Data Protection in M&A Transactions in Italy

    View Author January 2021

    Since the entry into force of European Regulation 679/2016, (GDPR), on 25 May 2018, GDPR compliance has become an increasingly relevant element in M&A processes in Italy.

    The main issues giving rise to the increased focus on GDPR in the context of Italian M&A transactions include heightened awareness that:

    1. Buyers may ultimately have to bear the costs for historical data protection breaches committed by the target, which can trigger heavy administrative fines from the Italian Data Protection Authority, Garante per la Protezione dei Dati Personali (Garante).

    2. Data security breaches that have occurred pre-completion but are not detected until post-completion, may result in significant costs, penalties and claims. Data protection compliance breaches can also prevent the buyer from exploiting valuable personal data of the target.

    In this context, GDPR compliance has acquired a far more relevant role in the overall due diligence process in Italy, and, indeed, in the related business negotiations.