Diritti interna

Doveri interna

ricerca avanzata

Provisions Applying to Corporate Mergers and Split-Ups [1625292]

[doc. web n. 1625292]
versione italiana

Provisions Applying to Corporate Mergers and Split-Ups - 8 April 2009
As published in the Official Journal no. 106 dated 9 May 2009

THE ITALIAN DATA PROTECTION AUTHORITY

Having convened today, in the presence of Prof. Francesco Pizzetti, President, Mr. Giuseppe Chiaravalloti, Vice-President, Mr. Mauro Paissan and Mr. Giuseppe Fortunato, Members, and Mr. Filippo Patroni Griffi, Secretary General;

Having regard to legislative decree no. 196 dated 30 June 2003 (Personal Data Protection Code), in particular to sections 2(2), 11(1)a., and 154(1)c. and h. thereof;

Taking account of the recent decisions made by the Garante following corporate mergers and/or split-ups, with particular regard to a few companies in the banking sector (see decisions dated 11 December 2008, web doc No. 1584328, and 19 December 2008, web doc. No. 1584272);

Whereas the above operations – which entail the processing of personal data related to an often considerable number of data subjects (e.g. employees, suppliers, customers) – may also happen to be performed by companies making business in other industry sectors;

Whereas it is appropriate to clarify the requirements to be met by the data controllers that are concerned by mergers and/or split-ups in order to ensure that the processing is compliant with personal data protection legislation, which applies especially to the mechanisms that can be deployed to inform data subjects of the change that has occurred in the data controllership following the merger and/or split-up;

Whereas the absorbing company takes over any and all rights and duties vested in the company being absorbed following the merger by absorption and replaces the latter company in any and all legal relationships – including procedural relationships – set up prior to the merger (under section 2504-bis(1) of the Civil Code); whereas this effect is also produced in connection with a merger by amalgamation of several companies giving rise to a new company;

Whereas the personal data processed by the company being absorbed (and/or the companies participating in the merger) will also be processed seamlessly by the absorbing company (and/or the company resulting from the merger), insofar as they concern relationships that are intended to be taken up by the latter company;

Noting that, following the merger, the absorbing company (and/or the company resulting from the merger) becomes accordingly the sole data controller in respect of such personal data as were processed beforehand, without any (new) data collection being involved;

Noting that the Italian Court of Cassation also recently ruled that there exists "continuity" between the entities involved in a merger pursuant to the amendments brought about by legislative decree no. 6/2003 to section 2504-bis(1) of Italy´s Civil Code – whereby "… it has been finally clarified that the merger of companies as per section 2501 et seq. of Italy´s Civil Code does not entail the dissolution of the company being absorbed and/or the incorporation of a new entity in case of a merger by amalgamation; in fact, it brings about the unification of the companies participating in the merger by way of their mutual integration. Accordingly, there is no dissolution of a company with simultaneous incorporation of a new entity, the whole process consisting rather … in the  evolution and modification of the same entity, which retains its identity  albeit within a new organizational framework." (see decision no. 2637 of Italy´s Court of Cassation dated 8 February 2006)

Whereas corporate split-ups are also relevant in terms of data protection as they represent the evolution and modification of the company being split; whereas account should be taken in this regard of the new definitions provided by section 2506 of Italy´s Civil Code, whereby corporate split-ups are said to consist in the allocation of the assets and liabilities of the company being split rather than in the assignment of such assets and liabilities – which was the wording used in section 2504-septies of the Civil Code  beforehand; whereas section 2506(3) of Italy´s Civil Code allows the company being split to be dissolved without having to be wound up, whereby the company in question can continue its business via the different organizational framework resulting from the corporate split-up (see decision no. 1687 by the Regional Administrative Court of Tuscany dated 26 June 2008);

