March 20, 2019 In Thought Leadership

Mergers and Acquisitions (M&A) in the Face of Data Protection


The Data Protection Act, 2019 (the Data Protection Act) commenced on 25 November 2019 and as discussed in our previous commentary it seeks to, among other things, (i) make provision for the regulation of the processing of personal data; and (ii) provide for the rights of data subjects and create obligations for data controllers and processors.

M&A transactions would typically assume these forms: (i) a share sale/acquisition, which would result in maintenance of the legal status of the target company and result just in a change in ownership; and/or (ii) an asset sale/acquisition, which involves the transfer of agreed and identified assets and liabilities.

This write up provides a brief overview of salient points to look out for or seek clarity on in your M&A transaction.

Pre-transaction Phase

In an asset sale, there is a high likelihood that, embedded in the listed assets or as an asset itself, data, falling within the purview of the Data Protection Act.

Prior to collecting data, a data processor or controller is required to notify the data subject of, among other things, the use for the data.

The pre-transaction or the due diligence phase may involve the access to this data by the proposed purchaser or representatives of the proposed purchaser. Pursuant to the Data Protection Act, the relevant data processor or controller is required to seek the consent of the data subject prior to making available this data. Incidentally, during this phase, the parties to the transaction are intent on keeping the proposed transaction confidential.

It is understandably impractical to seek the consent or approval of all the data subjects of an entity. The Data Protection Act exempts a data processor or controller from obtaining the consent of a data subject where it is in the legitimate interest of the data processor or controller to disclose (in this case due-diligence) such information to a third party provided the rights, freedoms and legitimate interests of the data subject are not harmed.

Transaction Phase and Closing

At the transaction phase, the actual transfer of data occurs and in this regard the assets and liabilities would be transferred to the buyer.

Logically, and from the provisions of the Data Protection Act, the data is being transferred from one data controller/processor to another, which renews the obligations of the new data controller/processor to notify the data subjects.

It is typical for M&A agreements to include warranties issued by the seller to the buyer. With respect to data protection, we expect to see the negotiation and inclusion of warranties issued by the seller that they have complied and continue to comply with their obligations under Data Protection Act with respect to the data being transferred, that they have sought the relevant entitlement or consent to transfer the data, and that there are no existing claims of violations of data protection with respect to the transferred data.


The phenomenon of data protection is fairly new globally and the practical application of the salient features of statute is yet to be tested. In our view, parties to an M&A transaction will be required to carry out a risk assessment of the data they hold prior to disclosing such data and balance it against the requirement for confidentiality in such transactions.

In addition to this, we are likely to see data intensive entities amending their privacy policies to obtaining consent of their data subjects to such transactions in advance in order to mitigate this risk.

Should you require any more information or assistance kindly contact Samuel Kisuu or Craig Douglas Oyugi

This alert is for general use only and should not be relied upon without seeking specific legal advice on any matter.