Carve-out data separation and GDPR compliance is the workstream that decides whether Newco lawfully holds personal data from Day One or inherits silent regulatory exposure. The work covers controller and processor mapping, lawful basis, transfer mechanisms, retention, deletion, and breach response. This article sits inside the broader carve-out advisory program and frames the privacy controls Newco needs before close.
A carve-out moves personal data. Customer records move. Employee files move. Vendor contacts move. Telemetry, support tickets, financial reconciliation logs, recordings of customer calls, training data, and analytics warehouses all contain personal data that must move with the business it serves. The General Data Protection Regulation treats every one of those movements as a controlled act, with conditions on who can hold the data, where it can flow, and what the data subjects must be told.
Day One is the test. From the moment Newco operates as an independent legal entity, it is a controller in its own right for the personal data it processes. The seller cannot continue to act as the controller for Newco's data after the transfer of business. The data flowing through Newco systems requires a fresh lawful basis under Newco's name, a fresh set of privacy notices, a fresh accountability framework, and fresh data processing agreements with every vendor that touches the data.
The TSA complicates the picture. During the TSA, the seller continues to process Newco data on shared systems. That arrangement is a processor relationship under GDPR. It needs a data processing agreement that runs alongside the TSA, with explicit purposes, retention limits, security commitments, and audit rights. Programs that fail to paper the processor relationship operate outside the law from Day One.
Regulators expect privacy by design in carve-outs. A poorly executed data separation program creates exposure that surfaces in audits, in complaints, and in supervisory authority enquiries. The fines under GDPR for serious controller failures reach 4 percent of global turnover. Privacy planning needs senior leadership attention from signing forward.
The first task is a controller and processor map. Every data set that crosses the carve-out boundary needs an explicit statement of who controls it on Day One, who processes it on Day One, what the lawful basis for the transfer is, and what notices the data subjects need. The map is a working document that starts in diligence and matures through close. Programs that skip the map make ad hoc decisions in flight and produce inconsistencies that are difficult to remediate.
Employees, customers, suppliers, and third-party data subjects each need separate treatment. Employee data may transfer under works council agreements and local labour law. Customer data may transfer under legitimate interest, with notice obligations and the right to object. Supplier contact data may transfer under contract. Each category has its own lawful basis analysis. A single statement that says all data moves under legitimate interest is not credible to regulators.
Special category data needs explicit attention. Health data, biometric data, trade union membership, criminal records, and similar categories have stricter conditions for processing. The carve-out treatment for special category data needs explicit legal review, often a data protection impact assessment, and sometimes consent renewal. The volumes are smaller than ordinary data, but the regulatory weight is much higher.
The privacy notice refresh is mandatory. Data subjects need to be told that their data has moved to a new controller. The notice covers the identity of Newco, the data categories, the purposes, the legal basis, the recipients, the retention, the rights, and the complaint route. Programs that defer notice updates rely on continuing implied consent that may not survive scrutiny.
Cross-border data transfers attract extra controls. Where the seller hosts data inside the European Economic Area and Newco hosts data outside, the transfer needs an approved mechanism. Standard contractual clauses are the most common. Binding corporate rules can apply where Newco is part of a group with an existing programme. Adequacy decisions cover transfers to listed third countries. Programs that move data across borders without an approved mechanism face direct supervisory exposure.
The transfer impact assessment is a structured review of whether the destination country provides essentially equivalent protection to GDPR. The assessment covers government access laws, redress mechanisms, and supplementary measures that may be needed. Where the destination law allows broad surveillance access, supplementary measures such as encryption with Newco controlled keys may be required. The assessment needs documentation that survives a regulator request.
Cloud platforms add complexity. Many carve-outs inherit cloud configurations where data sits in regions the carve-out planning never explicitly chose. The data residency map needs to reflect the actual storage location, not the assumed one. Where the carve-out structure changes the data residency requirements, migrations may be needed. The migration plan needs to be sequenced with the rest of the carve-out workstreams, since data residency moves typically take weeks to execute.
