Corporate transactions and service provision changes (employment)—data protection issues under the GDPR
Corporate transactions and service provision changes (employment)—data protection issues under the GDPR

The following Employment guidance note provides comprehensive and up to date legal information covering:

  • Corporate transactions and service provision changes (employment)—data protection issues under the GDPR
  • Key initial considerations
  • Preliminary issue—consider whether TUPE applies
  • Employee liability information (ELI)
  • The data protection issues that are likely to arise
  • The data protection principles to consider
  • Personal data—identify a lawful processing condition
  • Anonymisation and pseudonymisation
  • Whether lawful and specific processing condition—consent likely to apply
  • Whether lawful processing condition—compliance with legal obligation likely to apply
  • more

This Practice Note considers the employment-related data protection issues arising in relation to:

  1. a share purchase, by which the buyer takes over ownership of the company carrying on the business (the target company), acquiring as a result all of its assets, obligations and liabilities (whether or not the buyer was aware of them)—see: General issues (share purchase)—overview

  2. an asset purchase, by which, rather than acquiring the target company, the buyer selects the assets and liabilities it wishes to acquire from the seller (explicitly excluding those which it does not wish to acquire) and purchases them, together with the business in which those assets are used—see: General issues (asset purchase)—overview

  3. a first- or second-generation outsourcing, or an insourcing, also known as a service provision change (SPC)—see Practice Note: Outsourcing—employment issues

For the purposes of this Practice Note, references to ‘seller’ include the transferor (whether client or first-generation contractor) on an outsourcing, and references to ‘buyer’ include the transferee (whether contractor or client) on an outsourcing or insourcing.

Key initial considerations

The parties’ obligations under Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018) are likely to vary depending on:

  1. the nature of the transaction and, in particular, whether it amounts to a relevant transfer under the Transfer of Undertakings (Protection of Employment) Regulations 2006,