Privacy due diligence a must in a company takeover?
In November 2018, the Information Commissioner’s Office (ICO, the British privacy regulator) discovered a data leak at a business unit of the Marriott hotel chain. This business unit was taken over by Marriott in 2016. The hotel chain is now facing a penalty of £99,200,396 (more than €110 million) for failing to carry out sufficient investigations into the protection of personal data during the takeover.
This data leak exposed personal data, including names, telephone numbers and e-mail addresses, of approximately 339 million hotel guests. Of these hotel guests, approximately 30 million are residents of the European Economic Area (EEA).
The data leak probably originated in 2014 in the reservation system of the Starwood Hotel Group, but was not discovered by Marriott until 2018. In 2016 Marriott took over the Starwood Hotel Group. The ICO finds that Marriott did not carry out enough research when it bought Starwood and should have done more to secure the systems.
Under the General Data Protection Regulation (GDPR), Marriott is the data controller with respect to the personal data it processes. An ICO spokesperson said that in the event of a corporate takeover an appropriate investigation should be carried out to assess not only what data is being processed but also how it is protected.
Marriott has thus far cooperated with the ICO’s investigation and the security system has been tightened up. The company can still submit its views on the ICO’s intended decision before the ICO takes a final decision.
This judgement of the ICO is of great importance for companies intending to take over another company. If personal data is not sufficiently protected at the acquired company, the acquiring company cannot hide behind the fact that this was the responsibility of the previous owner. It is important to make proper arrangements in the takeover agreement about any (future) consequences of the previous owner’s failure to comply with privacy legislation.
This is a Legal Update from Elze ’t Hart and Anne van der Sangen (legal assistant).