Personal information concerns when conducting due diligence

Transactional attorneys are intimately familiar with due diligence requests (“DDR”). A prospective buyer (“Buyer”) will typically deliver to a target company (“Target”) a DDR which includes a section requesting information related to a Target’s employees and the circumstances of their employment. In Taiwan, we advise Buyers to take steps to ensure they do not inadvertently collect such employees’ personal information, thus violating Taiwan’s Personal Information Protection Act (“PIPA”).[1]

PIPA permits personal information to be collected and processed only in situations where there exists: (i) a specified purpose for such collection and processing; and (ii) one or more of six qualifying conditions.


Although the specified purpose must be reasonable, the data collector or processor is largely left free to determine the purpose for collecting or processing any personal information. There is no indication that due diligence associated with an acquisition transaction would not be considered a reasonable purpose for the collection or processing of personal information under PIPA.

Qualifying Conditions

Unlike the purpose requirement, the list of qualifying conditions is strictly limited to the specific conditions delineated in the statute. In the context of an acquisition transaction, the relevant qualifying conditions would likely be one or more of the following:

  1. a contractual or contract-like relationship between data processor or collector and the data subject; or
  2. the data subject’s consent.

Contract or contract-like relationship

In an acquisition context, a Buyer, as data collector, is not in direct privity of contract with Target’s employees; therefore, no direct contractual relationship exists between the data collector and the data subject. However, PIPA and related regulations allow for a less formal contract-like relationship to suffice as a qualifying condition for personal data collection. Such relationships are typically found to exist in pre-contract negotiations or contract formation processes. For example, a contract-like relationship would exist between an employer and a potential employee during the hiring process, prior to any contract actually being signed. Given that Buyers normally do not negotiate with a Target’s employees during the pre-signing phase of a transaction, it is extremely doubtful that any contract-like relationship would be found to exist which would justify the collection of Target employees’ personal information.

We note that this reading of the PIPA creates a slight tension with Taiwan’s Business Merger and Acquisition Act (“BMAA”) pursuant to which a Buyer may negotiate with a Target to determine which of Target’s employees will be retained post-closing. However, the intention of the BMAA to allow such negotiations is not a basis to find that a Buyer has a contract-like relationship with a Target’s employees sufficient to justify collection of their personal information.


If there is neither a contractual nor contract-like relationship between the Buyer and Target’s employees, the only remaining qualifying condition that would allow for the collection of the employees’ personal information would be receipt of consent from the employees themselves. In the vast majority of cases, this is both impractical and undesirable as Buyers normally wish to keep transactions as confidential as possible.

Personal information

Absent a clear cut path to the legal collection of Target employees’ personal information, we encourage prospective Buyers to take steps to ensure that no personal information is collected from Taiwan data subjects.

In Taiwan, personal information is defined as any information that can directly or indirectly identify a natural person. Buyers should, therefore, request any Target to redact employees’ names, national identification numbers, addresses, and any other information that could identify an employee from all employment agreements before disclosing such agreements. Similarly, payroll information can be disclosed only if employees’ names and other identifying information are redacted.

We recommend that any DDR sent by a Buyer to a Taiwan Target clearly request that any and all employee information to be provided pursuant to such a DDR must not contain employees’ personal information.

For more information on data protection and privacy matters in Taiwan, please contact Christine Chen at

[1] It is important to note that a Buyer’s liability extends to the acts of its agents and professional advisors. So, a Buyer would remain liable even if a DDR were sent out on its behalf by its lawyers or other professional advisors.

Written February 21, 2017 By Christine Chen.