21.8.2019

M&A: As Buyer Liabilities Increase, Due Diligence Must Cover New Ground

Related services

Data breaches, cartels, money laundering, bribery… In today’s world, there are a number of risks that may go unseen in a traditional due diligence review. This has led to the rise of compliance due diligence, which seeks to address these issues as part of the M&A process. In Germany, law firm Hengeler & Mueller and the Goethe-Universität of Frankfurt recently carried out a survey about compliance due diligence among German investors and corporate executives responsible for M&A. According to the results, 95% of them find that buyers are increasingly aware of compliance risks. Three quarters found that compliance due diligence was a relevant part of the M&A process, and 85% thought that it had become increasingly important in recent years.  The factors that favour carrying out compliance due diligence included previous violations by the target company, business in high-risk countries or a high number of clients in the public sector.

Liability May Arise on Grounds of Stakes Already Sold

The foreword of the survey report cites a case that illustrates the importance of compliance for buyers. The buyer in this case was a large international investment bank that had been a shareholder and the indirect parent company of a cable manufacturer, which was subsequently found to have participated in a cartel. The European Commission fined the cable manufacturer 100 million euros. Roughly a third of the total was jointly and severally payable by the company and the investment bank as its former owner. According to the Commission, the investment bank had exercised decisive influence in the cable company and could therefore be considered liable for the cartel, even though there was no evidence that the bank’s representatives had been aware of the cartel plans or had participated in the cartel’s implementation. This position was confirmed by the Court of Justice of the European Union.

Buyers Cannot Afford to Neglect Data Protection

This July, the British Information Commissioner’s Office issued a notice of its intention to impose a fine of 110 million euros on a major accommodation group for breaches of data protection law. The group had suffered a cyber attack that could be traced back to a corporate acquisition made in 2016: the target company’s information systems had become vulnerable well before the merger. The ICO found that the buyer had not carried out sufficient due diligence upon the acquisition. In a statement, Information Officer Elizabeth Denham said:

‘The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition,  and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.’

‘Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset.  If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.’

The ICO’s decision is not final, but it sends a strong message to companies considering an acquisition. Buyers must carefully inspect how the target has addressed data protection. It is possible that they will no longer be able to fulfil their duty of care with a customary desktop analysis completed with management interviews. Instead, European data protection authorities may require a thorough assessment of the technical security and adequacy of the target’s data systems. The General Data Protection Regulation has been enforceable for a bit over a year now, and authorities have taken the initiative and imposed fines for non-compliant processing of personal data in several dozens of cases.

Look Deep

Neglected compliance risks can be costly for buyers in M&A. Violations may undermine the profitability of a deal and permanently damage the buyer’s reputation. Moreover, authorities are eager to intervene in suspected breaches.

Properly addressing compliance risks in due diligence helps avoid unpleasant surprises. In addition to reviewing documents, we recommend that buyers have a separate compliance session with the compliance officers of the seller or the target. This helps grasp the target’s performance and identify operations that warrant a further review.

Latest insights

Article published 28.4.2026 – Private M&A Unlocking value in carve-outs – Why integration planning deserves top priority in every carve-out
Benjamin Bade
Maiju Mäkinen
Samuli Salminen

Benjamin Bade, Maiju Mäkinen & Samuli Salminen

 Article published 17.10.2025 – Intellectual Property Is your IP safe? Eight real-life tips to avoid costly mistakes
Lauri Laatunen
Janne Koivisto

Lauri Laatunen & Janne Koivisto

 Article published 9.7.2025 – FDI Regulatory Service Defence sector investments and acquisitions – key facts about the Finnish FDI regulation
Kiti Karvinen
Markus Rahnu

Kiti Karvinen & Markus Rahnu

 Article published 25.3.2025 – Private M&A How to successfully run a large-scale cross-border M&A project?
Carola Lindholm
Samuli Tarkiainen

Carola Lindholm & Samuli Tarkiainen
Insights

Latest references

G&W Electric – Acquisition of Safegrid
We advised G&W Electric with its acquisition of Safegrid Oy, a leading provider of intelligent grid monitoring solutions based in Finland. The acquisition accelerates G&W Electric’s long-term strategy to integrate intelligent monitoring and predictive analytics into its power distribution portfolio, strengthening its offering to utility customers worldwide. Founded in 1905 and headquartered in Bolingbrook, Illinois, G&W Electric is a global leader in innovative power grid solutions, with a presence in over 100 countries. The company is known for advanced load and fault interrupting switches, reclosers, sensors, system protection equipment, power grid automation, intelligent grid monitoring, and transmission and distribution cable accessories. Safegrid is a Finnish technology company headquartered in Espoo, Finland. The company develops the Intelligent Grid System®, a grid monitoring solution that combines instant-on wireless sensors with advanced analytics to deliver real-time insight into grid conditions, enabling utilities to identify emerging issues, anticipate failures, and reduce outage duration across medium and high voltage distribution and transmission networks.
Case published 8.5.2026
Kiwa – Acquisition of Sertio
We advised Kiwa in its acquisition of Sertio Oy, a Finnish notified body designated by the authority in accordance with the EU Regulation on in vitro diagnostic medical devices (IVDR). Sertio provides conformity assessment services in accordance with IVDR. Kiwa is one of the world’s leading testing, inspection, and certification companies, operating in over 35 countries. 
Case published 7.5.2026
Metsäkonepalvelu – Acquisition of Junnonen Forest and the business operations of Lamerit
We advised Metsäkonepalvelu Oy in its acquisition of the entire share capital of Junnonen Forest Oy, a Finnish timber harvesting services company, and the timber harvesting services business of Lamerit Oy. The acquisition supports Metsäkonepalvelu’s growth strategy and strengthens the company’s position, particularly in southeastern Finland. Metsäkonepalvelu is a portfolio company of A. Ahlström Oy, a Finnish family-owned industrial owner. The company provides mechanical timber harvesting services to forest companies, large private forest owners, and the public sector in Finland and Sweden. Metsäkonepalvelu Group employs nearly two hundred forestry professionals.
Case published 6.5.2026
Scanreco – Acquisition of CrossControl
We acted as Finnish counsel to Scanreco in its acquisition of CrossControl. Mannheimer Swartling (Sweden) acted as lead counsel for Scanreco. CrossControl, founded in Sweden, is a high-tech supplier of advanced display computers and central vehicle computing solutions for industrial vehicles and machines. Scanreco is a world leading supplier of professional radio remote control systems to international machinery, heavy equipment, and crane manufacturers. The combined group comprises approximately 600 employees and generates annual revenue of around SEK 1.4 billion.
Case published 5.5.2026
All cases