We use cookies to personalise the website and offer you the greatest added value. They are, among other purposes, used to analyse visitor usage in order to improve the website for you. By using this website, you agree to their use. Further information can be found in our data privacy statement.

Compliance in M&A transactions


Compliance is on the agenda of almost every company. Most companies of a certain size have even appointed their in-house compliance officer in charge for all compliance related issues.

Nevertheless, the significance of compliance in M&A transactions is often underestimated or not appreciated at all. Traditionally, the focus in this context is on issues such as merger control and, within the due diligence, on labour or environmental issues. The results are then incorporated into an acquisition agreement e.g. by means of conditions precedent (obtaining clearance from the competent anti-trust authority) or guarantees and/or indemnity clauses (as in the case of environmental risks). But compliance involves much more.

Data protection

The new data protection regulations make it necessary to reflect on how to conduct a due diligence in conformity with the law before starting the latter.

In the course of a due diligence a large number of documents are provided by the potential seller, which are often confidential and in some cases also contain personal data (like employees’ names for example). It is thus common to sign non-disclosure agreements. But such an agreement is only binding on the signatories (the seller and the potential buyer) but does not mean that the possibly affected third party (e.g. employee, customer or supplier) also agrees to the disclosure of his data to the prospective buyer. Normally, this is not the case even if such a third party has provided to the company for sale a statement of consent to the processing of its data because such statement of consent usually refers to the (contractual) relationship between the parties (employer/employee, customer/supplier) and the associated data processing but does not include the disclosure of the data to a potential buyer. There are two solutions to this problem:
  • When making the data available or setting up the data room, care is taken to ensure that all personal data is made unrecognizable, although this is likely to be extremely difficult in practice.
  • The target company and/or the seller and the potential buyer justify the lawfulness of the disclosure of data by a legitimate interest of the controller and the third party (Article 6 (1) f) GDPR), which is the sale being not viable without a prior analysis of the company by the potential buyer. The parties should sign an agreement regulating the purpose of data processing by the potential buyer as well as the security measures to be complied with and, possibly, the deletion of the data after completion of the due diligence.

Competition law

Another problem is that the disclosure of information may be contrary to the principle of competition law saying that no strategic information (e.g. relating to prices, conditions or other confidential information e.g. about new products) may be made available to competitors. Though the seller will not be inclined to reveal such information before the transaction is concluded, potential buyers often insist on obtaining at least some information they regard as essential for deciding whether or not to buy the company.

A possible solution in such a scenario is to make available certain sensitive information only to a very narrow group of people, often only the consultants of the potential buyer (the so-called clean team). In this case, data may be analysed but the result of the analysis is disclosed to the potential buyer only in filtered form, e.g. by stating that no special risks have been identified. This helps prevent the potential buyer – who is at the same time often the seller’s competitor, at least until the acquisition is completed – from drawing any advantages from such information, or the parties from concluding collusive arrangements.


Other aspects of compliance that might have to be taken into account in M&A transactions include:
  • Sell-side background check (Know Your Customer  KYC) including shareholders and management because pending proceedings against them may affect permits or authorisations held by the target company.
  • Structuring the transaction from the tax perspective in due consideration of the new so-called DAC 6 regulations because, depending on the given structure, it might be reportable to the competent tax authorities. Due to limited space, it is not possible to exhaustively explain the DAC 6 regulations in this article but a detailed description can be found in our  Special theme issue


Compliance is becoming more and more important also in M&A transactions and it touches on subject areas one would not necessarily think of immediately in this context. It is therefore all the more important to think about this in good time and to provide for appropriate measures and agreements.

 From the newsletter


Contact Person Picture

Stefan Brandes


+39 02 6328 841
+39 02 6328 8420

Send inquiry

 Experts explain


Deutschland Weltweit Search Menu