Last review date: 13 January 2025

Yes

If yes, please provide a link

Under the PDP Law, data controllers in the form of a legal entity that intend to conduct a merger, spin-off, acquisition, consolidation, or dissolution of a legal entity must notify the transfer of personal data to data subjects. The notification is done before and after the transaction. The notification can be done privately to each data subject or publicly through mass media (electronic and conventional).

Last review date: 13 January 2025

☒  It depends (for example, on the way the asset sale is structured, and/or the assets being acquired)

☒  Unclear

From a regulatory perspective, there is no specific guidance. So this will depend on the contractual arrangement between the parties (e.g., the way the asset sale is structured, and/or the assets being acquired).

Last review date: 13 January 2025

Based on turnover of the entity (or group) that owned the assets at the time of the breach

Last review date: 13 January 2025

☒  Yes.

Legally speaking yes because in a share sale, the buyer will acquire the target company, and hence absorb all assets and liabilities of the target company (as appropriate). That being said, in a share sale transaction, there will be due diligence and contractual arrangements that will limit the pre-acquisition liability of the target company towards the acquiring entity (e.g., through an indemnity arrangement).

☒  It depends (for example, on the way the share sale is structured)

Last review date: 13 January 2025

Based on the turnover of the target company (or its group) at the time of the breach