ARTICLE
24 March 2026

Protection Of Personal Data In Mergers And Acquisitions

Özge Öztürk, Pekin & Pekin

I. Introduction

The due diligence phase of mergers and acquisitions ("M&A") requires intensive information sharing, making it particularly sensitive in terms of personal data protection. This article addresses the responsibilities of the parties under the Turkish Personal Data Protection Law ("KVKK"), the importance of the obligation to inform, the principle of data minimization, Non-Disclosure Agreements ("NDAs"), data destruction obligations, and key considerations for the processing of special categories of personal data.

II. Data Controller Status and the Due Diligence Phase

The due diligence process in mergers and acquisitions is a critical stage in which extensive information and document exchange occurs between the buyer and the target company. The buyer aims to obtain comprehensive data about the target company to make an informed decision regarding the planned transaction and to assess legal, financial, and operational risks.

During this process, the processing, storage, and sharing of data that qualifies as "any information relating to an identified or identifiable natural person" under the KVKK inevitably occurs. Accordingly, all data processing activities conducted during due diligence must comply with the provisions of the KVKK.

Under the KVKK, a data controller is the person who determines the purposes and means of processing personal data. In this context, both the target company and the buyer may qualify as data controllers during M&A processes: the target company because it processes personal data within its own structure, and the buyer insofar as it requests access to such data for review purposes. Consequently, both parties may bear obligations under the KVKK.

III. Obligation to Inform

For data controllers, the obligation to inform is crucial to ensure transparency and accountability in personal data processing during M&A transactions. Pursuant to Article 10 of the KVKK, parties who process or transfer personal data are obliged to inform the relevant individuals, regardless of whether explicit consent has been obtained.

As reflected in the decisions of the Personal Data Protection Board ("Board"), privacy notices containing vague or overly general statements are considered non-compliant. Therefore, privacy notices prepared within the scope of due diligence must be drafted in a concrete, clear, and comprehensible manner.

In due diligence, personal data are often transferred to the buyer indirectly, through the target company. In such cases, pursuant to Article 6 of the Communiqué on the Procedures and Principles for Fulfilling the Obligation to Inform, the party obtaining the data indirectly must inform the data subjects within a reasonable period. However, in transactions involving hundreds of employees or stakeholders, the practical application of this obligation may be challenging.

III. NDAs and Data Destruction Obligations

Information sharing in M&A processes requires a high level of confidentiality to protect both trade secrets and personal data. Therefore, NDAs entered into between the parties should serve not only to safeguard commercial information but also to protect personal data. Including explicit provisions on personal data protection within NDAs ensures comprehensive legal security from both commercial and data-protection perspectives.

Such agreements should explicitly state that personal data processed during due diligence will be used solely for the purpose of the transaction and will not be shared with third parties, and that necessary technical and organizational measures will be taken. Additionally, considering the possibility that merger or acquisition negotiations may fail, it is crucial to include provisions requiring the buyer to destroy, in compliance with the law, any personal data obtained once the process concludes.

These provisions concretize the obligation under Article 7 of the KVKK, which requires deletion, destruction, or anonymization of personal data when the purpose of processing ceases to exist. They also minimize potential liability risks and ensure legal compliance throughout the process.

IV. Processing of Special Categories of Personal Data, Anonymization and Data Minimization

During due diligence, access to special categories of personal data such as health reports or criminal records may occur. Under Article 6(3) of the KVKK, the processing of special categories of personal data is prohibited as a general rule. However, such data may be processed, inter alia, where (a) the explicit consent of the data subject has been obtained, (b) it is expressly provided for by law, (c) it is necessary for the protection of the life or physical integrity of the data subject or another person where the data subject is physically unable to give consent or whose consent is not deemed legally valid, (d) it relates to personal data that has been manifestly made public by the data subject and is in accordance with the data subject's intent of disclosure, or (e) it is necessary for the establishment, exercise, or protection of a right. However, obtaining explicit consent from each employee or satisfying the aforementioned conditions in a corporate transaction is often impractical, and the applicability of other legal grounds varies across data categories.

Therefore, anonymization and data minimization are the most reliable and compliant approaches for handling special categories of personal data. Applying data minimization ensures that only the information strictly necessary for the assessment is processed, while anonymization eliminates legal uncertainty by preventing any possibility of identifying individuals. These principles jointly reduce compliance risks and align with the core requirements of the KVKK.

Furthermore, the technical and organizational measures established by the Board, such as encrypted data storage, restricted access rights, maintenance of access logs, and prevention of unauthorized access, must be fully implemented, particularly in data room environments.

V. Conclusion

The due diligence phase of mergers and acquisitions requires balancing the legitimate business need for information with the strict obligations of personal data protection law. Both the buyer and the target company may qualify as data controllers and therefore must ensure that all data processing activities comply with the KVKK. Transparency toward data subjects, explicit data protection clauses in Non-Disclosure Agreements (NDAs), lawful data destruction, and the application of anonymization and data minimization principles are essential for ensuring compliance and reducing legal risks. By implementing strong technical and organizational safeguards, parties can protect personal data and maintain trust throughout the M&A process.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
