A year after the GDPR came into force, decisions were handed down in the UK and Germany showing that the regulation has a direct impact on M&A transactions. In one, the UK Supervisory Authority announced an intended fine of GBP 99 million for insufficient due diligence. In the other, the Conference of the German Federal and State Data Protection Authorities (Datenschutzkonferenz) published a decision on which data may be transferred in the context of an Asset Deal.

Fine to major hotel chain

According to the statement from the UK Information Commissioner's Office (ICO), one of the country's major hotel chains is likely to face a fine of GBP 99 million. The alleged infringement began in 2014 in the IT systems of a hotel group that the chain now owns, and exposed approximately 300 million guest records worldwide. Although the chain acquired the group two years after the data leak began, the ICO stated that the chain faces the fine because it failed to undertake "sufficient due diligence" when it acquired the group.

Evaluation and consequences

The ICO's decision underscores the tension that currently exists between M&A and the GDPR. On the one hand, from a compliance point of view, management boards must protect the company from data breaches, since such infringements carry the threat of fines of up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher. On the other hand, from a deal-execution point of view, M&A transactions should be completed as simply and confidentially as possible.

In the context of corporate transactions, detailed and comprehensive due diligence must be carried out in the area of data-protection compliance.

This also concerns the technical side of the due-diligence process itself: which data may be disclosed to the buyer and in what context, what must be redacted, and which precautions can be taken to minimise compliance risk without adding further complexity to the M&A process. (See our checklist.)

Uncovering possible breaches of data protection is of the utmost importance during due diligence. The nature and scope of a due diligence, however, depend on the circumstances of the individual case. For example, the hotel chain's acquisition was a public takeover, which limited the buyer's access to the target's systems and records, so a comprehensive due diligence was simply not possible.

The lesson seems to be this: if risks of potential data protection infringements are discovered, or if due diligence has been limited or is not possible at all, the buyer should build safeguards into the purchase agreement, including warranties or indemnities.

Alternatively, the identified risk can be reflected in a corresponding reduction of the purchase price. In any case, breaches of data protection that are found must be remedied immediately, or at the latest after the takeover is completed.