal data apply. However, if the transfer is made to a recipient in a third country, special rules apply. In order for a third-country transfer to be in compliance with GDPR, it has to fulfil any of the terms that are stated in chapter five of the regulation.
Article 46 GDPR prescribes, among other things, that a transfer to a third country is lawful if the transferring party and the recipient enter into an agreement which contains standard clauses adopted by the Commission or clauses drafted by the parties after authorisation by Datainspektionen. The above-mentioned term is the one that appears to be applicable for a transfer in connection with a due diligence. Additionally, GDPR requires the controller to inform the data subjects when a transfer of personal data occurs. There are, however, some exceptions to the information requirement which could be fulfilled by a provision in the privacy policy of the controller. Accordingly, it can be stated that GDPR affects the information management in a due diligence. The impact primarily appears with regard to the measures the involved parties have to take in order to be in compliance with GDPR. Because many of the provisions in GDPR are dependent on the circumstances of each case, it has, however, to some extent been hard to draw concrete conclusions.
