  • Mihaela Cracea
  • Jun 14, 2023
  • 3 min read

There is no doubt that the management’s focus is on the continuous growth of the business, but such endeavours need to happen in a legally compliant manner.


Each department of a business has its own, specific, legal challenges. One topic, though, is or to some extent should be, a common concern of all departments, namely the topic of data privacy compliance.


To a certain degree, personal data is processed by the HR department, but also by marketing, sales, accountancy, even by the administrative department which handles the correspondence of the company through the office desk or is doing the continuous monitoring of the spaces through the CCTV system.


These topics are certainly not new or unfamiliar to businesses. That is why the aim of this article is to recall some of them which are still disregarded or not properly implemented, and which raise major red flags in respect of data privacy compliance. While technical/IT protection measures are usually given enough importance, measures of an organizational nature, which seem less likely to generate risks, are in most cases given low importance, even though human error is, in most cases, the biggest source of risk.


Hence, from a practical perspective, how much, to what extent and in what circumstances the collection and use of private information about individuals is allowed might still be current questions to ask each time the company needs to process personal data.


Let’s see some examples of non-compliant practices that companies need to eliminate from their daily data processing activity.


Why eliminate them? Because every manager needs:

  • to protect the business growth from fines;

  • to protect the company’s image and reputation on the relevant market;

  • to make sure that the company is compliant with the contractual obligations undertaken by it towards its business partners.

Here is our blacklist for data privacy related conduct that companies need to keep away from:

  1. Sending significant quantities of personal data by email without protection, or communicating the passwords needed to access it through the same means of communication or, even worse, in the same email. Protecting the documents sent by email with passwords is a safety belt in case, by mistake, the sender chooses the wrong email address from the Outlook address book. The risk of sending an email to a wrong addressee is potentially higher than a cyberattack on the email server! So, use the safety belt and use password protection or another secure way of transmitting the data.

  2. Disregarding the fact that the business email addresses containing the name of the company’s employees/representatives are personal data too and the prior consent from such data subjects for sending marketing communications is needed.

  3. Sending marketing communications even after the targeted individuals exercised their opposition right to such processing or even the right to be forgotten. Keeping up-to-date records of those contact details which opted out of marketing communications or required the erasure of their personal data is highly recommended.

  4. Disregarding the minimization principle. Do not collect and use more personal data than you need for the specific purpose you envisage. The person in charge of the processing for a specific purpose should make up a list of the categories of personal data that might be needed for that purpose and then ask themselves why each category is needed. It should not come as a surprise if they do not find a reasonable and objective explanation for processing some categories of personal data. If that happens, there is no need to process such category of data for that purpose.

  5. Starting the processing activity without the prior notification of the data subjects. Provide a Notice of Information to individuals before collecting their personal data. They need to know, before disclosing their personal data, what the company is going to do with their data and for how long. Use the contracts signed with individuals or legal entities to provide such Notice of Information, use the company’s website to communicate such information, use the company’s social media account(s) for this purpose. The most important aspect is to communicate it to the data subjects in a way that ensures that they are properly informed.

  6. Asking for the consent of the employees for the processing of their data for labour purposes. Relying on consent, as legal basis for processing, should be avoided in a labour relationship. The processing of data related to labour contracts has other legal grounds of processing, such as, the execution and performance of the labour contract, fulfilment of legal obligations and the employer’s legitimate interest. We note that there might be cases when the legal basis for processing employees’ personal data should be consent; however, they need to be analysed on a case-by-case basis.

  7. Not applying the “clean desk” rule and forgetting printed documents at the printer or elsewhere, in unsecured places of the office. If someone takes the paper comprising personal data, this is clearly a data leak and a potential security incident.




To management: have you recently asked yourself whether any of the members of your staff could be in a position of conflict of interests?


If this is a topic that was already approached by your company and, as a result, rules in this regard have been implemented within the organisation, this is a great thing! The company’s compliance team may now concentrate their efforts on reminding such rules to the staff from time to time and on being sure that they are properly observed.


If not, maybe this is the right time for a close introspection into the organization to see whether:

- the concept of conflict of interests has ever been brought to the staff’s knowledge,

- it has been understood well, whether

- there are comprehensive guidelines in place to allow staff members to find answers should their actions ever come in conflict with the company’s interests, and whether

- the active avoidance of situations raising conflict of interests is on your staff members’ agenda.


Why do you need to be prepared and take a cautious stance? At least for three reasons:

1. to protect your company’s business,

2. to protect your company’s image and

3. to avoid breaching any contractual obligations you might have with your clients.


