21.8.2019

M&A: As Buyer Liabilities Increase, Due Diligence Must Cover New Ground

Related services

Data breaches, cartels, money laundering, bribery… In today’s world, there are a number of risks that may go unseen in a traditional due diligence review. This has led to the rise of compliance due diligence, which seeks to address these issues as part of the M&A process. In Germany, law firm Hengeler & Mueller and the Goethe-Universität of Frankfurt recently carried out a survey about compliance due diligence among German investors and corporate executives responsible for M&A. According to the results, 95% of them find that buyers are increasingly aware of compliance risks. Three quarters found that compliance due diligence was a relevant part of the M&A process, and 85% thought that it had become increasingly important in recent years.  The factors that favour carrying out compliance due diligence included previous violations by the target company, business in high-risk countries or a high number of clients in the public sector.

Liability May Arise on Grounds of Stakes Already Sold

The foreword of the survey report cites a case that illustrates the importance of compliance for buyers. The buyer in this case was a large international investment bank that had been a shareholder and the indirect parent company of a cable manufacturer, which was subsequently found to have participated in a cartel. The European Commission fined the cable manufacturer 100 million euros. Roughly a third of the total was jointly and severally payable by the company and the investment bank as its former owner. According to the Commission, the investment bank had exercised decisive influence in the cable company and could therefore be considered liable for the cartel, even though there was no evidence that the bank’s representatives had been aware of the cartel plans or had participated in the cartel’s implementation. This position was confirmed by the Court of Justice of the European Union.

Buyers Cannot Afford to Neglect Data Protection

This July, the British Information Commissioner’s Office issued a notice of its intention to impose a fine of 110 million euros on a major accommodation group for breaches of data protection law. The group had suffered a cyber attack that could be traced back to a corporate acquisition made in 2016: the target company’s information systems had become vulnerable well before the merger. The ICO found that the buyer had not carried out sufficient due diligence upon the acquisition. In a statement, Information Officer Elizabeth Denham said:

‘The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition,  and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.’

‘Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset.  If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.’

The ICO’s decision is not final, but it sends a strong message to companies considering an acquisition. Buyers must carefully inspect how the target has addressed data protection. It is possible that they will no longer be able to fulfil their duty of care with a customary desktop analysis completed with management interviews. Instead, European data protection authorities may require a thorough assessment of the technical security and adequacy of the target’s data systems. The General Data Protection Regulation has been enforceable for a bit over a year now, and authorities have taken the initiative and imposed fines for non-compliant processing of personal data in several dozens of cases.

Look Deep

Neglected compliance risks can be costly for buyers in M&A. Violations may undermine the profitability of a deal and permanently damage the buyer’s reputation. Moreover, authorities are eager to intervene in suspected breaches.

Properly addressing compliance risks in due diligence helps avoid unpleasant surprises. In addition to reviewing documents, we recommend that buyers have a separate compliance session with the compliance officers of the seller or the target. This helps grasp the target’s performance and identify operations that warrant a further review.

Latest insights

Article published 9.7.2025 – FDI Regulatory Service Defence sector investments and acquisitions – key facts about the Finnish FDI regulation
Kiti Karvinen
Markus Rahnu

Kiti Karvinen & Markus Rahnu

 Article published 25.3.2025 – Private M&A How to successfully run a large-scale cross-border M&A project?
Carola Lindholm
Samuli Tarkiainen

Carola Lindholm & Samuli Tarkiainen

 Article published 10.3.2025 – Private M&A Navigating uncharted waters: M&A and defence tech in the age of geopolitical uncertainty
Markus Rahnu

Markus Rahnu

 Article published 2.5.2024 – Private Equity Strong momentum in life sciences and health tech industry: Castrén & Snellman sees a significant uptick in deal-making 
Karlo Siirala
Hanna Paloheimo
Sakari Lukinmaa
Tero Tuomisto
Antti Kaakkola

Karlo Siirala, Hanna Paloheimo, Sakari Lukinmaa, Tero Tuomisto & Antti Kaakkola
Insights

Latest references

Yellow Film Studios – Merger of Yellow Film Studios and REinvent Studios
We advised Yellow Film Studios, the largest independent film and television production company in the Nordics, in its strategic merger with Danish film industry sales and financing studio REinvent Studios. Together they form Reinvent Yellow, a unified hub for television and film production, sales, financing and innovation, combining over three decades of production experience and a vast catalogue of titles.
Case published 8.10.2025
Vapaus Group – Acquisition of Azfalte
We represented Vapaus Group, a leading provider of employee bicycle benefit services, in its cross-border acquisition of Azfalte, a French corporate bicycle solutions company. The acquisition accelerates Vapaus Group’s international expansion and strengthens its position in sustainable mobility by combining Vapaus’s digital platform and circular-economy capabilities with Azfalte’s established enterprise programs and partner network in France. The transaction advances Vapaus’s growth strategy and increases its ability to help employers meet well-being and sustainability goals in one of Europe’s most dynamic cycling markets. Vapaus Group is at the forefront of sustainable mobility services and has been a pioneer in the employee bicycle benefit sector since 2020 with a vision to become the leading bicycle benefit service in Europe. Vapaus has automated the employee bicycle process through its technology platform, covering payroll, invoicing, logistics, insurance, and financing. Azfalte, founded in 2020, is a pioneer of corporate cycling in France, optimizing financing, tailored bikes, insurance, maintenance, assistance, training, and carbon tracking for the benefit of its clients.
Case published 1.9.2025
Wise Group – Sale of Wise People Group
We advised Wise Group AB (publ) in its sale of all shares in Wise Group’s Finnish subsidiary Wise People Group Oy (“WPG”) to Tetos Oy. The sale involves the divestment of Wise Group’s Finnish operations, and the purpose for the transaction is Wise Group’s ongoing streamlining of its operations, with a focus on the Swedish market. Wise Group’s companies specialise in recruitment, consultant hiring, HR consulting and leadership development. Wise Group is listed on Nasdaq Stockholm’s Small Cap list, with offices in Stockholm, Gothenburg, Malmö and Helsinki.
Case published 1.9.2025
Merger of Oomi and Lumme Energia
We are acting as the joint legal advisor to Oomi Oy and Lumme Energia Oy in a transaction whereby Lumme Energia will merge with Oomi. As from the completion of the merger, the combined entity will be the largest electricity retail and service company in the Finnish market. In 2024, Oomi reported a turnover of EUR 373.9 million and had approximately 110 employees. Lumme Energia’s turnover for the same year was approximately EUR 314.6 million and it had approximately 50 employees. The transaction is primarily driven by the recent developments in the electricity market and the strategic goal to develop competitive products and services. Another key objective is to further enhance the customer experience, which is a shared value between the two companies. As a result of the merger, Lumme Energia’s customers will transfer to Oomi, and Lumme Energia will become one of Oomi’s shareholders. The completion of the transaction is subject to an approval by the Finnish Competition and Consumer Authority.
Case published 29.8.2025
All cases