Top 5 GDPR Risks in Business Transfers

When buying or merging with a company, GDPR compliance can make or break the deal. Ignoring privacy risks could leave you with millions in fines or liabilities. Here’s what you need to know:

• Hidden Data Breaches: Past violations, like undisclosed breaches, transfer to the buyer and could cost millions.
• Weak Vendor Contracts (DPAs): Missing or flawed agreements with third-party processors create compliance gaps.
• Illegal Data Transfers: Outdated or missing Standard Contractual Clauses (SCCs) for cross-border data flows lead to irrevocable liabilities.
• Data Subject Rights Violations: Mishandling access, deletion, or other requests can result in fines or lawsuits.
• Poor Security Measures: Weak safeguards risk long-term exposure to GDPR penalties.

Key takeaway: Conduct detailed privacy due diligence before closing any deal. Engaging fractional CFO services can help ensure financial and regulatory risks are fully assessed during this process. Missing this step could leave you exposed to regulatory fines, lawsuits, and reduced deal value.

Navigating Data Privacy in Mergers & Acquisitions: A DPO's Perspective

sbb-itb-e766981

1. Hidden Data Breaches or Past Non-Compliance

When you acquire a company, you also take on its entire compliance history - good or bad. This includes any undisclosed data breaches, unresolved regulatory investigations, or pending complaints from data subjects that existed before the acquisition. Unlike other liabilities, these issues often don't appear on a balance sheet, making them harder to spot.

Impact on Compliance and Liability

After the deal closes, your company assumes the role of data controller, which means you're now the primary focus for regulatory scrutiny. While a single breach can be damaging, ongoing or systemic compliance failures add layers of liability until they’re fully resolved.

Take the Marriott-Starwood case as an example. Marriott bought Starwood Hotels in 2016, only to discover in 2018 that a data breach had been active since 2014 - two years before the acquisition. This breach compromised around 339 million guest records. Because Marriott inherited the liability, they were fined £18.4 million (about $23 million) by the UK Information Commissioner's Office in 2020. The penalty was tied to Marriott’s failure to conduct proper due diligence and secure the systems they had acquired ^[3].

Potential Financial or Legal Consequences

Privacy violations can lead to more than just fines - they transfer long-term risks to the acquiring company. Fines under regulations like GDPR can range from millions to hundreds of millions of euros, even for issues unrelated to breaches, such as flawed data processing agreements or unlawful consent practices. Some violations, like improper international data transfers without the correct safeguards, can’t be fixed retroactively. This means any liability tied to those transfers becomes your problem. To make matters worse, standard representations and warranties insurance often doesn’t adequately cover these risks or may exclude them entirely ^[1].

Mitigation Strategies to Address the Risk

Addressing these risks requires swift and detailed action. Start by requesting the target company’s Record of Processing Activities (RoPA), as mandated by GDPR Article 30. If they can’t provide a complete RoPA, it’s a major warning sign of a weak compliance program. In such cases, you may need to reconstruct their compliance history using forensic system logs and network data to identify unauthorized data processing.

To ensure the integrity of evidence, use hash-verified methods like SHA-256 for screenshots and compliance documentation. This helps confirm that no records were altered during the transaction. Additionally, review how consent was collected, along with timestamps. Invalid consent records could mean that data processing lacked a lawful foundation from the outset. Finally, any identified compliance gaps should be clearly outlined and factored into the deal terms before the acquisition is finalized.

2. Missing or Weak Data Processing Agreements with Third Parties

When a company relies on third-party vendors - like cloud providers, marketing platforms, or HR systems - to handle customer data, GDPR Article 28 mandates a legally binding Data Processing Agreement (DPA). Without this agreement, the company is instantly in violation of GDPR. If you acquire such a business, you also inherit any gaps in their vendor contracts. Worse, violations that occurred before the acquisition can’t be undone for data that’s already been processed ^[4]. This lack of proper contractual safeguards not only breaches regulations but also opens the door to complicated liability issues.

Impact on Compliance and Liability

One of the major pitfalls is misclassification. Many companies mistakenly identify themselves as "processors" when they’re actually "controllers." This is especially common among SaaS businesses that use customer data for analytics or product development. Such misclassification disrupts consent accuracy and contractual obligations ^[1]. Under GDPR Article 82, both controllers and processors can be held jointly liable for damages to a data subject, meaning weak DPAs can lead to shared financial risks ^[6].

Another issue arises with sub-processors. If a DPA doesn’t require vendors to notify you before using sub-processors, your company could face liability for unauthorized data processing ^[1]. In the U.S., poorly defined vendor contracts under laws like the CCPA/CPRA might even be interpreted as the "sale" of personal information, leading to retroactive opt-out violations ^[1].

