Almost every company processes personal data since customer and employee related data usually also contains personal data. The new European General Data Protection Regulation will be accompanied by amendments to the rules and penalties for non-compliance may run into tens of millions of euros. Therefore, it is critical to immediately begin paying special attention to personal data processing in the context of M&A transactions.
8.9.2016
How to Take Data Protection into Account in M&A Transactions – 6 Tips
Annamari Friskopf
Related services
As regards transactions, careful consideration must be given to when, and on what basis, the disclosure of personal data is permitted. From the buyer’s point of view, it is necessary to become thoroughly well-informed concerning the target of the transaction, whereas the seller may only disclose personal data as permitted by law.
We have put together six tips that will help you take data protection into account at each stage of a transaction.
1) Agree on Data Protection in the Non-Disclosure Agreement
Parties to a transaction often enter into a non-disclosure agreement (NDA) which governs the way in which confidential information about the target may be processed during the transaction. It is worth agreeing already in the NDA how necessary information about the target may be disclosed to the buyer without unlawfully disclosing personal data. Taking data protection into account by agreement at an early stage of the transaction may make it easier for the parties to prove that they have acted within the limits of the law.
2) Note the Restrictions Concerning Disclosure of Personal Data
As a rule in personal data processing, the controller, who is the person or body responsible for personal data processing, shall not disclose personal data to any third party. According to this rule, the seller shall not disclose personal data to the buyer in the context of a transaction before executing the transaction.
The personal data of the employees or customers of the target company shall only be disclosed to the buyer with the consent of those persons, or in cases in which those persons are deemed to be aware of the disclosure. As transactions are often highly confidential, asking for such consent or informing such persons of such disclosure is usually out of the question. However, an exception to this is the situation in which the know-how of key persons of the company is being sold, and such key persons are aware of the transaction. Additionally, data which is publicly available, such as the personal data of the company’s management, may be disclosed.
3) Consider Alternatives to the Disclosure of Personal Data
The seller may refrain from unlawfully disclosing data to the buyer by anonymising personal data by, for example, concealing personal data in documents or by delivering model agreements instead of actual employment and customer agreements to the buyer. Summaries, statistics and profiles of different kinds are also permitted provided that no individual person can be identified from the contents thereof.
When considering whether to disclose data, the necessity requirement should be borne in mind: only data necessary for executing the transaction may be disclosed and, as a rule, not until the execution of the transaction. The buyer rarely needs individual information for the purposes of determining value or for identifying risks, and in most cases there is usually an alternative available.
4) Take Care of Data Protection Comprehensively
While disclosing data of the target to the buyer as a part of the due diligence review, the seller must also ensure security of that data in relation to other parties to the transaction. For example, if the seller uses virtual data room services, it is also recommended to agree with the service provider on the non-disclosure, security, and return of the data.
It is important that confidential data be returned and is not left behind after execution of the transaction. Accordingly, do not send privileged information relative to the transaction, or material containing personal data, by email.
5) Manage Data Protection Related Risks in the Sale and Purchase Agreement
The manner in which the target company has processed personal data and documented its stages of processing is valuable information for the buyer. Due diligence enables the buyer to detect possible data security threats or inadequacies in the target’s data processing. Based on its findings, the buyer can prepare for any possible subsequent penalties by agreeing with the seller on the handling of such liabilities.
Appropriate processing of personal data also pays off from the seller’s point of view as it may increase the value of the target sold. This is emphasised in industries like healthcare and wellbeing, and digital services destined for consumers, in which personal data is extensively processed.
6) Remember Obligations Following the Execution of the Transaction
When the transaction is executed, the disclosure of personal data, such as employees’ data, to the buyer is finally authorised. In a business purchase transaction, the buyer becomes the party responsible for that personal data and the seller is no longer authorised to process employee or customer related data. The buyer must take care to ensure lawful processing of the personal data and must update the file descriptions, among other measures.
However, in some cases the seller may continue to have access to the personal data which is in the buyer’s possession after the execution. This may be the case, for example, if the seller provides services relating to payroll or personnel administration to the target company. Such services are often provided during the transitional period after execution until the buyer itself is able or has the time to organise such services. In cases like this, the buyer or the target company shall agree in writing on responsibilities relating to the processing of personal data for the period during which the seller shall act as the controller of personal data on behalf of the buyer or the target company.
Timeline of an M&A Transaction from the Point of View of Data Protection
Latest insights
Article published 17.10.2025 – Intellectual Property
Is your IP safe? Eight real-life tips to avoid costly mistakes
Article published 9.7.2025 – FDI Regulatory Service
Defence sector investments and acquisitions – key facts about the Finnish FDI regulation
Article published 25.3.2025 – Private M&A
How to successfully run a large-scale cross-border M&A project?
