Buying a cat in a sack: why data protection matters during M&A transactions

2022 12 08

An M&A transaction does not always mean a successful, aggressive expansion for the company. Sometimes it may also come with an additional “gift” of a hefty fine from the regulator.

One Italian company had to learn the importance of properly conducted legal due diligence the hard way when it received a fine of EUR 1,400,000 for an entire series of GDPR infringements arising from past mergers.

The Italian company retained and used the acquired company’s customer contact details for direct marketing. Yet, it did not have (and did not “inherit” from the acquired company) valid consents to use such data. Moreover, the company failed to inform such customers that a transaction had taken place and also failed to delete inactive customers’ data.

WALLESS experts share their insights to help you avoid this fate when entering M&A transactions:

  • Assess whether the target company processed personal data legally, and whether it has all required documentation, i.e., notices to data subjects, consents, etc.
  • Assess what personal data will be acquired, whether it is still relevant, etc.
  • Assess whether the target company had adequate technical and organizational measures in place
  • Assess the level of awareness of data protection in the target
  • Inform individuals (target’s clients, employees, etc.) that there is a change of data controller due to the transaction

Keep this in mind to ensure that your new purchase will be a valuable asset, not a liability.

#GDPR #privacy #M&A
