Terje Gulbrandsen Ketil Sellæg Ramberg Personal data and privacy law issues raise a number of issues in a company's day-to-day business and may be significant in many transactions. That being said, personal data issues have not played an important role in M&A, although they may turn out to be more important than previously thought. As a means of guidance, and not as an exhaustive list, the following checklist may be useful in your next transaction; either as seller in preparation of a future sale, or as buyer when performing due diligence. Is the company a data processor that is obliged to obtain a licence from the local data protection authority, or will a notification to the relevant authority be sufficient? If the company is obliged to have a licence, it is important to review this licence. Is the company handling sensitive data (health data, trade union membership, racial or ethnic origin, sex life, information with regards to criminal acts) or just regular personal data (information that may be linked to a natural person)? Does the company have a security strategy and how is the company handling their internal control? Does the company have any security zones? If so, how is access granted and denied? Is it possible to track such access? Has the company entered into any data processor agreements? Has the company performed a security audit? If so, were any discrepancies discovered? Has the company been subject to review from the local data protection authorities? If so, any report from such a review should be provided. Has the company entered into agreements with regards to the transfer of personal data to third countries? Is aggregated data or big data in some form used in the business? If so, is the data properly anonymised or would it be possible to re-identify the data subject? If not, how is the data subject's consent obtained and kept? Is customer data used in the business? If so, how is the data subject's consent obtained and kept? If the company is developing internal systems, is the company complying with privacy by design guidelines? Is the company storing internal or external data in the cloud? How are security measures taken? Is the company certain that personal data stored in the cloud is kept in the country or is the personal data transferred to third countries? Does the company have a data protection officer? Terje Gulbrandsen and Ketil Sellæg Ramberg
September 22, 2014