Whereas the aforementioned continuity in legal relationships as related to corporate mergers and split-ups can be also inferred from section 57(4) of legislative decree no. 385 dated 1 September 1993 (Consolidated Statute on Banking and Credit), whereby "any and all privileges and guarantees, by whomsoever provided and/or in any way existing for the benefit of banks absorbed by other banks …. and/or split-up banks, shall continue to be applicable, without any formalities and/or registration being required, to the absorbing bank, the bank resulting from the merger, and the assignee bank in case of a split-up, respectively.";

Noting, accordingly, that corporate mergers and split-ups are regulated specifically and in detail in Italy´s Civil Code as well as in the Consolidated Statute on Banking and Credit, and that such regulations should be taken into account given their possible impact on personal data protection issues; noting that the regulations in question include measures that can ensure the continuation of the legal relationships underlying corporate operations by simplifying the applicable requirements and safeguarding the legitimate interests vested in the various entities that are concerned by such mergers and split-ups on different grounds;

Whereas the legislation on the protection of personal data requires the latter to be processed "fairly" (under section 11(1)a. of the DP Code) by ensuring a high level of protection to fundamental rights and freedoms "in compliance with simplification, harmonization, and effectiveness principles" as per section 2(2) of the DP Code;

Considering that the aforementioned safeguards can be ensured by providing data subjects with the required updates of the information made available by the split-up company and/or the companies being absorbed and/or participating in the merger, and in particular by specifying the new name of the data controller and the identification information applying to the new data processor, if any, in order for data subjects to exercise the right of access to their personal data along with such other rights as are set forth in section 7 of the DP Code;

Noting that the updates in question can be performed via the web sites of the companies concerned by the mergers and/or split-ups whenever the latter take place as well as via individual notices that can be provided to the data subjects when first getting in touch with them for whatever purposes, also upon completion of the corporate mergers and/or split-ups – e.g., as regards customers, on the occasion of mailing standard commercial communications;

Considering that the above communication arrangements can contribute to making available thorough information in a timely manner on such processing features as may change on account of the corporate operations in question, pursuant to the fairness principle set forth in section 11(1)a. of the DP Code;

Considering, additionally, that the absorbing company (and/or the company resulting from the merger) is required, in the case of a merger by absorption, to give notification to the Italian DPA (and/or to supplement such notification where already submitted) if any processing operations are performed following the absorption that fall within the scope of notification obligations;

Considering, furthermore, that the company/companies resulting from a split-up is/are required to give notification to the Italian DPA if any processing operations are performed following the split-up that fall within the scope of notification obligations;

Having regard to the records on file;

Having regard to be considerations made by the Office as submitted by the Secretary General in pursuance of Article 15 of the Garante´s rules of procedure no. 1/2000;

Acting on the report submitted by Mr. Giuseppe Chiaravalloti;

NOW, THEREFORE, THE ITALIAN DATA PROTECTION AUTHORITY ORDER

1. under section 154(1)c. and h. of the DP Code, that any companies concerned by corporate mergers and/or split-ups should provide data subjects with the required updates of the information notices made available by both the split-up company and the companies participating in the merger – including, in particular, the new name of the data controller and the identification information related to the new data processor, if any, to be applied to in order to exercise access rights – in accordance with the following arrangements:

a. via the websites of the companies involved in the corporate mergers and/or split-ups at the time the latter take place;

b. via individual notices delivered to the data subjects when first contacting them, also for different purposes;

2. under sections 37, 38, and 154(1)c. and h. of the DP Code, that

a. the absorbing company (and/or the company resulting from the merger) should notify the processing (and/or supplement the notification submitted beforehand) in case of a merger by absorption, if any processing operations are performed following the absorption that fall within the scope of notification obligations;

b. the company/companies resulting from the split-up should notify the processing in case of a split-up, if any processing operations are performed following the said split-up that fall within the scope of notification obligations;

3. that a copy of this decision be forwarded to the Ministry of Justice – Ufficio pubblicazione leggi e decreti in order for it to be published in the Official Journal of the Italian Republic.

Done in Rome, this 8th day of April 2009

THE PRESIDENT
Pizzetti

THE RAPPORTEUR
Chiaravalloti

THE SECRETARY GENERAL
Patroni Griffi