Potential Financial or Legal Consequences

These compliance gaps can have serious financial repercussions. Flawed DPAs can lead to tiered GDPR fines. Processor-related violations may result in fines of up to $10 million or 2% of global annual revenue, whichever is greater. More severe breaches, such as processing data without a lawful basis, could result in fines as high as $20 million or 4% of global annual revenue ^[4][2][5]. As Alex Lubyansky, M&A Attorney at Acquisition Stars, puts it:

"Privacy errors like missing Standard Contractual Clauses or vendor misclassification can generate nine-figure liability" ^[1].

Such liabilities can impact deal valuations or even derail transactions entirely.

Mitigation Strategies to Address the Risk

The first step is to perform a thorough inventory of DPAs across all vendor relationships, including SaaS tools, cloud services, marketing platforms, and HR systems. Examine each agreement to ensure it contains the required GDPR Article 28 elements. Update any outdated references to the 2010 SCCs with the mandatory 2021 version, as using old SCCs may result in Chapter V violations ^[4][1].

Automated tools can help map data flows and match them to your DPA inventory. This approach also uncovers "shadow IT", revealing unauthorized tools that may be processing data without proper agreements. For EU-to-U.S. data transfers, ensure a Transfer Impact Assessment (TIA) has been conducted. This assessment evaluates whether U.S. surveillance laws compromise the assurances provided by your Standard Contractual Clauses ^[1]. Any gaps discovered during this process should be documented and considered in the purchase price before closing, as inherited violations can create ongoing liability risks.

3. Illegal Cross-Border Data Transfers

Illegal cross-border data transfers bring their own set of challenges, much like hidden breaches and weak DPAs in business transfers. Under GDPR, transferring personal data from the European Economic Area (EEA) to non-EEA countries - like the United States - requires a valid legal mechanism. Without approved tools such as Adequacy Decisions, Standard Contractual Clauses (SCCs), or Binding Corporate Rules, the transfer is non-compliant from the outset. During acquisitions, buyers inherit the liability for any past non-compliant transfers. Even if safeguards are put in place after the deal is finalized, prior violations remain. As Alex Lubyansky, M&A Attorney at Acquisition Stars, points out:

"Defective or missing Standard Contractual Clauses for EU-to-US transfers create irrevocable liabilities. Buyers acquiring targets with EU data flows and no SCC documentation are inheriting historical violations" ^[1].

This reality highlights the importance of thorough due diligence to ensure proper international data transfer mechanisms are in place.

Impact on Compliance and Liability

The Schrems II ruling reshaped how cross-border data transfers must be handled. Companies can no longer rely solely on Standard Contractual Clauses; they must also conduct a Transfer Impact Assessment (TIA). This assessment evaluates whether laws in the destination country - such as U.S. surveillance laws like FISA Section 702 or Executive Order 12333 - compromise GDPR protections. Many businesses still use outdated 2010 SCCs instead of the updated 2021 version, creating compliance risks. Misclassifying a company as a processor instead of a controller can further undermine the entire transfer framework.

Potential Financial or Legal Consequences

Failing to comply with GDPR’s cross-border transfer rules can lead to hefty fines: up to $20 million or 4% of global annual revenue, whichever is higher ^[8]. Beyond financial penalties, regulators could order companies to stop data transfers altogether, potentially halting operations. While these risks might not show up on balance sheets, they can result in liabilities so severe - sometimes reaching nine figures - that they could reprice or even derail an acquisition ^[1].

Mitigation Strategies to Address the Risk

To tackle these risks, businesses should:

• Audit all SCCs to confirm they align with the 2021 version, as outdated clauses jeopardize compliance.
• Verify the validity of Data Privacy Framework (DPF) certifications for U.S. transfers, ensuring they cover the specific data types being transferred. Keep SCCs as a backup, given the uncertain future of adequacy agreements.
• Examine actual data flows, not just contractual claims, to identify unauthorized transfers or "shadow IT" lacking safeguards.
• Conduct a Transfer Impact Assessment for each country without an adequacy decision, and implement supplementary measures like encryption or pseudonymization if risks are found.
• Document findings and adjust the purchase price to reflect any compliance gaps uncovered during due diligence.

These steps can help reduce exposure to liabilities tied to cross-border data transfers during acquisitions.

4. Ignoring Data Subject Rights During Transfer

When a business changes hands, the rights of individuals over their personal data don't just disappear - they stay fully enforceable. Under GDPR, individuals are entitled to rights like accessing their data, correcting inaccuracies, requesting erasure (the "right to be forgotten"), data portability, and objecting to certain processing activities ^[1]. These rights remain intact during a business transfer, meaning any compliance issues from the seller are passed on to the buyer. Essentially, if the target company mishandled data subject rights, the new owner inherits those liabilities.

