Switzerland: Data Protection In The Due Diligence Of M&A Transactions

Companies face a challenge when it comes to different compliance rules, with the legal framework applicable to data protection playing an important role in this process. Data protection awareness in Europe may have substantially increased in the past few years but is nevertheless often an underestimated issue. Special attention should be paid to the topic in M&A transactions.

If companies or their assets are transferred in the context of an M&A, the transfer and processing of data may be at issue in various respects and at several stages of the transaction, be it (i) in connection with its preparation (disclosure of information to potential acquirers), (ii) in the context of its completion (actual data transfer (namely in asset deals)) or (iii) in connection with the subsequent integration of the acquired company in the group of the acquirer (use of the target company's data).

This article primarily focuses on the preparatory phase of M&A deals where data protection issues particularly arise in relation to the due diligence process. First it describes the general data protection rules, which have to be considered when setting up a data room. It then briefly shows the potential consequences of a breach of these rules. Finally, it concludes with recommendations on how companies can comply with these rules in the due diligence process.

Conflicting interests

The purpose of disclosure and the establishment of a data room is usually the search for potential purchasers or investment partners (the investors). A company discloses financial information, important contracts and other documents to potential investors to provide them with the opportunity to assess contractual risks and the value of the company. It is obvious that, on the one hand, potential investors are interested in information being as comprehensive as possible to decide whether they would like to buy or invest in the target company. The target company, on the other hand, has to abide by data protection rules as well as contractual and statutory confidentiality obligations. So what information may be disclosed by a company in a due diligence process, and at what stage?

Barriers to disclosure of information in due diligence

Confidentiality obligations

When setting up a data room in M&A transactions companies should bear in mind that, in addition to being compliant with data protection rules (see below), they are generally obliged to protect business and industrial secrets as well as further confidential information. Information is considered confidential if it is not publicly known – for example, unpublished financial data, business plans or knowhow not in the public domain. Furthermore, professional secrets and bank secrecy have to be kept and cannot be disclosed in a due diligence process. If a company considers disclosing memoranda provided by third party advisors or consultants (eg a memorandum regarding a new envisaged group structure), the consent of this third party is usually required given that such memoranda regularly contain provisions making their disclosure subject to the author's prior consent.

Swiss data protection rules, on which this article focuses, partly overlap with these general confidentiality barriers. However, they also encompass further data which would otherwise not be protected.

Data protection obligations

The Swiss Federal Act on Data Protection (FADP) aims to protect the privacy and the fundamental rights of persons when their data is processed. It applies to data pertaining not only to natural persons but also – unlike data protection regulations in most other jurisdictions – to legal persons (such as corporations, limited liability companies etc). According to the FADP's article 3 section a, personal data is defined as all information relating to an identified or identifiable person. Hence, in a due diligence process, under Swiss law, personal data is at issue not only when dealing with data of employees and corporate officers but also in the context of processing customer and supplier data. Therefore, a company disclosing its contracts or any other information containing personal data has to be careful not to violate any data protection provisions. Companies should never forget that they do not only have to protect their own data but also data of third parties such as suppliers and customers.

Risk of unjustified data processing

In the context of the preparation of M&A transactions, the risk of unjustified data processing and transfer is substantial. There is a significant risk that data disclosed in a data room is too extensive and/or accessible to too many or to the wrong people. Potential investors may receive more personal information than actually required for the purchase of, or an investment in, a company.

As a fundamental rule, each processing of personal data has to be in line with the principles set out in FADP's articles 4 et seq. That disclosure of company information in a data room and its assessment by the investor have to be qualified as data processing is obvious in view of the legal definition of this term in article 3 section e. Pursuant to this provision, data is processed by any operation with personal data, irrespective of the means applied and the procedure, and in particular by the collection, storage, use, revision, archiving, destruction and namely disclosure of data.

In case of a breach of data protection provisions, affected persons may claim damages, request the surrender of profits and seek compensation for personal suffering. They may particularly also request that (i) their data be corrected or destroyed, (ii) data processing be stopped and (iii) no data be disclosed to third parties. According to the FADP, the claim is related to, and expressly governed by the rules regarding, personality protection according to article 28 et seq. of the Swiss Civil Code. Furthermore, in case of an unlawful disclosure, contractual penalties are often triggered. Finally, the breach of data protection rules may under certain circumstances result in criminal sanctions.

In view of these far-reaching consequences, the parties involved in a due diligence process are well advised to process data only in compliance with the FADP. What does this mean in more practical terms?

General data protection principles

Personal data may only be processed lawfully, in good faith and in a proportionate manner. As a general rule no more information than is absolutely necessary should be disclosed in a data room, and a company managing a data room is well advised to disclose information gradually. The relevant test will always be whether the other party really needs to know the information at the current stage.

Furthermore, personal data may only be processed for the purpose indicated at the time of collection – which is evident from the circumstances or provided for by law. The collection of personal data and in particular the purpose of its processing must be evident to the data subject.

The consent of the data subject leads to a lawful or justified processing of data. However, it has to be considered in this context that such consent is valid only if given voluntarily upon the provision of adequate information. Additionally, consent must always be given expressly in case of processing of sensitive personal data or personality profiles (see below).

Cross-border disclosure is only permitted if the privacy of the data subject is adequately protected by the recipient. If there is no statute providing for adequate protection, the parties have to ensure such protection by entering into respective contractual provisions. If no such adequate protection is guaranteed, personal data may in principle only be disclosed abroad with the consent of the data subjects.

Possible justifications

If the above-mentioned data protection principles are breached the processing is unlawful, unless it is justified by (i) the consent of the affected party, (ii) an overriding private or public interest or (iii) statutory law (article 13 para 1 of the FADP).

In case of disclosure of sensitive personal data (including religious, ideological, political or union-related views or activities, health, racial origin, social security measures and administrative or criminal proceedings) or personality profiles (which are defined as a collection of data permitting an assessment of essential characteristics of the personality of a natural person) to third parties, a justification is always required. Additionally, a party receiving sensitive personal data or personality profiles is obliged to inform the data subject of the collection.

Justification based on statutory law or overriding public interest is not necessarily readily apparent or available in the case of disclosure in a due diligence. Therefore, we will focus hereinafter on the justification by consent of the affected party and the overriding private interest.

As mentioned above, an affected person may only give valid consent, if it is based on appropriate information and given voluntarily. Precautionary general consent to data processing included in general terms and conditions to a contract is usually insufficient to meet these two criteria. The provisions in general terms and conditions are often vague, and any approval included in them is considered involuntary, because they are usually not negotiable.

There is usually a broad range and number of documents in a data room. Obtaining the individual consent of each and every single party involved is in most M&A transactions barely or in some cases not at all feasible. First of all, the timeframe is usually very tight. Secondly, the risk of an affected party not responding is rather high and may result in uncertainty regarding the lawfulness of the intended disclosure. Finally, the transaction is usually only known to a very limited circle of persons interested in its strict confidentiality. This circle privy to the transaction could be undermined if a large number of consents of third parties needed to be obtained.

As regards the justification of an overriding private interest, the FADP's article 13 para 2 lists certain examples which may possibly justify the unlawful processing of data. For instance, a person processing data may be considered as having an overriding interest if the personal data is processed by such party in direct connection with the conclusion or the performance of a contract and if the personal data is that of a counterparty. Parties involved in an asset deal or company transfer may, according to the predominant opinion of legal doctrine, invoke this justification reason because the contract's continuing performance by the acquirer is in the interest of all involved parties. However, the company disclosing data has to carefully weigh up its disclosure interest against the privacy interest of the affected data subject. This often leads to substantial uncertainty. Taking appropriate measures to live up to the above-mentioned data protection principles becomes all the more important.

The Commissioner's recommendations

The Swiss Federal Data Protection and Information Commissioner issued guidelines regarding adequate data protection in the context of M&A in 2010, expressly setting out measures to comply with the FADP. With respect to the due diligence process, these guidelines include:

  • Personalised data shall not be physically transferred to potential investors or their advisors. These parties shall merely be given the possibility to see information on site or in a data (information) room.
  • The selection of potential investors granted access to a data room shall be strictly limited to those persons with an actual interest in the company's acquisition.
  • Only a restricted group of persons shall be allowed to access the data room. These persons have to contractually agree to not further use and to destroy the received information in case of a possible failure of the negotiations.
  • The disclosed information shall be limited to what is really necessary and shall be reduced to the amount justified in view of the weighing of interests. Furthermore, data should be anonymised or aggregated so no person can be identified.
  • The extent of provided personal data shall be appropriate to the stage of the transaction process. The more advanced the process is, the more information may be disclosed. If the conclusion of a transaction contract gets closer and becomes more likely, more data may be disclosed.
  • In order to have additional security, non-disclosure agreements (NDAs) with explicit data protection clauses shall be concluded pursuant to which potential investors and their advisors shall be obliged to comply with data protection regulations.
  • Specified statutory professional confidentiality provisions need to be unconditionally complied with.

