21.8.2019

M&A: As Buyer Liabilities Increase, Due Diligence Must Cover New Ground

Related services

Data breaches, cartels, money laundering, bribery… In today’s world, there are a number of risks that may go unseen in a traditional due diligence review. This has led to the rise of compliance due diligence, which seeks to address these issues as part of the M&A process. In Germany, law firm Hengeler & Mueller and the Goethe-Universität of Frankfurt recently carried out a survey about compliance due diligence among German investors and corporate executives responsible for M&A. According to the results, 95% of them find that buyers are increasingly aware of compliance risks. Three quarters found that compliance due diligence was a relevant part of the M&A process, and 85% thought that it had become increasingly important in recent years.  The factors that favour carrying out compliance due diligence included previous violations by the target company, business in high-risk countries or a high number of clients in the public sector.

Liability May Arise on Grounds of Stakes Already Sold

The foreword of the survey report cites a case that illustrates the importance of compliance for buyers. The buyer in this case was a large international investment bank that had been a shareholder and the indirect parent company of a cable manufacturer, which was subsequently found to have participated in a cartel. The European Commission fined the cable manufacturer 100 million euros. Roughly a third of the total was jointly and severally payable by the company and the investment bank as its former owner. According to the Commission, the investment bank had exercised decisive influence in the cable company and could therefore be considered liable for the cartel, even though there was no evidence that the bank’s representatives had been aware of the cartel plans or had participated in the cartel’s implementation. This position was confirmed by the Court of Justice of the European Union.

Buyers Cannot Afford to Neglect Data Protection

This July, the British Information Commissioner’s Office issued a notice of its intention to impose a fine of 110 million euros on a major accommodation group for breaches of data protection law. The group had suffered a cyber attack that could be traced back to a corporate acquisition made in 2016: the target company’s information systems had become vulnerable well before the merger. The ICO found that the buyer had not carried out sufficient due diligence upon the acquisition. In a statement, Information Officer Elizabeth Denham said:

‘The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition,  and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.’

‘Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset.  If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.’

The ICO’s decision is not final, but it sends a strong message to companies considering an acquisition. Buyers must carefully inspect how the target has addressed data protection. It is possible that they will no longer be able to fulfil their duty of care with a customary desktop analysis completed with management interviews. Instead, European data protection authorities may require a thorough assessment of the technical security and adequacy of the target’s data systems. The General Data Protection Regulation has been enforceable for a bit over a year now, and authorities have taken the initiative and imposed fines for non-compliant processing of personal data in several dozens of cases.

Look Deep

Neglected compliance risks can be costly for buyers in M&A. Violations may undermine the profitability of a deal and permanently damage the buyer’s reputation. Moreover, authorities are eager to intervene in suspected breaches.

Properly addressing compliance risks in due diligence helps avoid unpleasant surprises. In addition to reviewing documents, we recommend that buyers have a separate compliance session with the compliance officers of the seller or the target. This helps grasp the target’s performance and identify operations that warrant a further review.

Latest insights

Article published 17.10.2025 – Intellectual Property Is your IP safe? Eight real-life tips to avoid costly mistakes
Lauri Laatunen
Janne Koivisto

Lauri Laatunen & Janne Koivisto

 Article published 9.7.2025 – FDI Regulatory Service Defence sector investments and acquisitions – key facts about the Finnish FDI regulation
Kiti Karvinen
Markus Rahnu

Kiti Karvinen & Markus Rahnu

 Article published 25.3.2025 – Private M&A How to successfully run a large-scale cross-border M&A project?
Carola Lindholm
Samuli Tarkiainen

Carola Lindholm & Samuli Tarkiainen

 Article published 10.3.2025 – Private M&A Navigating uncharted waters: M&A and defence tech in the age of geopolitical uncertainty
Markus Rahnu

