GDPR Exposure in Cross-Border Acquisitions

January 2026 · 7 min read · JuristVault Research

Why post-close GDPR liability is the most underestimated risk in European M&A transactions — and the 5 clauses missing from most SPAs.

Why GDPR Liability is the Most Underestimated M&A Risk

When M&A practitioners assess deal risk, they typically focus on financial, operational, and legal contingencies in that order. GDPR compliance — if it appears at all — is usually a box-ticking exercise in the final stages of due diligence.

This is a structural oversight with increasingly severe financial consequences. Under the GDPR, fines can reach €20M or 4% of global annual turnover — whichever is higher. Following an acquisition, the acquirer inherits the target's GDPR liability in full. There is no clean-break principle for data protection violations.

The European Data Protection Board has made clear that a change of control does not affect the ongoing liability of a data controller. If the target was processing personal data unlawfully before closing, the acquirer becomes responsible for that unlawful processing on day one of ownership — and for any enforcement action that follows.

What Happens to Data After Closing

Closing triggers a series of data-related events that most SPA frameworks are not designed to handle:

→ Controller status transfer. The acquirer becomes the data controller for all personal data held by the target. If the target's privacy notices didn't contemplate a change of control, the continued processing of that data may lack a valid legal basis.

→ Cross-border transfer triggers. In cross-border acquisitions, data that was lawfully held in one jurisdiction may now be accessible to entities in another. Without adequate safeguards (SCCs, BCRs, or adequacy decisions), this constitutes an unlawful transfer.

→ Processor contract inheritance. The target's data processing agreements with third-party processors are inherited by the acquirer. If those agreements don't meet GDPR Article 28 requirements, the acquirer is immediately non-compliant.

The 5 GDPR Clauses Missing from Most SPAs

01. Data Processing Register Warranty

Most SPAs warrant that the target "complies with applicable data protection law" — a warranty so broad it is effectively unenforceable. A properly drafted SPA should include a specific warranty that the target maintains an accurate Record of Processing Activities (ROPA) under Article 30, with a representation that it was up to date at signing.

02. Lawful Basis for Processing Representation

The target should represent, for each category of personal data processed, the specific legal basis under Article 6 (and Article 9 for special categories) relied upon. Absent this representation, the acquirer cannot assess whether continued processing post-closing is lawful.

03. Data Breach Notification History

GDPR requires notification of personal data breaches within 72 hours of discovery. Targets frequently have unreported incidents that were classified internally as non-notifiable. A specific indemnity covering pre-closing breach notification failures is essential — and almost never included in standard SPAs.

04. Data Subject Rights Compliance Indemnity

Targets with large consumer datasets often have backlogs of outstanding data subject requests — access, erasure, portability requests that were not fulfilled within the statutory timeframe. Each unfulfilled request is a separate violation. An indemnity covering pre-closing non-compliance with data subject rights should be a standard SPA provision in consumer-facing acquisitions.

05. Cross-Border Transfer Mechanism Certification

If the target transfers personal data to third countries, the SPA should include a representation that valid transfer mechanisms are in place for each transfer, and an indemnity covering any SCCs that were invalidated by the Schrems II or subsequent decisions. The Schrems II fallout created a wave of unlawful transfers that many companies have not fully remediated.

Real Exposure: Companies Fined Post-Acquisition

The regulatory record is clear: supervisory authorities do not provide post-acquisition grace periods. Three enforcement patterns are particularly relevant for M&A practitioners:

Marriott / Starwood

$123M ICO fine for a breach that occurred pre-acquisition and was inherited post-closing. Marriott had not performed adequate GDPR due diligence before acquiring Starwood.

British Airways

£20M fine for a breach that involved systems and data processing practices that predated the GDPR enforcement date, demonstrating that regulators assess practices holistically rather than only from the enforcement date onward.

Post-closing notification failures

Several enforcement actions in France, Germany, and the Netherlands have targeted acquirers who failed to issue new privacy notices to data subjects following a change of control — a requirement that is almost never addressed in SPA closing conditions.

Due Diligence Checklist for GDPR Compliance

A minimum GDPR due diligence checklist for cross-border acquisitions involving EU personal data:

1. Request and review the target's ROPA (Record of Processing Activities)
2. Map all personal data categories and confirm the lawful basis for each
3. Review all data processing agreements with third-party processors
4. Confirm cross-border transfer mechanisms and post-Schrems II remediation status
5. Review the data breach log and all correspondence with data protection authorities (DPAs) for the past 3 years
6. Confirm the data subject request backlog and outstanding unfulfilled requests
7. Review privacy notices for change-of-control disclosure obligations
8. Obtain a specific GDPR indemnity for pre-closing non-compliance
9. Include a GDPR closing condition: delivery of updated data processing agreements (DPAs) on the closing date
10. Plan post-closing data subject notification within 30 days
