Almost every company processes personal data since customer and employee related data usually also contains personal data. The new European General Data Protection Regulation will be accompanied by amendments to the rules and penalties for non-compliance may run into tens of millions of euros. Therefore, it is critical to immediately begin paying special attention to personal data processing in the context of M&A transactions.
8.9.2016
How to Take Data Protection into Account in M&A Transactions – 6 Tips
Annamari Friskopf
Related services
As regards transactions, careful consideration must be given to when, and on what basis, the disclosure of personal data is permitted. From the buyer’s point of view, it is necessary to become thoroughly well-informed concerning the target of the transaction, whereas the seller may only disclose personal data as permitted by law.
We have put together six tips that will help you take data protection into account at each stage of a transaction.
1) Agree on Data Protection in the Non-Disclosure Agreement
Parties to a transaction often enter into a non-disclosure agreement (NDA) which governs the way in which confidential information about the target may be processed during the transaction. It is worth agreeing already in the NDA how necessary information about the target may be disclosed to the buyer without unlawfully disclosing personal data. Taking data protection into account by agreement at an early stage of the transaction may make it easier for the parties to prove that they have acted within the limits of the law.
2) Note the Restrictions Concerning Disclosure of Personal Data
As a rule in personal data processing, the controller, who is the person or body responsible for personal data processing, shall not disclose personal data to any third party. According to this rule, the seller shall not disclose personal data to the buyer in the context of a transaction before executing the transaction.
The personal data of the employees or customers of the target company shall only be disclosed to the buyer with the consent of those persons, or in cases in which those persons are deemed to be aware of the disclosure. As transactions are often highly confidential, asking for such consent or informing such persons of such disclosure is usually out of the question. However, an exception to this is the situation in which the know-how of key persons of the company is being sold, and such key persons are aware of the transaction. Additionally, data which is publicly available, such as the personal data of the company’s management, may be disclosed.
3) Consider Alternatives to the Disclosure of Personal Data
The seller may refrain from unlawfully disclosing data to the buyer by anonymising personal data by, for example, concealing personal data in documents or by delivering model agreements instead of actual employment and customer agreements to the buyer. Summaries, statistics and profiles of different kinds are also permitted provided that no individual person can be identified from the contents thereof.
When considering whether to disclose data, the necessity requirement should be borne in mind: only data necessary for executing the transaction may be disclosed and, as a rule, not until the execution of the transaction. The buyer rarely needs individual information for the purposes of determining value or for identifying risks, and in most cases there is usually an alternative available.
4) Take Care of Data Protection Comprehensively
While disclosing data of the target to the buyer as a part of the due diligence review, the seller must also ensure security of that data in relation to other parties to the transaction. For example, if the seller uses virtual data room services, it is also recommended to agree with the service provider on the non-disclosure, security, and return of the data.
It is important that confidential data be returned and is not left behind after execution of the transaction. Accordingly, do not send privileged information relative to the transaction, or material containing personal data, by email.
5) Manage Data Protection Related Risks in the Sale and Purchase Agreement
The manner in which the target company has processed personal data and documented its stages of processing is valuable information for the buyer. Due diligence enables the buyer to detect possible data security threats or inadequacies in the target’s data processing. Based on its findings, the buyer can prepare for any possible subsequent penalties by agreeing with the seller on the handling of such liabilities.
Appropriate processing of personal data also pays off from the seller’s point of view as it may increase the value of the target sold. This is emphasised in industries like healthcare and wellbeing, and digital services destined for consumers, in which personal data is extensively processed.
6) Remember Obligations Following the Execution of the Transaction
When the transaction is executed, the disclosure of personal data, such as employees’ data, to the buyer is finally authorised. In a business purchase transaction, the buyer becomes the party responsible for that personal data and the seller is no longer authorised to process employee or customer related data. The buyer must take care to ensure lawful processing of the personal data and must update the file descriptions, among other measures.