Practical recommendations to mitigate data protection issues

What do the Commissioner's recommendations mean? How can they help avoid or at least mitigate data protection issues?

According to the first recommendation, companies should prohibit the copying, saving and printing of documents from the data room to prevent confidential information spreading. This may be somewhat cumbersome for the potential investor and its advisors but adequately supports data protection.

With respect to recommendations two and three, data rooms nowadays are predominantly established as online platforms (virtual data rooms). The customary technical security standards to preclude unauthorised persons from gaining access to digital data shall, of course, also apply to such data rooms. Hence, companies have to ensure that the access to the online platform is strictly password protected. To avoid further issues and efforts connected to international data transfers, it seems advisable that the server of the online platform not be located in a jurisdiction whose legislation does – from a Swiss perspective – not guarantee adequate data protection (for instance the USA, India, Japan or China).

Furthermore, the access to the data room should be strictly limited to those persons who really need to assess the documents (need-to-know-principle). The group of persons, to whom access is granted, should be kept as small as possible. Additionally, such persons must have a current and genuine interest in the due diligence.

It goes without saying that every single person granted access to a data room should be expressly obliged to (i) use the information in the data room only for the purpose of due diligence, (ii) not disclose information to any third party, (iii) not print or copy documents from the data room and (iv) take appropriate measures that, when logged in to the data room, no other person may access the relevant computer or other communication device.

In case the transaction negotiations fail, the persons granted access to the data room should agree to destroy all received information including their due diligence results. Very often, data room providers prepare data room rules setting out all these obligations and request that each user accept these rules before accessing the information at their first login.

Recommendations four and five provide that never more information than absolutely necessary should be disclosed. Instead of fully holding back documents from the data room, this requirement may also be fulfilled if personal data set out in such documents is anonymised or blackened. Companies may then at later stages of the transfer negotiations, when the deal is more likely to be concluded, disclose less blackened documents, if required. When blackening information, no individual – natural or legal – person may be identified. In the early stages of a deal, contracts with the top management should be blackened in a way that not even the CEO may be identified. Step-by-step disclosure makes it possible to forgo the disclosure of personalised data from the outset and ensures that only general information is disclosed in the initial phase.

Customer, supplier and in particular employee data should – at least in the initial phase of the due diligence – be disclosed only in an abstract way. Therefore, no individual data of employees, for example, but rather only their number, average age and salary or percentage of women and university graduates etc should be disclosed. Last but not least, one may consider disclosing more sensitive information only upon specific request.

Referring to recommendation six, the following can be noted: to keep a possible M&A transaction in the preparatory phase strictly confidential, protect business and industrial secrets as much as possible, and comply with the above data protection principles, it has become standard that target companies sign confidentiality agreements/NDAs at the outset of the transaction process, before starting the due diligence. In general, these agreements contain provisions regarding the storage, return or destruction of information and are secured by a contractual penalty for non-performance. Furthermore, the agreements usually provide that accessed information shall not be forwarded by the recipient to any third party and exclusively used for the evaluation and assessment of the target company. Commonly, the agreed non-disclosure duty and confidentiality obligation, respectively, shall survive both (i) in case a transaction contract between the parties is concluded and (ii) in case the parties discontinue to proceed with the transaction.

Considering that virtual data rooms may regularly be accessed from everywhere in the world, and because in international transactions parties and advisors in various jurisdictions need to assess the disclosed information, disclosure is often considered an international data transfer. Accordingly, if jurisdictions are involved which do not guarantee an adequate data protection level, respective contractual guarantees have to be entered into.

In case information is protected by statutory confidentiality provisions (see the seventh recommendation) or other highly sensitive information needs to be disclosed, it may be considered to use the concept of 'advisors only disclosure', also known as clean team approach. The advisors have to undertake that they will convey to their client no details of the reviewed documentation but only generic information.

Summary and conclusion

The protection of personal data and compliance with the respective legal framework has – at least in EU jurisdictions and Switzerland – become an important and sensitive topic, especially when it comes to M&A and particularly due diligence. As Swiss data protection provisions protect not only data of natural but also legal persons, good M&A practice requires that disclosure of personal data, not only of employees but also of customers and suppliers, is only made lawfully, ie in line with the applicable data protection rules.

Needless to say, the obligation to protect data does not end with the due diligence but also extends to the completion of the M&A transaction.

Sufficient human resources and time have to be reserved so the transaction and particularly the due diligence process can be diligently planned and structured in a way which is compliant with the relevant rules and which secures the right of personality of all involved data subjects.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
