21.8.2019

M&A: As Buyer Liabilities Increase, Due Diligence Must Cover New Ground

Data breaches, cartels, money laundering, bribery… In today’s world, there are a number of risks that may go unseen in a traditional due diligence review. This has led to the rise of compliance due diligence, which seeks to address these issues as part of the M&A process. In Germany, law firm Hengeler & Mueller and the Goethe-Universität of Frankfurt recently carried out a survey about compliance due diligence among German investors and corporate executives responsible for M&A. According to the results, 95% of them find that buyers are increasingly aware of compliance risks. Three quarters found that compliance due diligence was a relevant part of the M&A process, and 85% thought that it had become increasingly important in recent years. The factors that favour carrying out compliance due diligence included previous violations by the target company, business in high-risk countries or a high number of clients in the public sector.

Liability May Arise on Grounds of Stakes Already Sold

The foreword of the survey report cites a case that illustrates the importance of compliance for buyers. The buyer in this case was a large international investment bank that had been a shareholder and the indirect parent company of a cable manufacturer, which was subsequently found to have participated in a cartel. The European Commission fined the cable manufacturer 100 million euros. Roughly a third of the total was jointly and severally payable by the company and the investment bank as its former owner. According to the Commission, the investment bank had exercised decisive influence in the cable company and could therefore be considered liable for the cartel, even though there was no evidence that the bank’s representatives had been aware of the cartel plans or had participated in the cartel’s implementation. This position was confirmed by the Court of Justice of the European Union.

Buyers Cannot Afford to Neglect Data Protection

This July, the British Information Commissioner’s Office issued a notice of its intention to impose a fine of 110 million euros on a major accommodation group for breaches of data protection law. The group had suffered a cyber attack that could be traced back to a corporate acquisition made in 2016: the target company’s information systems had become vulnerable well before the merger. The ICO found that the buyer had not carried out sufficient due diligence upon the acquisition. In a statement, Information Officer Elizabeth Denham said:

‘The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.’

‘Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.’

The ICO’s decision is not final, but it sends a strong message to companies considering an acquisition. Buyers must carefully inspect how the target has addressed data protection. It is possible that they will no longer be able to fulfil their duty of care with a customary desktop analysis completed with management interviews. Instead, European data protection authorities may require a thorough assessment of the technical security and adequacy of the target’s data systems. The General Data Protection Regulation has been enforceable for a bit over a year now, and authorities have taken the initiative and imposed fines for non-compliant processing of personal data in several dozen cases.

Look Deep

Neglected compliance risks can be costly for buyers in M&A. Violations may undermine the profitability of a deal and permanently damage the buyer’s reputation. Moreover, authorities are eager to intervene in suspected breaches.

Properly addressing compliance risks in due diligence helps avoid unpleasant surprises. In addition to reviewing documents, we recommend that buyers have a separate compliance session with the compliance officers of the seller or the target. This helps grasp the target’s performance and identify operations that warrant a further review.
