Has the data privacy authority issued any guidance on data privacy compliance in the context of transactional activity (including, but not limited to, share sales, asset sales, reorganizations or spinouts)?
Last review date 20 January 2025
☒ Yes
The ICO's Data Sharing Code of Practice (https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-sharing/data-sharing-a-code-of-practice/due-diligence/) includes guidance on data sharing following mergers and acquisitions.
In the context of an asset sale (the sale of a separate business unit as a going concern), does the acquiring entity inherit liability for pre-acquisition data privacy or cybersecurity breaches (connected with the assets that are the subject of the asset sale)?
Last review date: 20 January 2025
No.
If so, how would any regulatory fines be calculated?
Last reviewed: 20 January 2025
☒ Based on the turnover of the entity (or group) that owned the assets at the time the fine is imposed (which, if the fine is imposed post-acquisition, may be the turnover of the acquiring entity or group)
In the context of a share sale (where the acquiring entity acquires 100% of the shares of a target company), does the acquiring entity inherit liability for pre-acquisition data privacy or cybersecurity breaches (connected with the target company)?
Last reviewed: 20 January 2025
☒ It depends (for example, on the way the share sale is structured)