Impact on Compliance and Liability

Alex Lubyansky, an M&A Attorney at Acquisition Stars, sums it up perfectly:

"A buyer that closes an acquisition without conducting structured privacy diligence inherits every pre-closing violation of the target." ^[1]

For instance, if the target company ignored deletion requests, failed to respond to access requests, or missed the 30-day deadline for Subject Access Requests (SARs), the buyer takes on both the historical violations and the ongoing risks ^[1]. A backlog of unresolved SARs or a pattern of delays could signal deeper compliance issues that demand immediate attention after the acquisition.

A real-world example? In July 2025, the Austrian non-profit noyb filed GDPR complaints against TikTok and SHEIN for failing to adequately respond to data access requests regarding transfers to China ^[9]. This case highlights how unresolved data subject requests can escalate into major regulatory headaches, harming both reputation and finances.

Potential Financial or Legal Consequences

Failing to address these issues can lead to steep penalties. GDPR violations can result in fines of up to $20 million or 4% of global annual revenue, whichever is higher ^[2]. Beyond fines, individuals can seek compensation if their rights are breached ^[7].

The stakes are climbing, too. Data subject access requests have surged by 50% in just two years ^[9]. In 2025, noyb also filed a cease and desist against Meta over objections to its AI training practices, with potential legal claims reaching an eye-watering $220 billion ^[9]. If a company refuses to comply with a request, it must inform the individual of their right to file a complaint with a Data Protection Authority or pursue a judicial remedy ^[10].

Mitigation Strategies to Address the Risk

To limit the risks tied to data subject rights, buyers need to approach privacy diligence with care. Here are some practical steps:

• Audit the target’s SAR processes: Review the volume of requests, response times, and any backlogs to identify gaps in compliance ^[1].
• Verify erasure request handling: Ensure requests are properly managed internally and communicated to all sub-processors ^[1].
• Maintain detailed records: Keep logs of all requests, including how and when they were resolved, to demonstrate compliance ^[10].
• Stick to response deadlines: Respond to SARs within one month. For complex cases, notify the individual within that timeframe about a possible extension of up to two additional months ^[10][11].
• Update privacy notices post-transfer: Reflect the new data controller’s identity and any changes in processing activities immediately after the transaction ^[1].

5. Weak Technical and Organizational Security Measures

Weak technical and organizational security measures don’t just create cybersecurity risks - they can also lead to ongoing GDPR compliance failures. These failures don’t disappear after a single breach; instead, they accumulate over time. When a buyer acquires a company with lax security practices, they inherit not only the existing violations but also the continued exposure to legal and financial risks.

Impact on Compliance and Liability

Weak security controls create a ripple effect of compliance challenges. GDPR Article 30 requires data controllers to maintain a detailed Record of Processing Activities (RoPA), documenting the technical and organizational measures in place to protect personal data. An incomplete or missing RoPA signals deeper compliance issues, such as undocumented employee data, untracked third-party analytics tools, or overlooked B2B contact processing.

Misclassifications add another layer of risk. Many SaaS companies incorrectly identify themselves as "processors" while acting as controllers by using customer data for analytics. This leads to errors in privacy notices and flawed vendor Data Processing Agreements (DPAs).

Alex Lubyansky, M&A Attorney at Acquisition Stars, highlights the hidden nature of these risks:

"Privacy violations are often invisible in the data... [and] have liability that does not appear on the balance sheet and that standard representations and warranties insurance may exclude or undervalue."

Potential Financial or Legal Consequences

GDPR violations tied to weak security measures or flawed data processing agreements have led to fines reaching hundreds of millions of euros. These liabilities can easily surpass $100 million, potentially delaying or derailing transactions ^[1]. Regulators are increasingly targeting systemic processing errors, rather than just reacting to breaches. Inadequate safeguards - like missing multi-factor authentication (MFA), irregular penetration testing, or the absence of a documented incident response plan - are now under greater scrutiny. The updated GLBA Safeguards Rule also mandates these measures, further emphasizing their importance.

Mitigation Strategies to Address the Risk

Buyers need to go beyond SOC 2 reports to fully understand data flows and processing responsibilities. Automated tools can help map actual data flows when the RoPA is incomplete, revealing gaps that might otherwise go unnoticed.

Ensuring modern security standards is critical. This includes implementing multi-factor authentication, conducting regular penetration testing, and maintaining a documented incident response plan. Vendor contracts should also be reviewed to confirm compliance with GDPR Article 28, including up-to-date sub-processor details.

