The impact of the GDPR on M&A transactions
The impact of the GDPR on M&A transactions

The following Corporate guidance note provides comprehensive and up to date legal information covering:

  • The impact of the GDPR on M&A transactions
  • Brexit impact
  • The GDPR
  • Seller and buyer considerations
  • Changes under the GDPR
  • Sanctions
  • Territorial scope
  • ‘Personal data’ definition and data protection principles
  • Transparency and accountability
  • Preliminary Documents
  • more

Brexit impact

The law as set out in this Practice Note may be affected by Brexit. For further details of its impact, see Practice Note: Brexit—impact on private M&A transactions.


The General Data Protection Regulation, Regulation (EU) 2016/679 (GDPR) introduced substantial amendments to data protection law in the UK, replacing the Data Protection Act 1998 (DPA 1998) and Directive 95/46/EC (the Data Protection Directive). The GDPR became directly applicable and fully enforceable in all EU Member States from 25 May 2018.

On 31 January 2020, the UK ceased to be an EU Member State and entered an implementation period, during which it continues to be subject to EU law. During this period, the GDPR applies in the UK and the UK generally continues to be treated as an EU (and EEA) state for EEA and UK data protection law purposes. Any references to EEA or EU states in this Practice Note should therefore be read to also include the UK until the end of the implementation period. For further guidance on that period, its duration and the data protection laws that are anticipated to apply after the end of it, see Practice Note: Brexit—implications for data protection.

Under the GDPR, Member States are allowed to introduce further domestic provisions in a number of areas, although specific implementing legislation is not required. The