(Data) Privacy Behind The Corporate Veil: Avoiding Data Pitfalls In M&A - Part 2
Following on from part one of our mini-series on M&A and data protection, in this second part we explore in further detail the concepts of a personal data "controller" and "processor", how the various parties to an M&A transaction may fit into these roles, and the data protection obligations each of them must fulfil.
The concepts of a "controller" and a "processor" under data protection law are not new. They were introduced by the previous regime under the Data Protection Directive and Data Protection Act 1998, and have remained largely unchanged under the GDPR. Significantly, however, the GDPR has made key changes to the legal obligations for processors (which generally have increased in scope), introduced specific requirements in respect of how a controller must contract with a processor and significantly increased the potential fines for non-compliance with its requirements.
Understanding the distinction between the two roles from the outset of a transaction, therefore, is crucial in ensuring that each participant is clear on its role and data protection responsibilities, and that appropriate documentation has been entered into.
Controllers vs Processors – what's the difference?
In general, parties which handle personal data will fall into one of two categorisations: controllers and processors. The GDPR defines these roles as follows:
"Controller": the person which, alone or jointly with others, determines the purposes and means of the processing of personal data.
"Processor": the person which processes personal data on behalf of the controller.
"Processing" is a widely defined term under data protection law which captures the vast majority of operations performed on personal data, such as collection, recording, storage, use, and disclosure.
Most of the time it will be clear when a party is acting as a controller or a processor. However, in an M&A transaction where several parties may be involved in the processing of personal data, it is prudent to clarify and agree upon the appropriate categorisation of each party to ensure that personal data is handled lawfully and without unnecessary risk.
Additionally, while a party may be designated as a controller or processor in a contract, this will not be decisive in determining its actual status. The categorisation depends on the actual circumstances of the personal data processing and is decided as a question of fact. In practice, this distinction is often not black or white and, with business operations being dynamic, there are circumstances where parties jointly determine the "purposes and means" (resulting in joint controllership) or a recipient party processes the personal data for an independent purpose of its own (resulting in two independent controllers). This is made clear in the 2006 SWIFT case [1], in which SWIFT was determined to act as a data controller in relation to certain activities despite a contractual designation as a data processor.
Who really determines the "purposes and means"?
Put simply, a controller decides the "how" and "why" of the personal data processing. However, making such a decision will not automatically cause a party to be a controller. The level of influence a party has over the "how" and "why" of the personal data processing is key to establishing whether it acts as a controller of that personal data.
Determination of the "purpose" (or "why") of the data processing will, in almost all circumstances, make a party a controller in respect of that processing. Determination of the "means" (or "how") of the data processing can, in many cases, be delegated to a processor. For example, a processor may make decisions such as the type of hardware or software that is used to perform the processing.
Guidance [2] from the Article 29 Working Party (the advisory body on data protection established under Directive 95/46/EC) suggests that the designation of controller may arise from a party's exercise of professional judgement, or from its exercise of significant influence over how the personal data is processed.
The guidance further suggests that where a party determines certain "essential elements" of how the data is processed, that party will be a controller in respect of that processing. These "essential elements" include, for example, determining which personal data will be processed, which third parties will have access to the personal data, and how long the personal data will be retained.
When does one party actually process "on behalf of" another?
The level of discretion afforded to a party in relation to its processing activities is equally important in determining whether it acts as a processor.
A controller will typically provide instructions to a processor in relation to the purpose of the processing and in relation to the "essential elements" of the means. The processor, in turn, will usually take on certain processing activities which have been specifically delegated to it and which serve the interests of the controller.
The controller may still allow a certain degree of flexibility to the processor regarding how to best serve the controller's interests (for example, by allowing the processor to choose appropriate technical measures in relation to the security of processing of personal data).
Being classified as a processor therefore depends, to a degree, on the instructions provided by the controller in the first place. A processor which goes beyond the scope of the instructions provided by the controller and itself determines the purpose or the essential elements of the means of processing will become a controller in respect of those processing activities.
Applying the distinction to an M&A transaction
Where personal data is shared in an M&A transaction and there is a lack of clarity over whether it is shared between the parties on a controller-to-controller or a controller-to-processor basis, the parties should ask themselves the following questions:
- What level of monitoring of the data processing is carried out by one party over another?
Constant and careful supervision by a party to ensure that another complies with its specific instructions indicates that the supervising party remains in sole and complete control of the processing.
- What level of instruction has been given by the discloser to the recipient?
If the margin of manoeuvre left to the recipient is such that it can in fact determine the purpose of the processing or any essential elements of the means, the recipient is likely to be a controller rather than a processor. That said, a party may still be a processor where it acts under general instructions which focus primarily on the purpose of the processing and give limited detail on the essential elements of the means, leaving the remaining details of the means for the processor to decide.
- Is the receiving party a specialist?
In certain cases, the traditional role and professional expertise of a service provider (e.g. an accountant or a law firm) is such that it determines the essential elements of the means of processing, in addition to being subject to its own professional obligations in respect of the processing. This usually makes such a party a controller.
While classification depends on the factual context of a party's processing activity and may change on a transaction-by-transaction basis, the following table sets out a general rule of thumb for the classification of certain parties within an M&A transaction:
| Party | Classification |
|---|---|
Vendor | Controller |
Target | Controller |
Bidders | Controller |
Purchaser | Controller |
Data Room Providers | Processor |
Rating Agencies | Processor |
Auditors | Controller |
Lawyers | Controller |
Investment Banks | Controller |
Accountants | Controller |
Importantly, in M&A transactions, the fact that a party is designated as a controller is not carte blanche to process the data for its own broader purposes. Obligations of confidentiality which limit processing to the purposes of the transaction will still need to be complied with.
In the next and final part of this mini-series, we will consider the impact of data protection on the use of data rooms.
Byte-sized news
ICO starts to take action against non-registering organisations. The ICO has begun formal enforcement action against 34 organisations that have failed to register and pay the new data protection fee. The notices show the ICO's intent to fine these organisations unless they pay the fee, and those which do not could face fines ranging from £400 to £4,000 depending on the size and turnover of the organisation. Aggravating factors could result in a maximum fine of £4,350. The ICO commented that more notices were at the drafting stage and would be issued soon, showing how seriously the ICO is taking the fee process and data protection compliance.
Italy implements GDPR. Italian Legislative Decree No. 101 (the "Decree") entered into force on 19 September 2018. The Decree addresses the provisions of the GDPR that were left to the discretion of Member States, including setting the age of consent for the offer of information society services at 14. The Decree also describes the functions of the Italian Data Protection Authority (the "Garante") and how its decisions are to be guided under the Decree.
Crackdown on cookies. In a recent case, the administrator of a fan page hosted on Facebook was regarded as a joint controller, together with the social media provider Facebook, in relation to cookies. The case, which originated in Germany, shows that it is important for organisations to understand how online analytics technology works, and that using such technology for their own commercial benefit means that they are jointly responsible for compliance with data protection obligations.
With special thanks to Will Barrow, Helena Brackenridge and Kishen Vora for their contribution.
[1] Article 29 Working Party decision that SWIFT, an intermediary which facilitates the international transfer of funds between financial institutions, was a controller and not a processor when transferring banking data to US authorities for the purpose of fighting terrorism.
[2] Article 29 Working Party, Opinion 1/2010 on the concepts of "controller" and "processor" (WP 169): https://iapp.org/media/pdf/resource_center/wp169_concepts-of-controller-and-processor_02-2010.pdf