Deal
Due diligence

Data protection in due diligence: personal data and the GDPR in a company acquisition

Data protection in due diligence and at closing: legal basis for the data room, data minimisation and clean team, transmission at closing and GDPR compliance of the target company.

BRANDAUER Rechtsanwälte
Your law firm

BRANDAUER Rechtsanwälte

Salzburg law firm for corporate, company and transaction law

Every transaction is handled by a coordinated team of lawyers, legal staff and specialists. In company acquisition matters we look at structure, contract, tax and liability together.

26 June 2026 · Mag. Bernhard Brandauer, Rechtsanwalt

On the purchase of a company numerous items of personal data become visible: personnel files, salaries, customer lists and contracts with private individuals. As soon as this data enters the data room or passes to the buyer at completion, the General Data Protection Regulation applies. Data protection is therefore not a side issue of the transaction but a review subject in its own right.

This post shows what matters in data protection in due diligence and at closing. The focus is on the legal basis for disclosure in the data room, data minimisation through redaction and a clean team, the transmission of the data at the asset-deal closing as well as the data protection compliance of the target company itself.

From a lawyer perspective data protection requires a double view: the transaction itself must run in compliance with data protection law, and at the same time the data protection maturity of the target company must be reviewed. Both feed into the valuation and into the warranties of the purchase contract.

Classify your data protection in the review

Is the disclosure of the data compliant with data protection law?

Answer one or two questions on the legal basis and protective measures. You receive an initial classification of the most important data protection points to check.

Already know you want to get in touch? Go straight to the enquiry form.

01 Question 1

Is there a legal basis for disclosing personal data in the data room?

Employee and customer data in the data room are personal data. Their disclosure needs a basis under the GDPR, usually the legitimate interest.

All paths at a glance

Overview of all answers.

01

Without a legal basis the disclosure of data in the data room is inadmissible.

Whoever places employee or customer data in the data room without a legal basis risks a breach of the GDPR. Clarify the basis of disclosure before opening the data room, as a rule the legitimate interest under Art 6 GDPR, and document the balancing of interests required for it. Only then does the data belong in the data room. How the review is built overall is shown in the post on the due diligence checklist.

Only with a clean legal basis can the review of the data begin without a data protection risk.

02

Basis and protective measures are in place, now the clean implementation matters.

If the legal basis and protective measures are present, the data protection side is well set up. Pay attention in addition to the transmission of the data at closing, to any processors and to the information duties towards employees and customers. How data protection fits into the warranties is shown in the post on the warranty catalogue.

A short legal review ensures that the disclosure and the later transmission of the data are handled in compliance with data protection law.

03

The protective measures are incomplete, sharpening them is advisable.

As long as the data in the data room is not protected by redaction, pseudonymisation and need-to-know, there is a risk of excessive disclosure of personal data. Limit the disclosure to what is necessary for the review, agree a clean team for particularly sensitive data and define the circle of authorised persons. How the data protection compliance of the target company is to be reviewed beyond that is covered in the post on IP and IT in due diligence.

Have the protective measures completed before opening the data room. Data once disclosed cannot be retrieved.

Legal basis for disclosure in the data room

The data that a seller discloses in the data room regularly contains personal information: names of employees and customers, salaries, contracts and sometimes health or other sensitive data. Every processing of such data needs a legal basis under the GDPR. For disclosure within a transaction, practice usually relies on the legitimate interest under Art 6 GDPR.

The legitimate interest requires a balancing between the interest of the parties in the review and the interests of the data subjects. This balancing should be documented, so that it is provable in case of dispute. With particularly sensitive data the legitimate interest is often not sufficient; here an additional safeguard is needed.

It is important to clarify the legal basis before opening the data room. Whoever first discloses data and only later looks for the basis has already carried out the processing. How this question fits into the overall review is shown in the post on the due diligence checklist.

Data minimisation, need-to-know and clean team

Even with a legal basis the principle of data minimisation applies. Only what the review actually requires should be disclosed. In practice this means redaction and pseudonymisation: names are removed, salaries aggregated, individual persons no longer made directly identifiable. In this way the economic substance of the information can be reviewed without unnecessarily disclosing the data subjects.