Sub processor chains need explicit treatment. The seller's cloud, SaaS, and managed service vendors all process data on the seller's behalf. After close, those vendors process data on Newco's behalf, which means new data processing agreements, new sub processor lists, and new transfer mechanisms with each one. The list is often longer than expected. The procurement context is in the carve-out procurement strategy.
Retention schedules transfer with the data, and Newco needs to be ready to enforce them. The seller's retention rules reflect the seller's risk appetite. Newco may inherit those rules at close, or may adopt a stricter or looser framework. Either choice needs a documented retention schedule, technical enforcement, and the audit trail to prove compliance. Programs that operate without an enforced retention schedule accumulate data that becomes hard to defend in any audit.
Deletion at the seller is a critical control. After the carve-out, the seller usually retains backups, logs, and archives that contain Newco data. The TSA needs to address how long the seller retains those copies, under what controls, and when they are deleted. Open ended retention by the seller is a controller risk for Newco, since data the seller still holds remains within the seller's processing scope and any breach affecting that data still touches Newco subjects.
Data subject rights need to work from Day One. Subjects have rights to access, rectification, erasure, restriction, portability, and objection. The Newco team needs to receive, route, and respond to those requests within statutory deadlines, often 30 days. Programs that wait until a request arrives to build the response process miss deadlines. The response runbook needs to exist, the responsible team needs to be staffed, and the workflow needs to be tested before close.
Records of processing under Article 30 are the audit trail. Newco needs a documented record of every processing activity, including purposes, categories, retention, and recipients. The record needs to be available to supervisory authorities on request. The Day One record is a frozen snapshot that the privacy team updates as the operating model evolves. The Day One programme context is in carve-out Day One readiness.
Personal data breaches do not wait for the carve-out to finish. Newco needs a breach response process that works from the first hour after close. The process covers detection, internal escalation, severity assessment, supervisory authority notification within 72 hours where required, and data subject notification where the risk is high. The cybersecurity controls feed the privacy response. The cyber programme context is in carve-out cybersecurity for Day One.
The TSA needs to address breach scenarios that involve shared systems. If the breach occurs on a system the seller operates under TSA, Newco still owes the controller obligations to its data subjects and supervisors. The seller's breach response and the Newco breach response need to be coordinated, with explicit timing commitments, information sharing protocols, and authority over public communications. Programs that leave this undefined often miss the 72 hour window.
A data protection officer or equivalent privacy lead needs to be in place by Day One where the regulation requires it. The role needs the right reporting line, the right authority, the right tooling, and the right contact point published in the privacy notice. Programs that defer the appointment carry compliance exposure that any incident will expose. Where Newco is too small for a dedicated officer, an external privacy lead under retainer is the usual answer.
The first 90 days are also when supervisory authorities are most likely to receive complaints. Carve-out announcements draw attention. Subjects who notice that their data has moved without clear notice file complaints. The complaint volume in the first 90 days is a leading indicator of programme maturity. Programs that have notices, response runbooks, and named contacts ready see the volume drop quickly.
The control stack the privacy programme depends on.
Read the article →Where data moves, what carries it, and when it lands.
Read the article →The Day One readiness programme any carve-out structure requires.
Read the article →The 90-day governance, IT, finance, HR and procurement separation plan we run on live carve-outs. Get the playbook plus the bi-weekly Day One Letter — short, signal-heavy, buyer-side.
No spam. Unsubscribe in one click. · Read the overview first →

Fixed-fee proposal in 48 hours. Senior team on day one. The first conversation is always free.
Seven buyer-side moves to exit a Transition Services Agreement on time and below budget. The mark-up, the extension-fee curve, exit sequencing, and the 11-month calendar.
A representative $120M-revenue carve-out runs a Transition Services Agreement across eight functions in five jurisdictions. Borders multiply every separation by entity, regulator, and data-residency rule. The moves below cut the exit from a 17-month drift to an 8-month managed exit and remove $2.7M of mark-up and stranded cost — with the long-lead-time items, not the systems, on the critical path.
One tactic, one benchmark, or one pattern from a recent buyer-side engagement. Short. Signal heavy. Free.
Subscribe to The Day One Letter →