11 May 2022

During most (if not all) corporate transactions, personal data relating to staff (HR data) will be transferred between the relevant parties.

Consequently, there is an ongoing obligation for employers to comply with GDPR and DPA 2018 when sharing HR data as part of the transaction.

For example, whenever a business is being sold, the buyer will need to see data relating to the seller’s workforce. This will include personnel records, but also information that whilst less obviously personal in nature, still amounts to personal data because it could indirectly identify an individual – such as an employee number.

In our latest article in this series, we explore five key considerations for processing HR data in corporate transactions.

Key Consideration One – understand disclosure requirements

Data and privacy considerations are unlikely to be foremost in parties’ minds when preparing for a fast-paced deal. However, investing a small amount of time at the outset to consider relevant data issues, will pay dividends in the later stages of a time-critical corporate transaction.

The first step is understanding the relevant types of personal data and when they will be processed during the transaction; in other words, carrying out a data mapping exercise). Often the timing of the necessary disclosure will dictate the legal basis that employers rely on to justify the processing in this context.

For example, an employer that’s required to disclose staff data at the tender stage of an outsourcing transaction or as part of the pre-deal steps (i.e. to attract a potential buyer) is likely to rely on “legitimate interests” as the lawful processing purpose. However, an employer disclosing the same data to comply with their obligation to provide employment liability information under TUPE once the transaction is underway, is likely to rely on “legal obligation” as the lawful processing ground.  Employers should note that where “legitimate interests” is used, they should complete a legitimate interests assessment before any processing is carried out.  This is in addition to conducting a wider data protection impact assessment (DPIA), which we recommend is carried out in all corporate transactions.

It’s also important to understand that data issues will always be relevant to some degree, whatever the structure of the deal. Asset sales arguably pose the greatest risk of non-compliance because more personal data will be transferred to the buyer as part of the due diligence and legal process.  However, this does not mean that data issues can be ignored in share sales, because in most cases the buyer of the shares in the target will still want to carry out pre-acquisition due diligence.

Key Consideration Two – ensure employees are (broadly) informed

Whatever the legal ground of transfer, employers should ensure they meet the obligation to provide employees with transparent information about the processing activities applied to their personal data. Staff privacy notices should therefore refer to the possibility of HR data being processed in any potential corporate transaction.

Key Consideration Three  – agree on security measures

Both parties will have obligations to ensure the security of HR data disclosed during the transaction. Although it’s arguably not the most riveting part of a deal process, it’s in the interests of both sides to take some time to agree on sensible precautions.

Practical security steps may include the use of data rooms, with access restricted to only those working on the deal. Only reputable software and platform providers with robust security policies should be used to host the data room, with password protection to get into the room and data encryption as standard.

Another aspect to consider is whether the HR data disclosed during the transaction is being processed by the recipient outside of the EEA – if so, relevant additional safeguarding arrangements will need to be considered.

Taking this a step further, it’s always good practice to consider implementing a data sharing agreement between the parties (both of whom will be considered data controllers of the HR data in this context). The agreement should include (amongst other things) warranties or indemnities to mitigate the consequences of non-compliance and to manage security risks.

Key Consideration Four – don’t overshare!

Subject to any obligations under TUPE, it’s unlikely that full details of all in-scope employees will need to be shared with the buyer during due diligence.  For example, a buyer won’t generally need to review all employment contracts as part of due diligence, just those of key employees.  That said, a buyer will probably want to access a large amount of HR data to fully understand the workforce. The parties therefore need to decide how to deal with these competing concerns.

To address this, a seller should consider redacting or anonymising data, or providing summaries where appropriate, to prevent individuals being identified. This will be appropriate even where the data is required to meet the TUPE obligation to provide relevant employee liability information. In some cases, pseudonyms may be appropriate so that individuals can only be identified when additional data about them is disclosed (with such additional data not actually being disclosed).  Employers can also consider redacting certain non-essential personal data.

It is important for employers to take even greater care with special category data. This is personal data that needs greater protection because of its sensitive nature. It could be data revealing racial or ethnic origin, political opinions, sexual orientation, religious beliefs, trade union membership, genetic data, biometric data or data concerning a person’s health and sex life.

It’s unlikely a seller will need to share special category data with a buyer in the due diligence stage of a corporate transaction. However, as we’ll see in Key Consideration 5, buyers must be mindful of the seller’s policies and procedures for handling such data and their compliance with the GDPR. Being alert to any inadequacies and shortcomings will enable swift rectification post-completion and reduce the likelihood of the buyer being in breach of the GDPR.

Key Consideration Five – for buyers, data compliance should form part of due diligence

The principle of accountability in the GDPR requires processors of personal data to take responsibility for how they do this. This includes an obligation to demonstrate compliance, which means employers must have well-documented procedures and policies in place. This might include an internal privacy policy, a data minimisation procedure or a routine for conducting DPIAs (Data Protection Impact Assessments).

If the seller’s general approach to complying with their data protection obligations is inadequate and/or inconsistent with that of the buyer, the buyer will need to think about how to reconcile such differences to ensure a consistent and compliant approach is swiftly adopted post-completion. This could be particularly difficult if not given due thought and consideration in advance. The seller’s data protection policies and practices should be reviewed prior to completion, so a clear plan can be put in place to take any necessary remedial action.


There is a difficult balancing act to strike between remaining compliant with data protection obligations and the commercial realities of a fast-paced commercial transaction.

Nevertheless, if either party fails to comply with their data obligations, they could find themselves facing reputational damage as well as significant fines. Consequently, data considerations should be regarded in any corporate transaction as a key part of enabling a successful deal.

If you need help with any of the points raised in this article, please do not hesitate to contact our HR Data Team.