Skip to main content
Due Diligence

Due Diligence and GDPR

In a due diligence process, a thorough investigation is conducted into the legal, financial, and operational status of a company considering a merger, acquisition, or investment. However, one of the most relevant aspects, which often goes unnoticed, is compliance with the General Data Protection Regulation (GDPR). In this article, we will explore the key factors to consider when conducting due diligence in relation to the GDPR, providing practical examples to help you understand its importance.

1. Review of Personal Data Types

One of the first steps in a due diligence process concerning the GDPR is identifying the types of personal data managed by the company. Under the GDPR, personal data refers to any information related to an identifiable person, such as their name, address, phone number, email, and more. Additionally, there are special categories of data, such as health or financial information, that require a higher level of protection.

Practical Example: If the company undergoing due diligence is a medical clinic, it is crucial to verify that sensitive data, such as medical records, is stored and managed in compliance with the strictest GDPR regulations.

Recommended Actions for Due Diligence:

  • Verify that the company has correctly classified personal data and has taken measures to protect it.

2. Assess the Legal Basis for Data Processing

The GDPR establishes that personal data processing can only occur if one of the legal bases outlined in the law is met. These bases include consent from the individual, the necessity to fulfill a contract, compliance with a legal obligation, among others.

Practical Example: If the company undergoing due diligence collects personal data from customers to offer personalized services, it is important to verify that explicit consent has been obtained from users or that processing is based on the execution of a contract.

Recommended Actions for Due Diligence:

  • Verify consent records if this legal basis is being used.
  • Review contracts to ensure personal data processing is appropriately justified.

3. Review of Privacy Policies

A due diligence process regarding the GDPR should also include a thorough review of the privacy policies the target company has in place. Privacy policies should be clear, transparent, and easily accessible to users, informing them about how their data is collected, used, stored, and protected.

Practical Example: An online store must have a privacy policy detailing how it handles customer personal information, from payment data to purchase preferences. If this policy has not been updated in line with the GDPR, it may indicate non-compliance with data protection regulations.

Recommended Actions for Due Diligence:

  • Verify that privacy policies are up to date and comply with GDPR requirements.
  • Ensure that the company has mechanisms in place to guarantee transparency in data processing.

4. Evaluation of Data Subject Rights

The GDPR grants individuals several rights concerning their personal data. These rights include the right to access, rectification, deletion, portability, objection, and restriction of processing. A critical part of due diligence is reviewing how the company would manage these requests and whether it has an adequate procedure to comply with data subjects’ rights.

Practical Example: If a customer requests the deletion of their personal data from the company’s database, the company must comply with this request within the specified time frame, unless a legal basis prevents it.

Recommended Actions for Due Diligence:

  • Ensure the company has established procedures for managing data subject requests.
  • Verify that defined timelines exist for responding to access, rectification, or data deletion requests.

5. Review of Agreements with Suppliers and Subcontractors

In many cases, companies subcontract personal data processing to third parties (service providers, subcontractors). Under the GDPR, it is essential to have a data processing agreement that governs this relationship, specifying how personal data should be handled and ensuring compliance with legal obligations.

Practical Example: If the company undergoing due diligence has a contract with a cloud storage service provider, it must be verified that the contract includes specific clauses ensuring that the provider complies with GDPR regulations.

Recommended Actions for Due Diligence:

  • Review agreements with suppliers and subcontractors to ensure they include appropriate data protection clauses.
  • Ensure that service providers also comply with GDPR regulations, especially if data is transferred outside the European Economic Area (EEA).

6. Evaluation of Data Security

Data security is a critical component of GDPR compliance. Companies must implement both technical and organizational security measures to protect personal data from unauthorized access, alteration, disclosure, or destruction.

Practical Example: If the target company has a customer database, it should be verified whether the database is encrypted and whether there are restricted access policies to ensure that only authorized personnel have access to sensitive data.

Recommended Actions for Due Diligence:

  • Review the security measures the company has implemented to protect personal data.
  • Ensure that regular audits and risk assessments are conducted to identify potential vulnerabilities.

7. Data Breach Notification

The GDPR mandates that, in the event of a security breach affecting personal data, the company must notify the data protection authority and, in some cases, the affected data subjects.

Practical Example: If a hacker gains access to a company’s database and steals personal information, the company must notify the relevant authority within 72 hours. If sensitive data is stolen, the affected individuals must also be informed.

Recommended Actions for Due Diligence:

  • Verify that the company has procedures in place to detect, manage, and promptly notify security breaches.
  • Ensure that the company has properly informed authorities and data subjects in previous breach cases.

Conclusion

Conducting thorough due diligence with respect to the GDPR is essential for mitigating legal and financial risks associated with improper handling of personal data. By ensuring that the target company complies with GDPR requirements, investors and buyers can avoid fines, lawsuits, and damage to reputation. By considering key aspects such as identifying personal data, legal bases for processing, privacy policies, and security measures, responsible data handling can be ensured.

Author: Victor Roselló, Lawyer.

If you need more informarion, contact us!


    Information on data protection

    Company name
    LEGAL IT GLOBAL 2017, SLP
    Purpose
    Providing the service.
    Sending the newsletter.
    Legal basis
    Compliance with the service provision.
    Consent.
    Recipients
    Your data will not be shared with any third party, except service providers with which we have signed a valid service agreement.
    Rights
    You may access, rectify or delete your data and exercise the rights indicated in our Privacy Policy.
    Further information
    See the Privacy Policy.

    Us
    Services