DE  |   -- EN  |   -- RU

Data Protection in M&A Transactions in Germany

Advice on data protection in the purchase of companies

Given the large amount of data processed during an M&A transaction in Germany, the question of a data protection-compliant design of the transaction process is raised in accordance with the General Data Protection Regulation (GDPR).

Which data protection obligations apply when acquiring a company?

In the absence of special provisions in the GDPR for M&A transactions, the same principles apply here as for any other data processing. The GDPR applies as soon as the purchasing or the selling company is based in the European Union.

Due to its extraterritorial effect, the GDPR must also be taken into account in corporate transactions in which the participating companies are based outside the EU. This is usually the case if the company to be sold offers its goods or services within the European Union and personal data are processed within that scope.

Personal data are processed from the outset

When the potential contracting parties get to know each other for the first time, they often prepare a so-called term sheet. This is when personal data is processed for the first time. In most cases, buyer and seller start talks in which the conditions and the tools used for the transaction are agreed upon. By entering into such negotiations, the parties involved already share responsibility for the processed data as defined by Art. 26 of the GDPR.

If the parties involved have appointed a data protection officer, the latter must be involved in the data protection-relevant issues right from the beginning.

Clarify the distribution of liability for M&A data breaches in advance

Before an interested company starts Due Diligence, the parties should agree on the allocation of liability in case of a data breach. This is because although the seller side discloses the majority of the data, both are initially jointly and severally liable. In addition, unlawful transfer of data to third parties must be prevented by clarifying the conditions for involving external service providers from the outset, for example regarding the establishment of virtual data rooms for performing Due Diligence.

Companies are committed to transparency

The buying company usually has to inform those concerned about the processing of their personal data in accordance with Art. 14 GDPR at the beginning of the transaction process. This often conflicts with the interests of the transaction participants to carry out the company purchase confidentially. It becomes particularly problematic when legal requirements oblige the parties to keep the negotiations confidential (e.g. through the Securities Trading Act).

Valuing the result of the Due Diligence

After a completed Due Diligence, the question often arises as to how to deal with uncovered gaps in the implementation of the GDPR in the object of the transaction and the associated liability risk. In addition to a reduction of the purchase price, consideration should be given to an exclusion of the buyer's liability for any resulting damages.

Data Protection in Asset Deal and Share Deal

The type of transaction agreed upon determines which data protection procedure of the buyer after signing is appropriate. In the case of a Share Deal, the buyer only has to inform affected parties again about data processing if this data is to be disclosed again as part of a corporate integration. On the other hand, in the case of an Asset Deal, the affected party must be informed as the data processing is carried out by a legally different company.

Your attorney for data protection in M&A transactions in Germany

We support you in the purchase or sale of your company! Our contacts for all questions regarding your transaction are Attorney Olga Stepanova and Attorney Phillipp von Raven. You can easily reach us by e-mail ( or by phone (+49 (0)69 76 75 77 80).

"Privacy Law": Recent blog posts

Compensation For GDPR Damages Only in The Event of Damage That Has Actually Occurred

- Patricia Jechel

Compensation For GDPR Damages Only in The Event of Damage That Has Actually Occurred

Do Companies in Germany Need to Report Ransomware Attacks?

- Olga Stepanova

Do Companies in Germany Need to Report Ransomware Attacks?

EU Commission Adopts New GDPR Standard Contractual Clause

- Olga Stepanova

EU Commission Adopts New GDPR Standard Contractual Clause


1635343074 > 1641855600

We congratulate our colleagues, Olga and Philipp, on the newly awarded specialist titles of specialization.


1635343074 > 1638226800

WINHELLER is represented by three lawyers in the 2021 Best Lawyers Ranking.





Juve AwardLegal 500 Germany 2019
azur100: Top Employer for Lawyers 2021


Stay up to date with our quarterly German Business Law newsletter!

Subscribe for free