Czech Republic: How the EU’s General Data Protection Regulation (GDPR) applies to due diligence reviews and M&A transactions

Privacy protection plays a vital role in every transaction, whether in assessing the risks for the buyer, should personal data in the target company not be handled correctly, or in considering how to deal with personal data obtained within the framework of legal due diligence. It affects sellers, buyers and target companies alike.

The EU’s General Data Protection Regulation, which came into effect throughout the EU on 25th May, 2018, not only affects the day-to-day running of companies and their marketing departments, but, as it turns out, also has a major impact on M&A transactions. Every company processes personal data, be it that of its employees, customers, or business partners, and uses this data, for example, to send special offers to email addresses, or to create a large customer database, or for customer profiling. Moreover, this data is often shared among several companies within a concern or group.

Mgr. Roman Macháček, senior lawyer and insolvency trustee, ECOVIS ježek, advokátní kancelář s.r.o., Prague, Czech Republic

We can provide assistance to businesses needing to adapt their structures to the new GDPR.

The obligations set out in the new GDPR therefore force all parties involved in acquisition transactions to review their existing procedures and to adopt new measures to protect personal data. This primarily concerns personal data that is made available to the buyers and their advisers within a legal due diligence review of the purchased company. In this case, the buyers will become personal data controllers once they gain access to the data room where the data is located, explain Ecovis’ experts.

However, both the seller and the purchased company should also pay attention to the protection of personal data. It is they who have to ensure that personal data is made available in accordance with the GDPR, only on a need-to-know basis necessary for the completion of the transaction, and exclusively to authorised persons. Personal data must also be sufficiently protected from unauthorised handling and, in the event of an unsuccessful acquisition, demonstrably destroyed.

JUDr. Mojmír Ježek, Ph.D., Managing Partner, ECOVIS ježek, advokátní kancelář s.r.o., Prague, Czech Republic

It is imperative that businesses adhere to the conditions of the EU’s General Data Protection Regulation if they wish to avoid drastic penalties in the case of contravention.

Should any participating party breach its obligations under the GDPR, it is liable to a fine of up to EUR 20 million or, in the case of an enterprise, up to 4% of the total annual worldwide turnover for the previous financial year, whichever is higher.

The GDPR’s entry into force therefore necessitates a re-evaluation of the entire acquisition process, in particular in relation to the due diligence review of a company and establishment of a data room, and the setting up of new privacy rules that will be in line with the GDPR. For more information, please visit:
