Mexico City, December 14th, 2022

Privacy and personal data protection regarding legal due diligence operations for M&A.

One of the most significant topics in ESG is the privacy and personal data protection considerations that companies must apply as a fundamental benchmark with respect to corporate governance and ethical practices.

Among the operations in which a company's privacy and personal data protection policies and procedures, or the lack thereof, become particularly important is the due diligence process in M&A transactions.

In this regard, the privacy and data protection aspects to be considered in this type of operation are the following:


Legal Due Diligence.

In an M&A process, one of the most relevant steps is the legal due diligence of the company or companies to be acquired or that will participate in the merger.

During this process, the company to be sold or merged grants the potential acquirer access to information related to its customers, suppliers and employees, among others; such information may include personal data subject to the Federal Law for the Protection of Personal Data in Possession of Private Parties ("LFPDPPP", by its acronym in Spanish).

By virtue of the foregoing, some of the considerations to take into account are the following:

  • Verify that the selling company determines and identifies the information and personal data that will potentially be disclosed as part of the due diligence. For such purposes, the privacy notices of the selling party must be provided, in order to confirm that such notices comply with the requirements established by the data protection regulations in Mexico. The potential acquirer must also determine who will be given access to the protected data, including external advisors who will participate in the due diligence process.
  • Prior to the disclosure of personal data, it is essential to confirm with the seller that it has the necessary consents to carry out the disclosures.
  • Assuming that the corresponding authorizations are in place, once the terms and scope of the disclosure are determined and delimited, the selling party, the purchasing party and the other parties involved, such as the company that is the object of the transaction or its shareholders (depending on the scope of the transaction), must enter into a data transfer agreement in which they will establish the provisions related to the scope and content of the transfer. In addition, the third party must be provided with a copy of the privacy notice that was provided to the data subjects so that the receiving data controller processes the data in the same manner as the transferring data controller.

All data processing by the receiving controller must be in accordance with the privacy notice, and the receiving controller will assume the same obligations under the LFPDPPP as the controller that transferred the data.

The above is a process that must be carefully reviewed, since the confidentiality of the operation and the handling of communications with external advisors and stakeholders, such as employees or clients, also come into play, as do the rest of the obligations regarding data protection. Depending on the scope of the operation, it will be relevant to guarantee, for example, that the selling company has the necessary and proportional security measures in place.

  • After the execution of the aforementioned agreement, the selling company must provide the potential buyer with the personal data for analysis following the terms and conditions established in the agreement.
  • Finally, for the closing of the legal due diligence from the point of view of data protection, there are two possible scenarios: either the transaction is completed and therefore the transfer of "control" over the data is confirmed, or the transaction is not completed and therefore the potential buyer does not assume such "control". If the transaction takes place, the information will be controlled by the acquirer, who must respect the terms of the privacy notice under which the information was obtained or obtain a new consent of the data subjects under its own notice. If the transaction is not completed, the potential acquirer must return, destroy or delete the information used in the audit according to the terms of the data transfer agreement that has been entered into.

Renata Denisse Buerón Valenzuela


Gerson Vaca