Mergers & Acquisitions (M&A) transactions are complex processes that often involve the transfer of personal data from suppliers, customers, and employees from one company to another. Special attention is particularly required for the transfer of customer data.

1. Type of transaction

Depending on the type of transaction, different data protection implications arise.

Share Deal

In a share deal, the shares of the company (e.g. stocks in a public limited company) are sold. The buyer acquires the shares of the company and becomes the new shareholder. The ownership structure changes, but the responsibility for the data remains with the sold company. Since no data transfer to third parties occurs, data protection plays a subordinate role in this context.

Asset Deal

In an asset deal, all or parts of the company’s assets are sold, often including customer data. This transfer of personal data falls under the General Data Protection Regulation (GDPR) as well as the Liechtenstein Data Protection Act (DSG) and must therefore be carefully reviewed.

2. Legal basis for the transfer of customer data

Any processing of personal data in Liechtenstein must be in compliance with applicable law. Processing is only permissible if at least one of the conditions of Art. 6 (1) GDPR is met. In principle, the following three legal bases for the transfer of customer data come into consideration:

  • Consent of the data subjects (Art. 6 (1) (a) GDPR)

The consent must be a clear and voluntarily by the data subject and must specifically relate to the data transfer and the new data processing. A blanket consent is not sufficient. Due to the low response rate in obtaining such consent, this is often impractical.

  • Fulfillment of a contract (Art. 6 para. 1 lit. b GDPR)

A data transfer for the fulfillment of a contract is usually not applicable, as the data subject is not a party to the purchase agreement.

  • Legitimate interest (Art. 6 para. 1 lit. f GDPR)

The transfer of customer data in the context of an asset deal can be based on a legitimate interest. In this case, the interests of the company must be weighed against those of the data subjects. For example, data related to outstanding claims may be transferred under Art. 6 (1) (f) GDPR.

3. Conclusion

Corporate transactions require careful attention to data protection law, particularly regarding the transfer of customer data. Thorough planning and legal advice are essential to minimize legal risks and successfully complete the transaction.

As an independent boutique law firm specializing in business law in Liechtenstein, with a particular focus on data protection and corporate law, we support you in all phases of your corporate transaction – from the initial negotiation with the counterparty through the due diligence process to the signing of the purchase agreement (SPA).

Start with us now and contact us at office@isp.law or use our fully automated booking tool to schedule a consultation at https://www.isp.law/en/book-an-appointment/ and let us lay the foundation for your successful corporate transaction together.

We do not assume any liability for the accuracy of the legal content on this website or that the content is up-to-date, especially as these contents do not constitute legal advice and are not suitable to replace legal advice in specific cases. If you have any questions, Inmann Stelzl & Partner Attorneys at Law Partnership is always available to assist you.

Author: Christian Inmann, Markus Stelzl

You might also be interested in