In addition the need-to-know principle applies: access is granted only to those who need the data for their task. For particularly sensitive information, such as competitive data or individual salaries, the clean team has proven its worth. Here a narrowly limited, often external circle sees the raw data and passes only aggregated results to the parties.

These measures protect not only the data subjects but also the parties themselves, for example against competition-law concerns in an exchange of sensitive competitive data. We explore the concept of due diligence on our focus page on due diligence.

Transmission of the data at closing

At completion of the transaction the data protection question arises again. In an asset deal the data passes to the buyer along with the business; this transfer is a separate processing with its own legal basis and its own information duties. Employees and customers must be informed of the new controller as soon as the business passes over.

In a share deal, by contrast, the data remains with the company, because only the holder of the shares changes. A transmission to a new controller does not take place; the information duties depend on the specific situation. This distinction follows the general structure that the post on the warranty catalogue takes up for the contractual safeguard.

Existing processor arrangements must also be observed. If the company uses service providers, for instance for payroll or cloud, the corresponding contracts must be continued or newly concluded. Where IT and cloud process personal data, data protection interlocks with the IT contracts, as the post on IP and IT in due diligence shows.

The most important points

What matters in data protection in the transaction

These points decide on the data-protection-compliant handling. Check each one individually.

Data protection points to check in due diligence and at closing with recommended drafting and possible risk
Point Recommended Possible risk
Legal basis Legitimate interest documented Balancing before opening the data room Disclosure without a tenable basis
Data minimisation Redaction and pseudonymisation Only what is necessary for the review disclosed All data openly accessible
Clean team Sensitive data sealed off Only aggregated results to the parties Competitive data exchanged unfiltered
Transmission Separate basis at closing Information duties towards data subjects met Data transfer without informing the data subjects
Compliance Maturity of the target company reviewed Record of processing and TOMs present Open data breaches and missing measures

The specific design of the measures depends on the sensitivity of the data. Special categories of personal data demand stricter protection than general business contacts.

Caution with unprotected disclosure: Whoever places personal data in the data room without a legal basis or transmits the data at closing without informing the data subjects risks a breach of the GDPR and serious consequences. Have the data protection of the transaction reviewed before opening the data room. Booking an initial consultation (72 euro) can quickly bring clarity.

Data protection compliance of the target company

Alongside the transaction itself, the data protection maturity of the target company is a review subject in its own right. Reviewed are the record of processing activities, the technical and organisational measures, the handling of data breaches and the fulfilment of data subject rights such as access and erasure. A company with incomplete compliance carries a latent risk.

Such findings affect the valuation and the warranties. Common are warranties on compliance with the GDPR, on the presence of the records of processing and on the absence of open data protection proceedings. Identified risks, for example an ongoing supervisory review, can be covered by a targeted indemnity.

In practice it is worth involving data protection early in the review, because it touches the disclosure, the closing and the valuation at the same time. An initial assessment of the overall risks is provided by our M&A transaction risk profile.

Frequent questions

Data protection in due diligence in a company acquisition.

Do I need a data protection basis for the data room? +

Yes, as soon as the data room contains personal data, the disclosure needs a legal basis under the GDPR. In practice the disclosure usually relies on the legitimate interest under Art 6 GDPR, combined with a documented balancing of interests. This basis should be clarified before opening the data room.

What is a clean team in due diligence? +

A clean team is a narrowly limited, often external circle of persons that may view particularly sensitive data and passes only aggregated results to the parties. It serves data minimisation and at the same time protects against competition-law concerns in the exchange of sensitive competitive data, such as individual prices or salaries.

Is the data transmission at closing relevant to data protection? +

In an asset deal the data passes to the buyer along with the business; this transfer is a separate processing with its own basis and information duties towards employees and customers. In a share deal, by contrast, the data remains with the company, because only the holder of the shares changes. The information duties then depend on the specific situation.

Topics
Data protectionGDPRData roomClean teamDue diligence

Structuring a deal, reviewing a contract, securing the risks?

When buying a company, structure, review and contract decide. Call us directly or send an email, callback within one business day.

Contact

A direct line to the firm.

Address

BRANDAUER Rechtsanwälte GmbH Giselakai 51 5020 Salzburg