The new DPC website is currently under construction. Our latest guidance in relation to GDPR, which comes into effect on 25th May, 2018, can be found at gdprandyou.ie and via pages on this website starting with "NEW" as per the navigation pane on the left. All other material on this site relates to the previous legislative regime under the Data Protection Acts 1988-2003 ("the Acts"). While the Acts may continue to apply in some circumstances, as of 25th May, 2018 the GDPR is the primary piece of legislation governing data protection.

Data Protection Commission
Transfer of ownership of Business

Arrangements in relation to Employees


Business mergers and acquisitions will generally involve the disclosure of employee data during evaluation of assets and liabilities prior to the final merger or acquisition decision. Ideally, such an eventuality should be foreseen in an organisation's Data Protection Policy. The policy should provide that certain specifiable personal data may be disclosed in the context of acquisition discussions, particularly because secrecy may be a condition of negotiations. In any event, the processing (including disclosure of personal information which may be required during this process) should be subject to a confidentiality agreement to protect the privacy of the individuals concerned.


Adherence to Data Protection requirements is vital in this process. Disclosure to the prospective buyer of non-sensitive personal data may be based on the legitimate interests of the employer as provided by section 2A (1) (d) of the Acts. Disclosure of sensitive data, such as individual employees' health data or union membership details, should be avoided unless one of the provisions of section 2 B of the Acts can be relied upon which is unlikely in most acquisition processes. Section 2 D of the Acts requires that data subjects be informed of disclosures of their personal data.

The following general guidelines should be followed in these situations:

1. Ensure, wherever practicable, that information handed over to another organisation in connection with a prospective acquisition or merger is anonymised.  Disclosure of sickness records will entail the processing of sensitive personal data and must be avoided – only aggregate data relating to absence levels should be disclosed.

2. Only hand over personal information prior to the final merger or acquisition decision after securing formal assurances that:

?        it will be used solely for the evaluation of assets and liabilities;

?        it will be treated in confidence and will not be disclosed to other parties; and

?        it will be destroyed or returned after use.

3. Advise workers, wherever practicable, if their employment records are to be disclosed to another organisation before an acquisition or merger takes place. If the acquisition or merger proceeds, make sure that employees are aware of the extent to which their records are to be transferred to the new employer.

4. Ensure that if you intend to disclose sensitive personal data a sensitive personal data condition is satisfied. Generally, such disclosures should not be necessary in the context of due diligence exercises.

5. Where a merger or acquisition involves a transfer of information about an employee to a country outside the European Economic Area (EEA), ensure that there is a proper basis for making the transfer.

6. New employers should ensure that the records they hold as a result of a merger or acquisition are accurate and relevant and do not include excessive information. Within a few months of the merger or takeover the new employers should review the records they have acquired (for example, by checking the accuracy of a sample of records with the workers concerned) and should make any necessary amendments.

Arrangements in relation to Customer Personal Data

It is, of course, likely that customer data may need to be accessed as part of a prospective acquisition.  In these circumstances, all such data, where it constitutes personal data, must be anonymised prior to disclosure to a prospective buyer as there is no basis in the Data Protection Acts for the release of such information as part of the consideration of a merger or acquisition process.

Obviously, following a merger or acquisition, customer personal data, where it continues to be processed for a purpose, may become available to the new owner/partner.  This prospect should be envisaged in the service terms and conditions for the customer to allow for fair processing of their data.  This can be handled by a relatively straightforward clause informing the customer of the possibility that their personal data may be available to any legal successors of the company in question.