Data Protection in the Context of Competition Law Investigations: An Overview of the Challenges

Abstract

The interface between data protection law and competition rules has become a growing area of interest for companies and lawyers. First, in the course of unannounced inspections (the so-called dawnraids), European Commission and national competition authority officials typically review company records and search employees’ e-mails and electronic files and records (including those which people thought had been deleted). They will make hard and/or soft copies of relevant documents and in certain cases may even seize entire hard discs. This raises the question of whether such intrusions are compatible with data protection rules and thus which restrictions such rules impose on the ability of competition officials to collect and process data seized during inspections. Another intersection between competition law and data protection law arises where companies need to collect and further process data from their employees to respond to a competition authority’s request for information or a statement of objections in the course of a pending competition law investigation. Companies may also wish to access and review e-mails and other employee records so as to uncover potential competition law infringements (e.g., in the context of a compliance programme) or to prepare a leniency application.Against this background, this paper seeks to identify the limits that may be placed by data protection law on competition authorities, on the one hand, and companies, on the other hand, to collect and further process personal data in the context of competition law investigations.This paper is divided into four sections. Section II briefly sets out the legal framework for data collection and processing in the EU. Section III explains the key data protection principles and Section IV identifies the key players in the context of EU data protection law. Section V elaborates on the key data protection principles and how they apply to competition authorities on the one hand and companies on the other hand. Section VI discusses the legal consequences of non-compliance with data protection rules. Section VII concludes.