Personal Data Processing in the Acquisition of a Company

by Gabriele Borghi


Attention to national and EU data-protection legislation has become increasingly (and incessantly) relevant in the evaluation of a corporate acquisition. Its purpose is to eliminate, or rather to reduce, the risk that the potential purchaser will be subject to the considerable administrative sanctions that the competent Supervisory Authority may impose under art. 83 of the GDPR, or will incur considerable management (and advisory) expenses in bringing the newly acquired company into line with that legislation. A thorough investigation, during the due diligence process, of the adequacy of the so-called target company is therefore of crucial importance.

In this regard, the Starwood Hotels & Resorts/Marriott International case is absolutely emblematic. In September 2016, Marriott Hotel Group completed the acquisition of Starwood, unaware that, back in 2014, Starwood had suffered a major and significant data breach involving approximately 339 million stakeholders: an event discovered only in November 2018, i.e. two years after the closing of the abovementioned corporate transaction.

Following the incident, on 30 October 2020, the Information Commissioner's Office (ICO) fined Marriott – even though not directly responsible for the personal data breach – EUR 20 million, since Marriott had failed to undertake sufficient due diligence in the acquisition of Starwood and should also have done more to secure its systems.

20 July 2021

Baldi & Partners