Technological developments and globalization in business, combined with privacy rules, bring new challenges to lawyers assisting companies in cross-border transactions. Even though technology enables us to transfer personal data very quickly and easily to the other side of the world, privacy rules make the actual transfer more complex and compel us to follow specific procedures prior to transferring any personal data.


All Nordic countries (Finland, Sweden, Norway and Denmark) have implemented the EU directive (95/46/EC) that regulates processing of personal data, and each country has its own national laws based on the directive. The basic principles of processing personal data and transferring personal data are very similar in each country. Despite the similarities, the practical interpretation of laws may vary a great deal between the countries. Also, the lack of official guidance from supervising authorities makes it more difficult to know how the rules are supposed to be applied in a cross-border transaction.


A transaction is always a multi-stage procedure in which privacy rules have to be taken into consideration at different levels. From the privacy perspective, transactions always include two critical moments: 1) due diligence and 2) completion of a deal. Potential buyers are interested in analyzing the seller’s operations, for which purpose they need information about the seller’s financial status, client relationships, employees and their benefits, possible disputes, market position, et cetera. If the seller is, for instance, a private clinic, the transaction will involve a large amount of sensitive patient data.


Due diligence takes place in the early stages of the planned transaction. A potential buyer wants to get as much information as possible about the target company in order to analyze its status and value. Customer data and employee data are often important and require disclosure at this stage. The completion of a deal naturally happens at the end of the transaction and has two phases—signing and closing. It is very common that the buyer wants to start preparing its operations for the merger after the signing even though it is not completely certain at this stage that the transaction will be closed. In practice, this means that the buyer wants information about the customers and employees in order to guarantee high-quality services immediately after the merger.


None of the Nordic countries’ privacy laws deal directly with the issue of transferring personal data for transaction purposes, as they are more general laws which state the requirements for any type of processing and transferring of personal data. In each country, there is always a requirement for a legitimate basis to process personal data. In a transaction, this means that the buyer needs a legal basis to process the seller’s personal data (such as employees’ personal data, customers’ personal data). Without such a legal basis, the seller is in breach of privacy laws because it has transferred personal data to a party who is not entitled to process the data, and the buyer is in breach because it is processing personal data without a legal basis. Just being a party in a transaction does not create a legal basis to process personal data.


The privacy laws in all the Nordic countries recognize several options as being a legal basis to process personal data. The absolute, and also the most common and logical, basis for legal processing is a data subject’s consent. Obtaining adequate consent requires that a person is fully informed of to whom and for what purpose his/her personal data will be transferred. However, acquiring consent might be problematic in practice for two reasons: 1) transactions are not usually publicly available information until after the signing has taken place and 2) there are so many data subjects whose consent should be acquired that it is basically impossible to obtain consent from all of them. Unfortunately, it is not very common for data subjects to be informed, already at the time the data is collected, about possible data transfers due to a transaction. On the other hand, since we lack official guidance from the supervising authorities, it is not certain that this procedure would be enough to create a legal basis in Scandinavia to process personal data in a transaction.


In most cases, due diligence reviews do not require personal data; they can, for the most part, be carried out without that information. If we think about an employment contract, the buyer is interested in information regarding salary, benefits and other conditions stated in the agreement and not so much in an employee’s name and address. Our common view is that the seller should try to depersonalize data for the data room material as much as possible, because a diligent analysis is still possible without including personal data in the documents.


Transferring personal data after signing is more problematic, because that data is necessary for the buyer to prepare its technical systems for the time after the merger. Naturally, the ideal situation would be that the systems were complete and would work without problems and delays. This also means that the data cannot be depersonalized. The Finnish Data Protection Ombudsman has stated that the seller can transfer some data regarding key employees to the buyer after signing (but before closing), but this information can never include a complete list of the employees or sensitive data. Other Nordic countries do not have an official view on this matter, which means that there are always risks involved if personal data is transferred to the buyer before closing.


We all agree that the parties should be encouraged to pay attention to privacy issues from the beginning of the procedure, especially when there is a cross-border transaction at hand. Privacy issues might seem to be a minor part of a large project, but if the parties are not prepared for these questions, privacy laws might cause serious problems when trying to standardize the systems just before closing. It is also worth noting that, despite the EU directive, practices vary a great deal in different European countries and the rules should be examined country-by-country and case-by-case.


With Nicole Offendal, a partner at Norrbom Vinding in Denmark, and Susanne Larsgaard, an associate at Haavind in Norway.