Hi privacy pros
Great to see a new forum for privacy matters popping up!
Let’s say company A sells a division of its business to another company B (both companies are EU based). This includes taking over some employees. It is my understanding that an employee’s emails on their company mailbox have to be treated very carefully since the employee’s fundamental rights to privacy apply.
I am now wondering how far company A may transfer mailboxes of employees, and archives of former employees containing still partially business-relevant emails, to company B.
What’s the best way of tackling this issue in your view? In particular curious about:
1. Can company A use its legitimate interest to transfer those emails as part of the whole business transfer to company B and just transfer them automatically?
2. If consent is the correct legal ground, should the companies leave this up to each employee to export and import their own mailbox at their own willingness (to not risk obtaining invalid consent due to the imbalance in the employer-employee relationship)?
3. Anything else to keep an eye out for?
Thanks in advance for your valuable insights!
Dave_Wylie
For me this SHOULD have all been covered by the Due Diligence in the Buy and Sell / Merger and Acquisition phase by the parties that were involved.
Seller Side: Data Protection “Pack” to assist the sale of the business in terms of validation and completion of the ROPA and the other artefacts that support the Risk profile of the systems and assets and supply chain as part of the sale.
Buyer Side: Conversely on the Buying side the same understanding of their business ROPA and the other artefacts that support their Risk profile of the systems and assets and supply chain.
During the Due Diligence phase the Businesses and the privacy teams of both should have been looking into the semantics of DP integration …
Maturity like this is currently a pipe dream but it NEEDS to happen
Chris Roberts
As it happens @Dave_W_ComlianceClarity talked about this very topic a week ago. The DPO of one of my clients called me late last year and said “Chris I can’t believe it, the MD called me into his office this morning and told me part of the business had been sold and the deal was completed last night”. To say he was angry and disappointed doesn’t even cover it!
Another client has engaged me to ensure, in his own words, “We can maximise the sale value of the business when we come to sell in 3-4 years’ time”. This is the right approach – embed the right practices and M&A (from a DP/Cyber perspective) will be fairly routine.
Merger and Acquisition (M&A) has to include assessment of the GDPR and Cyber-Risks and it is still not happening as it should.
Yorkie82
What is company A’s policy on the use of company email accounts? Is the private use of the emails allowed, forbidden or tolerated?
When the emails have been archived, have they already been privacy sanitised, i.e. private emails been removed?