Welcome to the next in our series of departmental newsletters. The focus this time is on our Corporate and Commercial department. In this issue we talk about the launch of our new Business Advice Centre, a Change of Control clause and Data Protection.
DBF Launches New Business Advice Centre
Last month we launched our brand new Davis Blank Furniss Business Advice Centre.
The aim is to provide practical information on the key legal issues that affect companies of all sizes including Credit Control, Terms & Conditions, Employment, Shareholder Agreements and much more.
Our expert team has filmed a series of videos and also drafted supporting articles which are all free to access.
You can watch and read by clicking this link.
Andy McNish – partner in our Corporate and Commercial department – discusses a Change of Control clause.
Hidden away amongst the ‘boilerplate’ (standard) clauses that tend to fill out commercial contracts, you can often find something called a ‘Change of Control’ clause.
This isn’t to be confused with a ‘Change Control’ clause – which is a mechanism for a customer to request a change in products or services being supplied under a long-term agreement.
A Change of Control clause gives a party a right (most usually the right to terminate the agreement) in the event of a change of control of the other party. They usually trigger both on the sale of a major part of the other party’s business to another (asset transfer), or if the shareholders/owners of that party change enough so that ‘control’ of it is gained or lost. The clause needs to be read carefully to see exactly what it covers and when it triggers. On a technical level, analysing these clauses can be quite difficult as although ‘control’ of a company is defined in various legislation, ‘change of control’ itself is not.
Usually the right to terminate is absolute if the change of control occurs – it doesn’t have to be exercised reasonably – so even the most technical change of control can give a party looking for it the ability to extract themselves from an agreement.
Putting a shareholding into the joint names of a spouse or into a family trust, transferring assets around inside a group – as well as the more obvious sale of all a company’s shares or assets to an outsider – can therefore trigger the clause.
Sometimes a change of control is even framed as a breach of contract (or ‘event of default’ in bank facility agreements) and the party with the benefit of the clause can terminate and/or claim additional sums (in facility agreements, banks will be able to increase the default rate of interest payable if a change of control occurs).
From the point of view of a commercial rationale, these clauses shouldn’t be automatically included in commercial contracts. They really only make sense if the individuals behind a party are key to the ongoing arrangement or as a get-out if a competitor or other unsuitable person gains control of an entity you are contracting with.
Any party subject to such a clause should therefore seek to limit its use to circumstances where the new owners are competitors or otherwise may reasonably be regarded as unsuitable.
If you have an existing long term agreement that is key to your business and are thinking of doing any restructuring (or want to get out of it) , it’s important to check whether or not it contains a change of control clause.
When negotiating new agreements, consider if you wish such a clause to be inserted for your benefit and (as none of us can be sure what the future may hold) either refuse, or limit as much as possible, the effect of such clauses which may trigger on a change of control of your company.
For more information on Andy and his work, please click here.
Charlotte Lowe – solicitor in our Dispute Resolution department – discusses Data Protection.
What is data protection?
We all provide information to third parties. The Data Protection Act 1998 (the “Act”) limits the way in which data can be stored or used to limit the risk to the individual of it being misused, unintentionally disclosed or misplaced.
Whose data is protected?
The Act protects the data of any “data subject”. A data subject is any individual about whom personal data is processed and includes individuals on contact or marketing databases, employees, contractors, consultants, suppliers and customers.
Is data about a Company protected?
A Company cannot be a data subject as it is not an “individual”. This means that the Act does not protect information about a Company. If the Company provides information to third parties which it wishes to remain confidential then it should take steps to protect the data. For example, when entering into a contract a Company can seek to include a clause in the contract which states any information provided to the other party must remain confidential.
What data is protected?
The Act only protects “personal data”. This includes basic information such as names, addresses, telephone numbers, job titles and dates of birth. However, other information will also be protected including any information by which the person could be identified and information expressing an opinion about an individual (for example a manager’s opinion of an employee). The information does not need to be confidential in order for the protection to apply. However, if data is anonymous and the individual cannot be identified then the data is not protected.