For high-risk activities, such as targeted advertising or handling sensitive data, conducting a Data Protection Impact Assessment before closing a deal can uncover and address vulnerabilities. Post-acquisition, integrating data systems should be treated as a compliance project, not just an IT task. Skipping updated privacy notices or renewed consents during integration can lead to fresh violations. These steps are essential for safeguarding against inherited security weaknesses and ensuring long-term compliance.

Risk Mitigation Checklist

This checklist breaks down the key GDPR risks and the steps to address them into practical actions for both the pre- and post-transfer phases. Each step plays a crucial role in ensuring a smooth transition during business transfers.

After the deal closes, it’s essential to update privacy notices and obtain new consents when combining data processing activities. As Alex Lubyansky, M&A Attorney at Acquisition Stars, emphasizes:

"Post-close privacy notice integration is not a routine IT task. Merging two companies' data processing activities without updating privacy notices... can constitute a violation of every privacy law applicable" ^[1].

Refer to the table above for a clear roadmap of action items to guide you through the due diligence and integration stages effectively.

Conclusion

GDPR compliance has become a critical factor in shaping modern business transfers. As Alex Lubyansky, M&A Attorney at Acquisition Stars, explains:

"A buyer that closes an acquisition without conducting structured privacy diligence inherits every pre-closing violation of the target" ^[1].

Privacy liabilities often fly under the radar, hidden from balance sheets, yet they can bring staggering costs - sometimes reaching nine figures - that have the potential to derail entire deals ^[1].

These risks are not isolated but systemic. Privacy violations tend to build up over time, creating significant exposure. For instance, missing Standard Contractual Clauses tied to historical data transfers result in liabilities that cannot be retroactively fixed ^[1]. Furthermore, EU regulators have imposed fines amounting to hundreds of millions of euros for GDPR violations unrelated to breaches - such as improper consent mechanisms or flawed data processing agreements. To make matters worse, standard representations and warranties insurance often excludes or undervalues these privacy-related risks, leaving buyers vulnerable ^[1].

In M&A transactions, starting privacy diligence early is key. This includes conducting deep-dive reviews, analyzing data flows, auditing vendor contracts, and planning post-close integration. These steps allow companies to identify gaps, estimate costs for remediation, and incorporate those findings into deal terms before finalizing the transaction. By addressing GDPR risks upfront, businesses can protect both deal valuation and operational continuity. Phoenix Strategy Group's M&A advisory services specialize in helping companies navigate these complex GDPR requirements, ensuring smooth transitions and safeguarding company value.

FAQs

What GDPR liabilities can’t be fixed after closing?

When it comes to GDPR, certain liabilities simply can’t be fixed after a deal is closed. For example, missing or invalid Standard Contractual Clauses (SCCs) for data transfers between the EU and the US can create serious complications. Similarly, unresolved violations related to how data is classified, whether proper consent was obtained, or issues with privacy notices can leave you exposed.

These aren’t just minor oversights - they could result in inheriting past violations, along with hefty legal and financial consequences.

What documents should I request for GDPR due diligence?

To effectively assess GDPR compliance during due diligence, the following documents are crucial:

• Data Processing Activities: Detailed records outlining how personal data is collected, processed, stored, and shared. This should include information on the purposes of processing and the categories of data subjects and personal data involved.
• Privacy Policies: Up-to-date privacy notices that explain how data is handled, including transparency obligations required under GDPR, such as informing individuals about their rights and how to exercise them.
• International Data Transfer Mechanisms: Documentation for mechanisms like Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) to ensure lawful cross-border data transfers.
• Vendor Agreements: Contracts with third-party vendors or processors that outline GDPR-compliant terms, including data protection clauses, security measures, and breach notification requirements.
• Records of Data Subject Consents: Evidence that consent was obtained lawfully, including when, how, and for what purpose consent was given. This ensures compliance with GDPR's strict consent requirements.
• Disclosure Records: Logs or records showing when and how personal data has been disclosed to third parties, ensuring transparency and accountability.

Having these documents readily available not only demonstrates GDPR compliance but also provides a clear framework for data protection practices during due diligence reviews.

How do I verify EU-to-U.S. data transfers are compliant?

To stay compliant with GDPR when transferring data from the EU to the U.S., it's crucial to use approved mechanisms like Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs). Start by conducting detailed data mapping to identify and track all cross-border data flows. This helps pinpoint any compliance gaps that need addressing.

Keep your privacy policies and vendor contracts up to date by including the necessary clauses for GDPR compliance. Regular audits are also essential to ensure ongoing adherence. Be aware that missing or improperly implemented SCCs can result in violations, so regular assessments of your processes and agreements are a must.

Related Blog Posts

• Data Privacy Due Diligence for Cross-Border M&A
• M&A Risks: Data Breach Compliance in Cross-Border Deals
• Privacy Impact Assessments in M&A: Key Steps
• GDPR Risks in Cross-Border M&A Deals