GDPR protocols and (data processor) agreements

The acquisition process entails the sharing of not only commercially sensitive information but also (intentionally or otherwise) personal data. The General Data Protection Regulation or GDPR (In the Netherlands, De Algemene Verordening Gegevensbescherming or AVG) came into force in the European Union on 25 May 2018. According to the GDPR, businesses and governments must take appropriate technical and organisational measures to prevent the unauthorised use and sharing of data as well as data breaches. The GDPR's rules are far stricter than the national legislation applicable prior to May 2018 and allow the Data Protection Authority to impose fines on businesses for non-compliance. As the use of personal data (as the world's most valuable commodity) is a 'hot topic', your reputation is also at stake here.

We help you determine which role and associated obligations you have under the GDPR regarding personal data shared in the acquisition process. As a seller, you are primarily responsible for the data but it is also important for a buyer not to receive an unnecessary amount of sensitive personal data.

Once the roles under the GDPR have been established, appropriate arrangements can be made to ensure the best possible compliance.

Incidentally, non-compliance with the GDPR is also increasingly seen as a ‘red flag’ or a reason to include an indemnity clause in the sales agreement. Our lawyers are here to help you prevent any surprises.