In case you are wondering, the answer is no, your company, a business acting in the private sector, is not so well protected by the applicable Romanian law. Hence the need for your company to create its own internal rules in this regard. In their absence, proving a breach of the loyalty obligation based on some conflicts of interest would be quite challenging for you.


While Romanian legislation concerning the public sector is quite generous in regulating conflict of interests of those holding a public office, in the private sector employers may rely on a single provision of the Labour Code (article 39 para. 2 letter d) which indicates that “employees have the obligation of loyalty to the employer in the course of performing their duties”. Nothing else!


What does this “loyalty obligation” mean though? We are quite sceptical that the immediate reaction of an employee reading about this obligation in their labour agreement (a standard provision) would be to think about situations concerning conflict of interests.


In the absence of clear guidelines, relying on the staff members’ due care and capacity to correctly assess a potential conflicting circumstance might not lead to the desired outcome. This would not necessarily be a result of bad faith, but merely a consequence of a lack of knowledge and awareness in this regard.


What is “conflict of interests” though?


“Conflict of interests” refers to a situation where an employee, acting in the performance of their duties within the company, takes actions or decisions that are favourable to them, personally, and that are less favourable (or even harmful) for the company, as employer.


To avoid being in a situation of conflict of interests when performing their duties, employees should avoid any circumstances in which their decisions would be influenced by their own personal interests.


Is “personal interest” related only to employees?


The concept also covers conflicting interests relating to the employee’s spouse and close relatives (such as children, parents). This means that, in the context of their work, employees should not act in favour of their close ones, but solely in the company’s favour.


What limits should be set for employees when they are mandated to bind the company in contractual relationships with third parties (e.g. services providers) and what rules should they observe to avoid drawing a personal gain for them or for their family members?


The answers to such questions depend on the company’s activity and industry field, as well as on the nature of the job positions in the organizational chart. Generally, employees should not be allowed to bind the company in acquiring services or products which, directly or indirectly, benefit themselves or their spouses/relatives. Otherwise, such actions may be found in conflict with the company’s interests and result in the – bluntly said – exploitation of the company’s interests for personal gains.


Clear rules, periodical declarations of conflict of interest and the prior approval of the management for any decision that might give rise to a case of conflict of interests are absolutely necessary for a good protection of any business.

Updated: Jul 6, 2023


In our previous article on reps and warranties, we mentioned that these are qualified by reference to information disclosed/known to the seller/buyer. Two important concepts are highly relevant for determining what "disclosed", "buyer's knowledge", "seller's knowledge" actually mean: the concept of due diligence (sometimes translated in Romanian as "legal/tax/financial analysis, etc.", although probably an accurate translation would be "due diligence [of the transaction]") and the concept of disclosed information.


Due diligence is the analysis carried out by the potential buyer on the target company (sometimes the seller prepares such an analysis for the benefit of the buyer, with the nuance that, in this case, the buyer will be able to rely on the conclusions of experts (lawyers, financial consultants, tax consultants) as if they had been hired by the buyer). In Anglo-Saxon literature and practice, due diligence has received several definitions, all leading to the idea of diligence, of research effort in order to identify risks.[1]


The Romanian Civil Code refers to the concept of due diligence in the context of the warranty for defects that the seller owes to the buyer for the object of sale. According to Art. 1707 para. (2) of the Civil Code, "A defect is concealed if, at the date of delivery, it could not have been discovered, without expert assistance, by a prudent and diligent buyer." Thus, Romanian civil law (i) starts off from the premise that a buyer should be prudent and diligent; but (ii) also indicates that the fact of calling on expert assistance has the concrete effect of limiting the seller's liability, as a result of the hidden defects becoming known to the buyer. Thus, disclosed information – that was brought to the attention of the experts providing assistance to the buyer - has the effect of limiting/excluding the seller's liability for hidden defects. The important nuance to bear in mind is that the above provision concerns the immediate object of the sale (in this case, the shares) and not the target company itself. For the latter, the allocation of risk between the parties to the transaction will remain contractual.


Due diligence analysis usually covers a wide range of issues concerning the target company, including: the financial situation of the target company and forecasts for the coming financial years, legal assessment of the target to identify legal risks, tax assessment of the target to identify tax risks, environmental implications (e.g. if the target operates in an industry with environmental impact).


From a contractual point of view, however, due diligence analysis is a buyer risk management tool,[2] because it is of crucial importance in determining what is meant by disclosed information and, consequently, in defining the buyer's knowledge of the subject matter of the sale, with consequences on the possibility of limiting the seller's liability. As mentioned in our previous article, according to the Romanian Civil Code (art. 1707 para. 4), the seller does not owe a warranty against defects of which the buyer was aware when the contract was concluded.


