GDPR and Its Impact on M&A Transactions
Safeguarding private individuals’ identity and privacy has always been an important topic in portfolio transactions, but in the light of GDPR it is increasingly essential to finding the right solution to assess and maintain personal data.
Successfully transferring loans from sellers to third party investors and ensuring safeguarding of private individuals’ identity and privacy was always a major topic for debt sale transactions. Considering this, banks have been acting in compliance with each jurisdiction’s bank secrecy rules. In addition to this, the European Union newly issued the EU General Data Protection Regulation (“GDPR”), which entered into force on May 25, 2018. The main goal of the regulation is to harmonize data privacy laws across Europe, in order to protect all EU citizens’ personal data. However, each participating country had the possibility to adjust certain aspects of the regulation, based on its national law.
What is personal data in the meaning of the GDPR and how will this regulation affect the debt sale financial services industry?
“Personal data” means any information relating to an identified or identifiable (directly or indirectly) private individual (data subject).”(GDPR, art. 4; e.g. name, personal email address, cell phone number, IP address…, also including special categories of personal data).
When analyzing the impact of GDPR on debt sale transactions, following questions are of a significant importance: (i) What kind of debtors are in scope?; (ii) What is the source of the personal data (e.g. loan tapes)?; (iii) Who are the involved parties? (e.g. legal/financial/tax advisors, investors); (iv) Are the involved parties EU or non-EU?.
Looking at each stage of the debt sale transaction, due diligence is the most sensitive phase in terms of personal data. The seller must be prepared to disclose to all involved third parties the entire loan documentation. In some cases, it might be useful (needed) to disclose personal data to potential buyers and their advisors. Based on our experience from previous years and since GDPR came into force, we see three potential solutions:
2) Red vs. green VDR and
3) Based on the type of transaction and requirements from third parties involved, the setup of a contractual solution, which will allow the processing of personal data.
The table below presents the main advantages and disadvantages for each mentioned solution.
Based on the above presented advantages and disadvantages, we could say, in general, request and submit personal data only if the information will be mandatory for the deal. The less personal data you submit, the easier it is to be compliant for all involved parties.
How an PwC help
Based on our vast experience on the debt sale market, we can assist you throughout the entire data and documentation readiness process by:
- defining and providing you GDPR compliant portfolio data request list, according to latest investors’ requirements,
- performing qualitative and quantitative checks of the loan tapes in order to achieve top quality and above market standard data & documentation,
- offering you successfully market tested solutions on how to handle the personal data during the each step of the process and
- putting at your disposal a very experienced team in debt sale transactions.
We are looking forward to working with you!
For more information please contact:
Senior Consultant, PwC Austria, FS Deals
Senior Manager, PwC Austria, Legal
Legal Senior Expert, PwC Austria, Legal