This includes customers' credit information and risk profiles.

As a result, local law restructuring and insolvency reforms balancing the interest of stakeholders in a more equitable way, in the manner that we have recently seen in Spain, Italy, Cyprus and Greece and, very importantly, their commercial and timely application and interpretation by domestic courts, will continue to be an area of crucial importance when assessing the attractiveness of a European jurisdiction as a secondary NPL market.

2. Data Protection and NPL Transactions

The European General Data Protection Regulation (GDPR) introduces the potential for high fines (of up to 4% of worldwide annual turnover) and regulatory sanctions, which bring into sharp focus the need for compliance. However, less widely understood are the implications that GDPR holds for NPL transactions. Virtually all NPL transactions will, after all, include the need to process personal data by virtue of the information in the underlying loans.

Under the GDPR, the concept of personal data is widely cast and encompasses any information relating to an identified or identifiable natural person. Specific examples given in the GDPR include name, identification numbers and references. Personal data is therefore not limited to the identifiers themselves but also includes almost anything linked to those identifiers. A “data controller” is an entity which, alone or jointly, determines the purposes and means of processing, and both the seller and the potential buyer will usually be data controllers.

Almost any interaction with personal data will amount to processing including collecting, organising, storing, altering, retrieving, using and erasing. Given the wide scope of personal data and processing activities, data protection requirements are therefore most likely to impact an NPL transaction at two stages: the Due Diligence stage and the Completion stage.

Lawful Basis of Processing

A fundamental principle of the European data protection regime is that all processing of personal data must be lawful. This means that processing activities must fall within one of the six lawful bases set out in Article 6 of the GDPR. The most appropriate lawful basis for processing in the context of an NPL transaction is “legitimate interest”. While this is the most flexible basis, it does require organisations to assess and document their assessment of the interests of the seller versus the interests of the individual, giving consideration to the impact on their fundamental rights and freedoms (Legitimate Interest Assessment). Completing such an assessment is not an easy exercise and requires due consideration to the purpose of disclosure, the impact on the individual and, indeed, whether the purpose of processing can be achieved without the disclosure of the personal data.

From an accountability perspective, the Legitimate Interest Assessment should be prepared by the counsel to the seller, considered carefully by the board, the deal team and the responsible data protection officer and a detailed record thereof should be retained by the seller as part of its data protection governance documentation.

Due Diligence and Data Minimisation

The seller should consider whether the personal data being disclosed in the dataroom (or otherwise) is necessary for the purpose. This is the principle of data minimisation. Typically, where data is not necessary for the purpose, it should be removed or redacted. Redaction exercises can be costly, difficult and time-consuming. It is important to note that redaction may not be required in every instance and sellers should agree a scope of documents required for the due diligence exercise and may wish to consider a phased approach to the exercise.

From a data governance perspective, while the potential buyers will be considered controllers, any NDAs entered into for access to the dataroom should include relevant controls limiting the use of personal data similar to those used for other confidential information.