However, in some cases the seller may continue to have access to the personal data which is in the buyer’s possession after the execution. This may be the case, for example, if the seller provides services relating to payroll or personnel administration to the target company. Such services are often provided during the transitional period after execution until the buyer itself is able or has the time to organise such services. In cases like this, the buyer or the target company shall agree in writing on responsibilities relating to the processing of personal data for the period during which the seller shall act as the controller of personal data on behalf of the buyer or the target company.
Timeline of an M&A Transaction from the Point of View of Data Protection
Latest insights
Article published 28.4.2026 – Private M&A
Unlocking value in carve-outs – Why integration planning deserves top priority in every carve-out
Article published 17.10.2025 – Intellectual Property
Is your IP safe? Eight real-life tips to avoid costly mistakes
Article published 9.7.2025 – FDI Regulatory Service
Defence sector investments and acquisitions – key facts about the Finnish FDI regulation
Article published 25.3.2025 – Private M&A
How to successfully run a large-scale cross-border M&A project?
Benjamin Bade, Maiju Mäkinen & Samuli Salminen
Lauri Laatunen & Janne Koivisto
Kiti Karvinen & Markus Rahnu
Carola Lindholm & Samuli Tarkiainen
Latest references
G&W Electric – Acquisition of Safegrid
We advised G&W Electric with its acquisition of Safegrid Oy, a leading provider of intelligent grid monitoring solutions based in Finland. The acquisition accelerates G&W Electric’s long-term strategy to integrate intelligent monitoring and predictive analytics into its power distribution portfolio, strengthening its offering to utility customers worldwide. Founded in 1905 and headquartered in Bolingbrook, Illinois, G&W Electric is a global leader in innovative power grid solutions, with a presence in over 100 countries. The company is known for advanced load and fault interrupting switches, reclosers, sensors, system protection equipment, power grid automation, intelligent grid monitoring, and transmission and distribution cable accessories. Safegrid is a Finnish technology company headquartered in Espoo, Finland. The company develops the Intelligent Grid System®, a grid monitoring solution that combines instant-on wireless sensors with advanced analytics to deliver real-time insight into grid conditions, enabling utilities to identify emerging issues, anticipate failures, and reduce outage duration across medium and high voltage distribution and transmission networks.
Case published 8.5.2026
Kiwa – Acquisition of Sertio
We advised Kiwa in its acquisition of Sertio Oy, a Finnish notified body designated by the authority in accordance with the EU Regulation on in vitro diagnostic medical devices (IVDR). Sertio provides conformity assessment services in accordance with IVDR. Kiwa is one of the world’s leading testing, inspection, and certification companies, operating in over 35 countries.
Case published 7.5.2026
Metsäkonepalvelu – Acquisition of Junnonen Forest and the business operations of Lamerit
We advised Metsäkonepalvelu Oy in its acquisition of the entire share capital of Junnonen Forest Oy, a Finnish timber harvesting services company, and the timber harvesting services business of Lamerit Oy. The acquisition supports Metsäkonepalvelu’s growth strategy and strengthens the company’s position, particularly in southeastern Finland. Metsäkonepalvelu is a portfolio company of A. Ahlström Oy, a Finnish family-owned industrial owner. The company provides mechanical timber harvesting services to forest companies, large private forest owners, and the public sector in Finland and Sweden. Metsäkonepalvelu Group employs nearly two hundred forestry professionals.
Case published 6.5.2026
Scanreco – Acquisition of CrossControl
We acted as Finnish counsel to Scanreco in its acquisition of CrossControl. Mannheimer Swartling (Sweden) acted as lead counsel for Scanreco. CrossControl, founded in Sweden, is a high-tech supplier of advanced display computers and central vehicle computing solutions for industrial vehicles and machines. Scanreco is a world leading supplier of professional radio remote control systems to international machinery, heavy equipment, and crane manufacturers. The combined group comprises approximately 600 employees and generates annual revenue of around SEK 1.4 billion.
Case published 5.5.2026