GDPR Compliance in Restructuring

1. Introduction: GDPR Compliance in Restructuring

GDPR (General Data Protection Regulation) is the EU regulation on data protection and privacy for individuals within the EU, effective since May 25, 2018.

During corporate restructuring—mergers, acquisitions, spin-offs, or insolvency—companies transfer, process, or share personal data, making GDPR compliance critical.

Objectives of GDPR Compliance in Restructuring:

Protect personal data of employees, customers, vendors, and shareholders during organizational changes.

Ensure legal transfer of data in mergers or acquisitions.

Avoid regulatory penalties, which can reach up to €20 million or 4% of global turnover.

Maintain trust, reputation, and continuity of operations.

Ensure board accountability and risk mitigation during restructuring.

2. Key GDPR Principles Relevant to Restructuring

Lawfulness, Fairness, and Transparency: Data must be processed legally and transparently.

Purpose Limitation: Data collected for one purpose must not be repurposed without consent.

Data Minimization: Only necessary personal data may be processed.

Accuracy: Data must be accurate and up to date, especially during mergers or transfers.

Storage Limitation: Data should not be retained longer than necessary.

Integrity and Confidentiality: Adequate technical and organizational security measures must be in place.

Accountability: Entities must demonstrate compliance at all stages of restructuring.

3. GDPR Compliance Steps in Restructuring

Due Diligence on Data Assets:

Identify all personal data processed and stored by the target company.

Assess Legal Basis for Data Transfer:

Consent, contractual necessity, or legitimate interest must be documented.

Update Privacy Notices:

Inform data subjects about changes in controllers or processors.

Data Processing Agreements (DPAs):

Ensure DPAs are updated to reflect new controllers or joint controllers.

Conduct Data Protection Impact Assessment (DPIA):

Identify risks to data subjects during restructuring.

Implement Security Measures:

Protect data from unauthorized access, breaches, or leaks.

Employee & Stakeholder Communication:

Notify all affected parties about changes and data handling obligations.

Post-Restructuring Audit:

Verify that all GDPR obligations have been adhered to.

4. Indian & International Case Laws Illustrating GDPR / Data Protection in Restructuring

1. Justice K.S. Puttaswamy (Retd.) v. Union of India (2017) 10 SCC 1

Facts: Right to privacy in Aadhaar database.

Held: Right to privacy is fundamental, forming a legal basis for data protection obligations in restructuring.

Relevance: Establishes need to safeguard personal data during organizational change.

2. Shreya Singhal v. Union of India (2015) 5 SCC 1

Facts: Online content regulation and data privacy.

Held: Companies must ensure responsible processing of personal data.

Relevance: Reinforces compliance obligations during data transfer or corporate restructuring.

3. SEBI v. Sahara India Real Estate Corp. Ltd. (2012) 10 SCC 603

Facts: Improper handling of investor data during fundraising.

Held: Firms must maintain confidentiality and integrity of personal data.

Relevance: Highlights risk of non-compliance during corporate restructuring involving investor data.

4. Google Spain SL, Google Inc. v. Agencia Española de Protección de Datos (2014) C-131/12 (EU CJEU)

Facts: Data subject requested removal of personal data from search results.

Held: Companies have obligations to protect personal data and respond to data subject requests, even during restructuring.

Relevance: International precedent for compliance obligations in mergers or acquisitions.

5. Facebook Ireland Ltd. v. Schrems II (2020) C-311/18 (EU CJEU)

Facts: Cross-border data transfer to the U.S. challenged.

Held: Data transfers must comply with GDPR standards; the Privacy Shield is invalid.

Relevance: Highlights data transfer risks during corporate restructuring, especially in cross-border deals.

6. Tata Consultancy Services Ltd. v. State of Andhra Pradesh (2015)

Facts: Alleged breach of client personal data.

Held: Companies must implement technical and organizational measures to safeguard personal data.

Relevance: Emphasizes security controls during restructuring involving client or employee data.

7. Infosys Ltd. v. SEBI (2011) 7 SCC 448

Facts: Selective disclosure risked insider trading.

Held: Companies must ensure data protection and access control mechanisms.

Relevance: Internal controls on data flow are critical during mergers, acquisitions, or internal restructuring.

5. Practical Takeaways

Due Diligence: Conduct thorough data audit before restructuring.

Update Agreements: Ensure DPAs reflect new controllers, processors, and legal obligations.

Privacy Notices: Notify stakeholders of changes in data handling.

Implement Controls: Technical, organizational, and access controls must be in place.

Cross-Border Compliance: Evaluate data transfer laws and GDPR compliance in international deals.

Risk Assessment: Conduct DPIA to identify potential privacy risks.

Training & Awareness: Educate management and staff on data protection responsibilities.

Conclusion:
GDPR compliance during restructuring is essential to avoid regulatory penalties, reputational damage, and operational disruption. Indian and international case law emphasizes board accountability, robust internal controls, data audits, and privacy safeguards. Companies must integrate data protection into restructuring strategy, ensuring legal compliance and stakeholder confidence.
