The impact of GDPR on M&A transactions

The perspective from Poland

21 December 2017

To date the practical risk of significant fines for inadequate protection of personal data was marginal in Poland. Despite the fact that the current regulations were rarely fully observed, personal data was usually not a risk factor in Polish M&A transactions. This may change after 25 May 2018, when the EU General Data Protection Regulation (GDPR) comes into force.


Prior to 25 May 2018 every business must review the way it processes data, create its own procedures for protecting data (including for reporting every infringement), and ensure that the new legal requirements protecting personal data are applied in practice (including training employees). The GDPR also grants a number of new rights to data subjects and imposes on entrepreneurs much more detailed and burdensome reporting obligations. Changes in agreements with service providers and, in many cases, changes in IT systems and products (e.g. mobile applications) will be necessary.

For many Polish companies the proper implementation of the GDPR will be a considerable challenge requiring the involvement of the entire organisation, and not only the HR department, lawyers, marketing and IT staff. Noncompliance may result in fines, for each infringement, of up to the higher of the following amounts: (i) EUR 20,000,000 or (ii) 4% of the infringer's worldwide turnover.

The GDPR will be effective in the entire European Union, but in certain areas, especially HR, it will be supplemented by national regulations, which may differ significantly from one another.


The GDPR will force a new approach by businesses to data protection in their day-to-day activity. However, the tougher regime and higher penalties will also have an impact on M&A transactions.

Innovative businesses are increasingly dependent on information technologies and data processing. Innovations create value, but without proper compliance, an effective cyber security strategy and sound procedures for dealing with a breach of cyber security, this area may become a significant risk factor in M&A transactions.

It is worth identifying this risk during the due diligence process and addressing it in the documentation. An entrepreneur who entrusts the processing of personal data to others must adapt its agreements to the requirements under the GDPR and make sure that the service provider has properly implemented the GDPR. This is why agreements concerning data processing will now require special attention during a due diligence exercise, irrespective of their value. In the case of advanced IT technologies, an additional technological audit covering compliance with the GDPR and cyber security may be necessary.

Although there is still some time left until May 2018, the state of preparations for the implementation of the GDPR should already be reviewed - those who have not yet commenced the implementation process might not make it on time.