Article published 10.3.2025 – Private M&A
Navigating uncharted waters: M&A and defence tech in the age of geopolitical uncertainty
Lauri Laatunen & Janne Koivisto
Kiti Karvinen & Markus Rahnu
Carola Lindholm & Samuli Tarkiainen
Markus Rahnu
Latest references
Taaleri – Acquisition of a majority stake in Nordic Science Investments
We are acting as legal adviser to Taaleri Plc on its acquisition of a 51 per cent ownership stake in Nordic Science Investments Oy (NSI), marking Taaleri’s expansion into deeptech-driven venture capital. Through the transaction, Taaleri broadens its private equity offering into early-stage venture capital funds as well as the commercialisation and scaling of research-driven innovations. NSI is a Finnish venture capital fund manager operating across the Nordic and Baltic regions, focusing on early-stage investments in research- and science-based technologies. Its portfolio companies develop, among other things, health technologies, life sciences, advanced materials and AI-driven solutions. In addition to providing growth capital, NSI supports spin-out companies with strategic guidance, access to networks and assistance in building teams during the early phases of business development. NSI’s first fund, the EUR 45 million NSI Nordic Science I Ky, was established in 2024 and has to date invested in 22 early-stage companies in Finland, Sweden and the Baltic countries. Taaleri is a specialist in investments, private asset management and non-life insurance, with a strong position in renewable energy, bioindustry and housing investments as well as credit risk insurance. Taaleri has EUR 2.7 billion of assets under management in its private equity funds, co-investments and single-asset vehicles, employs approximately 130 people and is listed on Nasdaq Helsinki. The founders of NSI will continue in their operational roles following the transaction. The completion of the transaction is subject to approval by the FIN-FSA.
Case published 13.4.2026
Downing – Acquisition of the entire share capital of Tornionlaakson Voima
We advised UK-based investment company Downing in its acquisition of the entire share capital of Tornionlaakson Voima Oy. Tornionlaakson Voima owns three hydropower plants in the Tengeliönjoki river system – the Portimokoski power plants in Ylitornio, the Jolmankoski power plants in Raanujärvi and the Kaaranneskoski power plants in Sirkkakoski. The power plants produce a total of approx. 45 gigawatt-hours of electricity per year. Tornionlaakson Voima’s daily operations will continue normally, and the transaction will not affect customers. The consummation of the transaction is subject to the approval of the Ministry of Economic Affairs and Employment. Downing has over 35 years’ experience in providing a wide range of investment solutions to the needs of institutional investors, advisers and retail investors. The company manages over £2 billion in assets in both the private and public markets and its current hydro power portfolio includes approx. 50 hydro power plants in the Nordics.
Case published 27.3.2026
Jensen-Group – Acquisition of Vestek
We advised Jensen-Group with its acquisition of Oy Vestek Ab, the long-standing distributor of Jensen solutions in Finland. The strategic step underlines Jensen-Group’s long-term commitment to the Nordic region and its ambition to further expand sustainable and future-oriented laundry automation solutions in Finland. Jensen-Group, listed on Euronext Brussels, is a global leader in heavy‑duty laundry technology, known for designing and manufacturing industrial laundry machines, systems, and turnkey automation solutions. Oy Vestek Ab is a Finnish import company founded in 1961. The company’s main activity is to import supplies and machinery, including providing products and services for the health care and laundry industries, from Europe and the USA and to act as a wholesale dealer on the Finnish market.
Case published 16.3.2026
CapMan Growth – Investment in Kuntokeskus Liikku
We are assisting CapMan Growth in its significant investment in Kuntokeskus Liikku, a Finnish gym chain known for its high-quality self-service facilities and excellent value for money. The investment will further strengthen Liikku’s position as a market leader and support the continued execution of its growth strategy. Liikku is one of Finland’s leading fitness chains, with more than 70 locations across the country serving nearly 90,000 members. The company’s concept is to offer high-quality self-service gyms at an exceptionally competitive price point which, combined with strong operational efficiency, provides a solid foundation for profitable growth. The company’s main shareholder is COR Group, a long-time partner of CapMan Growth, and a Finnish health and wellness conglomerate known for active ownership and long-term value creation. CapMan Growth is a leading Finnish growth investor that makes significant investments in entrepreneur-led growth companies with a turnover of €10–200 million. CapMan Growth is part of CapMan, which is a leading Nordic private equity investor engaged in active value creation work. CapMan has been listed on the Helsinki Stock Exchange since 2001.
Case published 27.2.2026