The impact of the EU GDPR and UK GDPR on M&A transactions
The impact of the EU GDPR and UK GDPR on M&A transactions

The following Corporate practice note provides comprehensive and up to date legal information covering:

  • The impact of the EU GDPR and UK GDPR on M&A transactions
  • Conceptual changes under the EU GDPR and UK GDPR
  • Sanctions
  • Territorial scope
  • ‘Personal data’ definition and data protection principles
  • Transparency and accountability
  • Preliminary Documents
  • Confidentiality agreement/non-disclosure agreement
  • Seller’s pre-disclosure assessments
  • More...


The General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR) became directly applicable and fully enforceable in all EU Member States from 25 May 2018. It introduced substantial amendments to EU data protection law and, in the UK, it replaced the Data Protection Act 1998 (DPA 1998) and Directive 95/46/EC (the Data Protection Directive).

On 31 January 2020, the UK ceased to be an EU Member State and entered an implementation period, during which it continued to be subject to EU law. The EU GDPR regime was applicable under UK law until the end of the implementation period (11 pm UK time on 31 December 2020) and remains applicable in the EEA.

The Retained General Data Protection Regulation, Retained Regulation (EU) 2016/679 (UK GDPR) regime is applicable under UK law from the end of the implementation period. The UK GDPR is heavily derived from the EU GDPR and generally the terms and core concepts used in the UK GDPR have the same meaning as they do in the EU GDPR, although there are a number of key detailed differences between the two regimes. In summary, in a similar manner to the EU GDPR, the UK GDPR applies to the processing of personal data and provides rights to those data subjects whose data is processed, and imposes obligations on both controllers and processors of the personal data. Where there

Popular documents