M&A transactions under PIPA (Bermuda)

Published: 14 Apr 2025
Type: Insight

Mergers and business acquisitions are among the many different types of business transactions that require the disclosure and use of personal information between the prospective parties.


The types of personal information that may be necessary to disclose for due diligence, valuation and integration planning purposes may include customer information, employee information — including employment agreements — obligations or liabilities owed to individual third parties, and other human resource records, including dispute resolution files.

Normally, the initial stages of any M&A discussion between the parties will begin with, and will be governed by, some sort of commencement agreement.

That may be as simple as a confidentiality or non-disclosure agreement, or it may take the form of an exclusivity agreement, a terms sheet or a binding memorandum of understanding.

Regardless of form, the kick-off agreement for an M&A transaction will usually have three features that are directly related to the necessary disclosure of personal information in an M&A transaction: to recognise the proprietary and confidential nature of all provided information; that such information can only be used for the sole purpose of the transaction; and that, if the transaction does not proceed, all such information must, without qualification, either be destroyed or returned to the disclosing party.

Those preliminary engagement norms for M&A transactions are well addressed by the Personal Information Protection Act 2016, which came into force on January 1, to ensure that any personal information that is necessary for an M&A transaction can, based on certain conditions, be shared between the parties without the consent of the subject individuals.

In that regard, section 46 of Pipa provides that an organisation may, both leading up to the transaction and for its completion, use personal information for the purposes of a business transaction without the consent of the individuals, where the parties have an agreement that restricts such use for the purposes of the transaction and otherwise only for the purpose for which it was originally collected, and if the transaction does not proceed, all such information must either be destroyed or returned to the disclosing party.

Therefore, any contractual qualification to Pipa’s required agreement provisions — eg, that may allow disclosed personal information to not be destroyed or returned, and to be held by the recipient for reasons other than for the business transaction — may not permit any personal information to be shared with the other party to the transaction.

Pipa also provides an additional disclosure condition whereby the disclosing party must determine that such a disclosure is necessary for the proposed M&A transaction to be considered, proceeded with, or to be completed. Such determinations can be internally documented by either an executive of the disclosing party or by its privacy officer.

Should the disclosing party to the M&A transaction wish to secure the consent of any subject individuals for any purpose beyond the M&A transaction, Pipa provides that “…nothing in this section (restricts) a party to a business transaction from obtaining the consent of a person to (use) personal information… for purposes beyond the purposes for which the party obtained the personal information”.

It is interesting to note that the business transaction allowances in Pipa do not apply where the primary purpose, objective or result of the proposed transaction is “the purchase, sale, lease, transfer, disposal or disclosure of personal information”. However, even though Pipa only applies to “every organisation that uses personal information in Bermuda”, the words “purchase”, “sale”, and “lease” are not included in Pipa’s definition of “use”.

Parties to an M&A transaction must also consider whether any personal information that is being disclosed for the purpose of that transaction is being transferred to an overseas third party.

If so, then at least one of the export allowance options of section 15 of Pipa must be met before any such export from Bermuda is permitted. That is also true where the due diligence “data room” is located outside of Bermuda.

Those engaging in M&A transactions should ensure that their preliminary engagement agreements include the above noted provisions to allow the disclosure of personal information for the proposed transaction.

Standard form M&A engagement agreements, including NDAs, may need to be reviewed and updated to reflect Pipa’s grounds to allow such transactional use and possibly export from Bermuda.

Further, all merged or amalgamated entities that use personal information in Bermuda should ensure that the data protection policies and procedures for the combined organisation are revised for consistency, particularly with regard to the combined organisation’s compliance “measures and policies” and privacy notices.

The implications of Pipa for the use of personal information will have to be considered at each step along all M&A transactions.

First Published in The Royal Gazette, Legally Speaking column, April 2025

Share
More publications
050-Insolvency-Restructuring-Grid-Image
13 Jul 2026

Bermuda: Restructuring & Insolvency

This country-specific Q&A provides an overview of Restructuring & Insolvency laws and regulations applicable in Bermuda.

Appleby-Website-Regulatory-Practice
10 Jul 2026

It’s healthy to sometimes disagree with regulators

At some point, almost every regulated business will disagree with its regulator.

Appleby-Website-Privacy-and-Data-Protection
8 Jul 2026

Bermuda Privacy Commissioner Signals Shift to Stronger PIPA Enforcement

The Office of the Privacy Commissioner (PrivCom) has issued its first annual report since Bermuda's Personal Information Protection Act 2016 (PIPA) came fully into force, with the reports content signaling a transition from education and implementation to a stronger focus on enforcement.

Bermuda-1024x576-1
1 Jul 2026

A Forest for the Future

A first since the blight, the airport cedar forest is growing tall and standing strong.

Appleby-Website-Regulatory-Practice
1 Jul 2026

Complied out of business

Firms are complying themselves out of business because compliance no longer matches the evolving sophistication of the Bermuda Monetary Authority (BMA).

Appleby-Website-Insurance-and-Reinsurance
1 Jul 2026

The long game: how Bermuda became the world’s life reinsurance capital

Ask a life insurer in New York, London or Tokyo where the liabilities behind their book ultimately sit and there is an increasingly good chance the answer is a 21-square-mile island in the North Atlantic.

Appleby-Website-Insurance-and-Reinsurance
1 Jul 2026

Record H1’26 Cat Bond Issuance Driven by Rising Sponsor Comfort and Diversified Risk

With H1 2026 officially breaking the record for the most catastrophe bond deals to come to market and settle in the first six months of the year, a key trend driving this momentum is how comfortable sponsors have become with the mechanics of the overall cat bond space. This familiarity has ultimately encouraged a wave of new sponsors to enter the market, according to Brad Adderley, Managing Partner at law firm Appleby.

Appleby-Website-Employment-and-Immigration
12 Jun 2026

The Cost of Getting Employee Departures Wrong: Five Common Pitfalls for Bermuda Employers

Employee departures are an inevitable part of running a business, but the way they are managed can have significant legal, financial and operational consequences. In Bermuda, employers who approach terminations without adequate preparation may expose themselves to unnecessary disputes, regulatory issues, and reputational harm. Whether an employee is being dismissed for performance reasons, made redundant or departing as part of a negotiated exit, by recognizing the following common mistakes and taking a proactive approach, organizations can manage departures more effectively and reduce risk.

Appleby-Website-Privacy-and-Data-Protection
8 Jun 2026

It’s time to bridge Pipa compliance gap

A review of 200 publicly available privacy notices of companies in Bermuda has revealed that just one in nine are fully compliant with the Personal Information Protection Act 2016.

Appleby-Website-Privacy-and-Data-Protection
26 May 2026

Transparency is a legal requirement under Pipa

Major companies across the European Union have faced substantial fines between 2019 and 2024, estimated at a total of €930 million (about $1.08 billion), not only for cyberattacks or data breaches, but also for issues such as noncompliant privacy notices. A common theme in many cases has been a lack of transparency.