21.8.2019

M&A: As Buyer Liabilities Increase, Due Diligence Must Cover New Ground

Data breaches, cartels, money laundering, bribery… In today’s world, there are a number of risks that may go unseen in a traditional due diligence review. This has led to the rise of compliance due diligence, which seeks to address these issues as part of the M&A process. In Germany, law firm Hengeler & Mueller and the Goethe-Universität of Frankfurt recently carried out a survey about compliance due diligence among German investors and corporate executives responsible for M&A. According to the results, 95% of them find that buyers are increasingly aware of compliance risks. Three quarters found that compliance due diligence was a relevant part of the M&A process, and 85% thought that it had become increasingly important in recent years. The factors that favour carrying out compliance due diligence included previous violations by the target company, business in high-risk countries or a high number of clients in the public sector.

Liability May Arise on Grounds of Stakes Already Sold

The foreword of the survey report cites a case that illustrates the importance of compliance for buyers. The buyer in this case was a large international investment bank that had been a shareholder and the indirect parent company of a cable manufacturer, which was subsequently found to have participated in a cartel. The European Commission fined the cable manufacturer 100 million euros. Roughly a third of the total was jointly and severally payable by the company and the investment bank as its former owner. According to the Commission, the investment bank had exercised decisive influence in the cable company and could therefore be considered liable for the cartel, even though there was no evidence that the bank’s representatives had been aware of the cartel plans or had participated in the cartel’s implementation. This position was confirmed by the Court of Justice of the European Union.

Buyers Cannot Afford to Neglect Data Protection

This July, the British Information Commissioner’s Office issued a notice of its intention to impose a fine of 110 million euros on a major accommodation group for breaches of data protection law. The group had suffered a cyber attack that could be traced back to a corporate acquisition made in 2016: the target company’s information systems had become vulnerable well before the merger. The ICO found that the buyer had not carried out sufficient due diligence upon the acquisition. In a statement, Information Officer Elizabeth Denham said:

‘The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.’

‘Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.’

The ICO’s decision is not final, but it sends a strong message to companies considering an acquisition. Buyers must carefully inspect how the target has addressed data protection. It is possible that they will no longer be able to fulfil their duty of care with a customary desktop analysis completed with management interviews. Instead, European data protection authorities may require a thorough assessment of the technical security and adequacy of the target’s data systems. The General Data Protection Regulation has been enforceable for a bit over a year now, and authorities have taken the initiative and imposed fines for non-compliant processing of personal data in several dozen cases.

Look Deep

Neglected compliance risks can be costly for buyers in M&A. Violations may undermine the profitability of a deal and permanently damage the buyer’s reputation. Moreover, authorities are eager to intervene in suspected breaches.

Properly addressing compliance risks in due diligence helps avoid unpleasant surprises. In addition to reviewing documents, we recommend that buyers have a separate compliance session with the compliance officers of the seller or the target. This helps grasp the target’s performance and identify operations that warrant a further review.
