Inadequate data protection due diligence in M&A transactions can lead to high fines

11 Jul 2019

For the second time this week, the UK’s Data Protection Authority (ICO) announced its intention to impose a major fine for data breach under GDPR.

The ICO announced that, after an extensive investigation, Marriott International may face a £99 million fine for negligence in the course of an acquisition procedure completed in 2016. According to the ICO, Marriott International did not conduct its data protection due diligence with sufficient care, which led to a security breach in its systems and to exposure of customer information.

The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.” Elizabeth Denham, UK Information Commissioner.

It should be noted that the decision to fine is not final yet as Marriott International still has the right to defend itself. Furthermore, other data protection authorities involved still have the possibility to express their opinion on the matter.

The bottom line is, seeing the stakes involved, that data protection considerations have to be properly addressed when considering merger and acquisition operations.


Contact us

Leen Van Goethem

Leen Van Goethem

Senior Managing Associate, PwC Legal BV/SRL

Tel: +32 485 23 36 82

Follow us