Organic Law 3/2018, of December 5, on Data Protection and Digital Rights Guarantee has not only adapted the national legal system to the General Data Protection Regulation but has also introduced clarifications that will help controllers and processors to carry out processing operations with greater legal certainty.
This is the case of the personal data treatments carried out in the framework of due diligence processes, being that the new Organic Law on Personal Data Protection finally and expressly foresees the lawfulness of these treatments.
The exchange of personal information that occurs between participating entities prior to the completion of a corporate transaction or company sale is evident. Thus, so that the buyer, absorber or assignee of a branch of activity, under whatever title, has a good knowledge of the entity that is preparing to buy, absorb, or receive by virtue of the corresponding transmission, access to Personal data relating to workers, customers and suppliers can be presented as a determining factor for the successful completion of the operation.
The already repealed Regulation of development of the also repealed Organic Law on Personal Data Protection of 1999 established a legal fiction applicable for structural modification operations or business transfers or branch of activity according to which, once the corporate operation was formalized, it was allowed to continue with the treatment originally made by the previous responsible, being that the communication of data in favor of the new responsible resulting from the operation was not considered as a transfer of data. Therefore, it was not necessary to have the consent of the interested parties, it was enough to inform them about the succession in the condition of the person responsible for their data.
Now, what happened in practice when, for example, the absorbing entity in a merger pretended to have access to personal data of the absorbed entity before the execution of the operation? In my opinion, this situation generated problems, especially when this treatment was necessary for the effective completion of the operation, since it was not clear if the access to data by the new person responsible had a place before concluding the operation.
This led to the issuance of several reports by the Spanish Data Protection Agency in which it declared the feasibility of prior access to personal data (see report number 518/2009, where in the framework of an initiation and not concluded merger, the access of the absorbing entity is allowed to the data of the absorbed entity to allow the integration of the information systems of both entities; in the same sense, see report number 194/2017 that analyses the Draft of the current Organic Law on Personal Data Protection.
In the new Organic Law on Personal Data Protection, the national legislator has wanted to echo these pronouncements of the AEPD. Indeed, article 21.1 presumes lawful data processing derived from any structural modification operation or the contribution or transmission of business or branch of business activity, including its prior communication.
Certainly, and based on the cause of lawfulness of the legitimate interest, data communications are allowed before the operation is completed, since the legislator understands that they are necessary for the good end of the operation and can even guarantee the continuity of the services that could be provided to the interested parties. Therefore, we can affirm that the access to data in the framework of the due diligence that involves the transmission of data from the transferring company to the transferring company can be understood covered by this new provision.
However, it should be borne in mind that as long as the operation is not completed, it will not be possible for the assignee of the data to use it for any purpose other than the correct achievement of it, which will only be possible at the time of its conclusion.
On the other hand, the law says nothing about the obligation to inform interested parties about the communication of data carried out in the framework of these processes, which – in my opinion – is still equally applicable. Now, if it is considered that the fulfilment of the duty to inform can seriously affect the achievement of the objectives of the prior data communication, then said duty would not be mandatory.
Finally, article 21.2 of the new Organic Law on Personal Data Protection obliges the assignee of the data to delete it in the event that the operation does not succeed. And this is entirely logical if it is, since access to the data would have been limited to the stated purpose (the successful completion of the operation), without the possibility that the participating entities may retain personal information of others.