Due diligence analysis is usually carried out by third parties, professionals in the subject matter of the analysis, and is finalised by a due diligence report summarising the relevant issues identified. The legal due diligence report is an essential document for the buyer, as it contains details of, among other things:

  • title to the object of sale (e.g. title on shares);

  • any ancillary rights in rem which may encumber it (mortgages);

  • any onerous obligations assumed by the target company (e.g. the obligation to pay substantial bonuses on termination of management contracts - so-called golden parachutes), and of

  • other existing exposures of the target company, not materialised through fines or other sanctions, but within the applicable limitation periods and with the potential to materialise (e.g. potential significant liability of the target company for past breaches of law: breaches of tax, competition, environmental or data protection laws or the existence of significant litigation/disputes with significant financial stakes).

The level of accuracy of the reporting in the legal due diligence report depends to a large extent on two aspects: (i) the quantity and quality of the information provided by the seller to the buyer's team of experts; (ii) the level of professionalism and knowledge of the law, as well as the ability to think critically and in a flexible, commercial way (and not rigidly and outside business realities) of the lawyers involved in the process.


As regards the first element, the consequence of insufficient or incomplete information is that the seller will not be able to rely on a limitation of his/her/its liability on the basis of the disclosed information, since it has not been disclosed in a way which enables the buyer to know and appreciate the risk (fully and fairly disclosed).


As to the second element, the seller will be able to rely on the limitation of its liability to the extent that the information disclosed is sufficient and accurate, even if the buyer's advisers (including lawyers) did not have the ideal agility, knowledge or even time to identify the risks and expose them to the buyer.[3] Here then is the importance of involving lawyers in the due diligence process: ultimately, if the information about the target company is fully and fairly disclosed (as is the market standard) i.e. in a full and fair manner and in sufficient detail to enable the buyer to identify the nature and implications of the disclosed problem, then the buyer's ability to correctly manage the legal (and, to an important extent, the financial) risk of completing the acquisition depends to a substantial extent on the quality of the legal advice received.


Due diligence - a stage in M&A processes that consumes resources, time, patience, but is necessary and without which it is not possible to move forward in the context of a realistically thought out and committed acquisition process.

[1] Robert F. Bruner, Applied Mergers and Acquisitions (Wiley 2004), p. 208 - “Due diligence is research. Its purpose in M&A is to support the valuation process, arm negotiators, test the accuracy of representations and warranties contained in the merger agreement, fulfil disclosure requirements to investors, and inform the planners of postmerger integration. Due diligence is conducted in a wide variety of corporate finance settings, and is usually connected with the performance of a professional or fiduciary duty. It is the opposite of negligence. One dictionary declared that “due diligence” is: <<Such a measure of prudence, activity, or assiduity, as is properly to be expected from, and ordinarily exercised by, a reasonable and prudent man under the particular circumstances; not measured by any absolute standard, but depending on the relative facts of the special case.>> (From page 457, Black’s Law Dictionary, 6th ed., 1990, Henry Campbell Black, ed., St. Paul, MN: West Publishing Company). In a classic definition, a court defined diligence as: <<Vigilant activity; attentiveness; or care, of which there are infinite shades, from the slightest momentary thought to the most vigilant anxiety. Attentive and persistent in doing a thing; steadily applied; active; sedulous; laborious; unremitting; untiring.>> (National Steel & Shipbuilding Co., v. U.S., 190 Ct.Cl.247, 419 F.2nd 863, 875)”.

[2] Ibid. p. 209 - “(…) due diligence is a risk management device. Investing in due diligence is like investing in R&D [n.n. research and development]: you’re not sure what the payoff will be, but the right to find out is worth enough to buy. (…) risk bearing is always costly. There is no free lunch. Making a fair comparison, broad and narrow reviews are equally costly (your acquisition target will try to make you think otherwise). To take an absurd example, it would seem to be cheapest to go without any due diligence review. But this judgement of expense ignores that in doing so you bear the risk entirely, like self-insuring your car or health, which can be dangerous (though it may have cash flow benefits in the short term).”

[3] Ibid. p. 7 - “Due diligence. This is the structured search for risk. Here again, we have a discovery process that depends on both organized inquiry and agile thinking. […] due diligence is least successful when reduced to rote fact checking. Instead, the right way to discover hidden risks is to research curious details, anomalies, inconsistencies, and discontinuities – all under tight time pressure and efforts by the seller to put a gloss on things. Here, the uncertainty of conduct arises from the investigator’s stamina, care, and capacity for critical thinking.”
