As part of a joint venture transaction, personal data may be shared between the parties, including as part of the due diligence process. The starting point should be that only the minimum amount of personal data necessary to permit this process to take place is shared. This concept is known as ‘data minimisation’. However, it is likely that certain disclosures of personal data will be necessary, particularly if one joint venture partner is looking to tap into the expertise or resources of the other joint venture partner’s employees. In these circumstances, the disclosing party will need to ensure that the relevant employees have been informed that their personal data is being disclosed for this purpose. This is in order to comply with the transparency requirements of Article 13 of the EU General Data Protection Regulation (GDPR), which requires organisations to be transparent with individuals as to how they use their personal data. It will also be necessary to demonstrate a “legal ground” for “processing” the personal data. These grounds are set out in Article 6 of the GDPR. Often, the most appropriate ground to rely on in this context will be the “legitimate interests” ground. But this can only be relied upon if the disclosure of personal data is necessary, proportionate and does not adversely impact the privacy rights of the individuals. Therefore, it is important that only limited datasets are shared.
Before a JV transaction completes, parties often enter into a confidentiality agreement (also referred to as a Non-Disclosure Agreement (NDA)) prior to entering into any serious discussions. Whilst the main purpose of an NDA is to protect confidential information, if personal data will be disclosed as part of the pre-closing phase then data protection provisions also need to be included in that agreement. The provisions should restrict how the potential partner uses and retains the personal data. Other provisions may include: (i) not to combine data with other data; (ii) not to re-identify anonymised data; (iii) to co-operate with the seller in the event of a data breach or the exercise of individuals’ rights requests; (iv) to delete / return the data if the transaction is terminated; and (v) to indemnify in the event of a data breach.
If the main driver for the JV is to make further use of personal data, for example if the plan is to combine each party’s customer data for analytics, research and / or marketing purposes, then discussions around the data protection implications need to be prioritised at an early stage. The parties need to establish that proposed uses of the data are not incompatible with the purposes for which the personal data were originally collected. They need to ensure that there is a solid legal basis under Article 6 of the GDPR and that notice obligations are not going to prove insuperable.
Running the JV
If, as part of the JV, the shareholders jointly determine the purposes and means of processing personal data, they will be “joint controllers” for the purposes of GDPR. This attracts specific responsibilities under the GDPR.
The parties will need to decide who is responsible for carrying out the various obligations under the GDPR. Whilst the GDPR does not specifically state that joint controllers need to have a contract in place, there must be a transparent arrangement which sets out the agreed roles and responsibilities. For example, the parties must decide how the transparency obligations under Article 13 of the GDPR should be complied with. Which party will draft and provide the transparency information to individuals? To whom should individuals direct their queries or rights requests? How will the parties cooperate in the event of a personal data breach?
It is important to note that regardless of what is agreed, each data controller will remain responsible for complying with all of the relevant obligations under GDPR. Individuals can seek compensation from both parties and each will be liable for the entire damage caused, unless it can prove it is not in any way responsible for the event giving rise to the damage. In addition, joint controllers are each accountable to the data protection authority.
Termination of the JV
If the knotty issues described above can be addressed, the main issue in relation to termination is usually a commercial one: who will own the relationship with the individuals and so need to retain the data when the JV terminates?
If personal data is collected at the outset of the JV by both parties jointly, with appropriate consents and transparency information, then it may be that both parties can continue to utilise the data for their own independent purposes once the JV comes to an end. However, the picture gets more complex where, for example, the data in question is that of pre-existing customers of each party which has then been combined or lost its separate identity as part of the joint venture. If, at the outset, it was challenging to argue that the data could lawfully be used for the intended purposes of the JV, it will be even more difficult to argue that the parties can lawfully use all of the data independently once the JV has come to an end.
There may, of course, be JV wind-down obligations that need to be complied with for a period after the JV has terminated. However, once these obligations have been complied with, for the most part, the data will need to be reviewed and purged appropriately.