Markus Rahnu
Insights

Latest references

Taaleri – Acquisition of a majority stake in Nordic Science Investments
We are acting as legal adviser to Taaleri Plc on its acquisition of a 51 per cent ownership stake in Nordic Science Investments Oy (NSI), marking Taaleri’s expansion into deeptech-driven venture capital. Through the transaction, Taaleri broadens its private equity offering into early-stage venture capital funds as well as the commercialisation and scaling of research-driven innovations. NSI is a Finnish venture capital fund manager operating across the Nordic and Baltic regions, focusing on early-stage investments in research- and science-based technologies. Its portfolio companies develop, among other things, health technologies, life sciences, advanced materials and AI-driven solutions. In addition to providing growth capital, NSI supports spin-out companies with strategic guidance, access to networks and assistance in building teams during the early phases of business development. NSI’s first fund, the EUR 45 million NSI Nordic Science I Ky, was established in 2024 and has to date invested in 22 early-stage companies in Finland, Sweden and the Baltic countries. Taaleri is a specialist in investments, private asset management and non-life insurance, with a strong position in renewable energy, bioindustry and housing investments as well as credit risk insurance. Taaleri has EUR 2.7 billion of assets under management in its private equity funds, co-investments and single-asset vehicles, employs approximately 130 people and is listed on Nasdaq Helsinki. The founders of NSI will continue in their operational roles following the transaction. The completion of the transaction is subject to approval by the FIN-FSA.
Case published 13.4.2026
Downing – Acquisition of the entire share capital of Tornionlaakson Voima
We advised UK-based investment company Downing in its acquisition of the entire share capital of Tornionlaakson Voima Oy. Tornionlaakson Voima owns three hydropower plants in the Tengeliönjoki river system – the Portimokoski power plants in Ylitornio, the Jolmankoski power plants in Raanujärvi and the Kaaranneskoski power plants in Sirkkakoski. The power plants produce a total of approx. 45 gigawatt-hours of electricity per year. Tornionlaakson Voima’s daily operations will continue normally, and the transaction will not affect customers. The consummation of the transaction is subject to the approval of the Ministry of Economic Affairs and Employment. Downing has over 35 years’ experience in providing a wide range of investment solutions to the needs of institutional investors, advisers and retail investors. The company manages over £2 billion in assets in both the private and public markets and its current hydro power portfolio includes approx. 50 hydro power plants in the Nordics. 
Case published 27.3.2026
Jensen-Group – Acquisition of Vestek
We advised Jensen-Group with its acquisition of Oy Vestek Ab, the long-standing distributor of Jensen solutions in Finland. The strategic step underlines Jensen-Group’s long-term commitment to the Nordic region and its ambition to further expand sustainable and future-oriented laundry automation solutions in Finland. Jensen-Group, listed on Euronext Brussels, is a global leader in heavy‑duty laundry technology, known for designing and manufacturing industrial laundry machines, systems, and turnkey automation solutions. Oy Vestek Ab is a Finnish import company founded in 1961. The company’s main activity is to import supplies and machinery, including providing products and services for the health care and laundry industries, from Europe and the USA and to act as a wholesale dealer on the Finnish market.
Case published 16.3.2026
CapMan Growth – Investment in Kuntokeskus Liikku
We are assisting CapMan Growth in its significant investment in Kuntokeskus Liikku, a Finnish gym chain known for its high-quality self-service facilities and excellent value for money. The investment will further strengthen Liikku’s position as a market leader and support the continued execution of its growth strategy. Liikku is one of Finland’s leading fitness chains, with more than 70 locations across the country serving nearly 90,000 members. The company’s concept is to offer high-quality self-service gyms at an exceptionally competitive price point which, combined with strong operational efficiency, provides a solid foundation for profitable growth. The company’s main shareholder is COR Group, a long-time partner of CapMan Growth, and a Finnish health and wellness conglomerate known for active ownership and long-term value creation. CapMan Growth is a leading Finnish growth investor that makes significant investments in entrepreneur-led growth companies with a turnover of €10–200 million. CapMan Growth is part of CapMan, which is a leading Nordic private equity investor engaged in active value creation work. CapMan has been listed on the Helsinki Stock Exchange since 2001.
Case published 27.2.2026
All cases