Is all data the same?
No, certain data is considered to be sensitive personal data and has extra protections. Information relating to race, political opinion, health, religious beliefs, trade union membership or criminal records is considered to be sensitive personal data. You have to be very careful when processing sensitive data and if you regularly deal with such data you should seek advice on this issue.
I hold personal data; do I have to protect it?
You have to protect data if you are a “data controller” under the Act. A data controller is anyone who processes personal data. Processing is very widely defined and essentially it means that almost any individual, business or government department in the UK which holds information about individuals (including employees) would be a data controller and have to take steps to protect the data which they hold.
Do I have to appoint a data controller?
No. A data controller is not a role which can be nominated to a certain individual in the same way as a compliance or financial officer. Any individual who handles data in your organisation is a data controller. This means that any person who handles data within your organisation has the potential to breach the Act and should receive training about how to deal with data to minimise the risk.
How is the data protected?
The Act sets out seven principles to protect data:
1. Fair and lawful processing: This is perhaps the most important of the data protection principles. It is often easy to determine if processing is unlawful. For example, processing will be unlawful if it relates to information contained in a stolen document. However, fairness is a more difficult concept. When determining whether the processing of data is fair, the paramount consideration is the consequence of the processing on the individual to whom the data relates.
2. Data must only be obtained for specified lawful purposes and not further processed in a manner which is incompatible with those purposes: This principle means that if information is obtained for one purpose (say, for joining a membership organisation) and it is used for another (say, to credit check an individual) then it is likely that this principle has been breached. If, however, the individual has consented to the second use then the data can be used in that way.
3. Data must be adequate, relevant and not excessive in relation to the purposes for which it is processed: The practical effect of this is that you should not obtain more information than is needed at the outset and data controllers should regularly review whether the data they hold is being used. If the data is not being used it should be deleted.
4. Data must be accurate and, where necessary, kept up to date: If you hold a large database then ensuring all information is accurate can be a difficult task. Case law has established that in order to meet the obligation to keep data up to date, a data controller needs to take reasonable steps to ensure its accuracy. What would constitute reasonable steps is decided on a case by case basis.
5. Data must not be kept for longer than necessary: Once data has been used for the purpose it was collected then it should be deleted. For example, if data was collected for a specific marketing campaign then it should be deleted once that campaign is complete.
6. Data must be processed in accordance with the data subjects rights under the Act: The Act gives the data subject various rights including the right to access the information held by a data controller and the right to object to the processing of their data. A data controller must ensure that these rights are adhered to.
7. Appropriate technical and organisational security measures must be taken to prevent unauthorised or unlawful processing, accidental loss or destruction or damage to personal data: A data controller must keep data secure. Not infrequently we hear stories of laptops being left of trains holding huge amounts of personal data. This would be in breach of this principle.
What do I do if I have breached the Act?
What action you should take will depend upon the scale of the breach. The accidental release of one individual’s information will need to be dealt with very differently to a situation where a whole database is compromised. Depending on the situation you may need to contact the individual(s) concerned; make a report to the Information Commissioners Office and/or review your policies and procedures.
How can Davis Blank Furniss help?
Davis Blank Furniss can assist you in taking preventative measures to reduce the risk breaching the Act. We have prepared numerous data protection policies to help businesses reduce the risk of breaches occurring. We can also assist you if you are in the unfortunate situation where a breach has already occurred. We have assisted clients previously where they have accidentally released entire databases. In addition, to advising them as to the legal situation, we were able to assist them on a practical level; for example how to deal with the Information Commissioners Office and the Individuals whose data had been compromised. If you want to take preventative steps or suspect that a breach has already occurred and you like some assistance, please speak with Charlotte Lowe.
For more information on Charlotte and her work, please click here.
If you have any queries or require any further information, please do not hesitate to contact our team of specialist solicitors on 0161 832 3304.