CONTACT US 0845 345 5004

Latest Blogs

Data & Security – dealing with disclosure of personal data in a corporate transaction

Although a business should have an understanding of its obligations under the Data Protection Act 2018 and UK GDPR, the following gives an overview of the specific considerations to be made before sharing personal data as part of a corporate transaction:

  1. What data are you sharing?

In the first instance, you should consider what personal data you process and what is likely to be shared during the transaction. This data may include: (1) employment contracts and information; (2) personal data relating to disputes; and (3) personal data contained within key contracts.

  1. Confidentiality

Next, you should enter into a confidentiality agreement. This agreement should provide that any confidential information (including personal data) will be stored securely and that on expiry of the agreement, the receiving party will either destroy or return all confidential information.

  1. Transparency

You should then consider if your processing is likely to be deemed lawful, fair and transparent.

To ensure transparency, you need to notify data subjects that their data is being processed. A well drafted privacy policy should already cover this off.

  1. Grounds for processing data

To ensure lawful processing, there must also be grounds for processing the personal data, such as consent or legitimate interests.

In the context of employer/employee relationships, consent is a difficult ground to rely upon due to the imbalance of power. Therefore, legitimate interests is most likely the best ground to rely upon for commercial transactions. This requires a controller to balance its own reasons for processing data against the data subjects ‘fundamental rights and freedoms’ but consideration must be made in terms of minimising the risk to data subjects.

One way to minimise the risk is to ensure all personal data is shared via a secure virtual data room (VDR) which can only be accessed by authorised users.

Where possible, personal data, such as employee names, should be redacted before being shared.


Ultimately, before sharing personal data, you must ensure that you can answer the following questions:

  1. What personal data are you proposing to share?
  2. Is there a suitable confidentiality agreement in place?
  3. Have you informed data subjects that their data will be shared?
  4. Is it in your legitimate interests to share the personal data?
  5. Have you minimised the risk to data subjects?
M&A – tips for acquiring distressed competitors
The legal consequences of the rise in online fraud

Contact us

Invalid Input
Invalid Input
Invalid Input
Invalid Input
Invalid Input
You must confirm you have read and accept our Website Privacy Policy.