Legal News January 2012
Dear clients and business friends
For corporate transactions, in particular acquisitions, performing more or less comprehensive due diligence has
become standard. The context in which due diligence takes place is often characterised by time pressure and a
certain urgency. Within the shortest time, a comprehensive picture must be obtained in order to identify possible
deal breakers, as well as any facts that are relevant for establishing the acquisition price and obtaining warranties.
In this context, the fact is often overlooked that personal information must be disclosed, which is subject to
special safeguards.
In this issue of Legal News we present you with the most important principles – from the perspective of
Swiss law – as well as specific recommendations on dealing with personal information in the context of due
diligence.
Daniel Bachmann, Attorney-at-law, Partner, Legal Services
daniel.bachmann@ch.ey.com
Due Diligence and Data Protection
Marc P. Gugger, attorney-at-law, Legal Services, marc.gugger@ch.ey.com
1. Introduction
In order to be able to perform due diligence with the proper care, all necessary information of the target company must,
to the greatest extent possible, be disclosed. Here, the interest in achieving maximum transparency can often come into
conflict with the participating parties' interest in maintaining confidentiality, as well as with the Data Protection Act. It
is not unusual that personal data, i.e. information which relates to identified or identifiable natural or juristic persons,
is also disclosed in the course of due diligence. In light of advances in technology, such information is also increasingly made
available electronically and across borders, which demands heightened awareness. The legal boundaries have been established
in the Federal Act on Data Protection (DPA). Similar provisions also apply in the EU, as well as – to a more or less developed
degree – in many other countries.
2. Data protection
The definitions the law applies to the concepts of personal data and the processing of such data, as well as the scope
of application of the DPA are extremely broad. Because information is disclosed in the course of due diligence that in
particular relates to relationships with suppliers, customers and employees, it is not uncommon that personal data and,
particularly from employment relationships, even sensitive personal data (such as health-related data, as
well as information pertaining to a person's religious, ideological or union-related beliefs or activities) or personality
profiles (e.g. curriculum vitae or medical history) is disclosed and thus processed within the meaning of the DPA.
3. Breach of Data Protection
Because of the broad scope of the DPA and the urgency with which due diligence is conducted, there is an increased risk of
committing a breach of data protection provisions. Particularly delicate in this context is the processing of personal data
deemed to be sensitive, since any disclosure of such information already constitutes a breach. In addition, any persons affected
by such disclosure must be specially informed that their data is to be processed. Even with regard to non-sensitive personal
data, the collection of personal data and in particular the purpose of its processing must be evident to the data subject.
However, the secrecy with which due diligence is conducted often precludes such collection and processing from being evident
to the data subject, since disclosure to him or her is diametrically opposed to the confidentiality interests of the contracting
parties. Other possible duties to provide information must be observed in the event of any cross-border transfer of data, albeit
here, where applicable, directly vis-à-vis the Federal Data Protection and Information Commissioner (FDPIC). Transferring data
abroad constitutes a breach and will need, under certain circumstances, to be notified wherever the target country is lacking
data protection comparable to that in Switzerland. This is less the case when transferring data to European countries than
it is to third countries such as the USA. However, by taking certain precautions, any potential breach of data protection may,
under certain circumstances, be justified and may thus ultimately be considered legal.
4. Justification
In particular, the preponderant private interest in disclosing personal information could be construed as a justification for
a potential breach of data protection laws in the context of performing due diligence. The corresponding legal basis is contained
in the analogous application of Art. 13 para 2 lit. a and c DPA, which allows for the possibility of a preponderant
interest of the person processing the data (seller or purchaser), where such personal data is processed in direct relation to the
conclusion or execution of a contract (sale and purchase agreement), and is required for the conclusion or execution of said contract.
However, one should not assume that this argument gives one carte blanche for the comprehensive disclosure and processing of
all personal data at any time in the context of due diligence. Any justification and thus the preponderant interest in the disclosure
of information must be weighed, in terms of its proportionality, against the interest of the DPA in protecting privacy.
5. Balancing of interests
Only on the basis of a holistic and case-by-case analysis giving due consideration to the type and nature of the data is
it possible for the interests of all the parties concerned to be weighed up against one another. The protection of data does
not provide any abstract boundaries, which, once crossed, would constitute a breach. The more preponderant and urgent the needs
of the data recipient are, in obtaining such information, and the less the affected data is of a personal nature, the easier
it will be to disclose information.
To the extent corresponding protective measures can be taken, these should thus be mandatorily implemented within the limits
of proportionality.
6. Summary / Recommendation
In sum, the DPA certainly does not prevent M&A transactions, although it does require that the necessary precautions be
taken and implemented in the context of due diligence. The following considerations should thus be part of any balancing of
interests:
- As a rule, personal data must, wherever possible, be anonymised in order to exclude any application of the Data Protection
Act.
- From the outset, a distinction must always be drawn with regard to the data to be disclosed, based on its nature and
sensitivity, so as to be able to provide special protection where necessary.
- Sensitive data or personality profiles should only be disclosed in exceptional cases. Otherwise, special duties to provide
information vis-à-vis the data subject must in particular be observed and where possible, the consent of the data subject is
to be obtained.
- The circle of people to whom personal information is disclosed, or who are entrusted with processing it, must be limited
to the absolute minimum.
- Where data is to be transferred abroad, the parties must provide specific data protection and confidentiality undertakings
that they will in particular comply with the Swiss Act on Data Protection, so as to ensure an adequate level of privacy
protection. In some cases, it may even be worth considering a notification to the FDPIC.
- In particular when dealing with international transactions, the due diligence report should contain as little (sensitive)
personal data as possible, so as to prevent any serious exposure if the report is sent abroad. The ideal scenario is where
all persons processing such data are located in Switzerland. For example, a special team of advisers could be mandated to
process any personal data in Switzerland, and then reproduce such data only to the extent effectively necessary in the
report.
- Any processing of data must be protected against unauthorized processing by adequate technical and organizational
measures. Those involved in such processing are required to ensure the confidentiality, accessibility and integrity of
the data. In this context, particular attention must be paid to ensuring that the due diligence report does not end up in
the wrong hands or that its contents are manipulated.
- Finally, all persons processing the data as well as all third-party recipients must at least be informed that they must
return or destroy any personal data as soon as it is no longer required.
Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 152,000 people are united by our
shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider
communities achieve their potential.
Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited (EYG), each of which is a separate legal entity. EYG,
a UK company limited by guarantee, does not provide services to clients.
In Switzerland, Ernst & Young Ltd is a leading audit and advisory company with about 2,000 employees at 10 locations,
also offering services in the areas of tax and legal, as well as in transactions and accounting.
Note: The Legal News provides an overview of new legal developments. The content does not represent any legal advice.