German Corporate Law Update: Important Changes In Acquisitions And Investments


For companies interested in investing in, purchasing or selling German companies, here are several recent developments related to Data Privacy and Cybersecurity, M&A, Employment and Tax law that are helpful to keep in mind.

Data Privacy and Cybersecurity

Less than 18 months from now, the new European Data Privacy Regulation ("GDPR") will take effect. These new data privacy and cybersecurity laws will govern companies in Germany and other European Union member states, including service providers outside the EU that service customers or target European residents, and will require them to boost their data privacy compliance programs and adjust their processing operations. The consequences for noncompliance will be significant. GDPR authorizes fines of the greater of 4% of global turnover or € 20,000,000. In addition, depending on the EU Member State, noncompliant companies face significant risk of class actions for injunctions and damages that will likely lead to increased data privacy-related litigation. Further, depending on the business sector and size of the business, companies may be subject to increased requirements on data IT security.

Action Items for Corporates:

Get an Overview and Start to Prepare

While May 2018 seems like a long way off, companies should immediately start preparing for GDPR compliance. Because of the technologies and systems affected, it will likely require significant time to understand and manage the data processing and transfer activities, whether within a group of companies or between a company and its outside vendors. For example, new applications that process personal data must be designed to incorporate the requirements of Privacy by Design and Privacy by Default, which require that applications do not use more personal data than needed and deactivate by default any features that go beyond what is required for a specific data processing purpose. In addition, applications must ensure that personal data will be physically deleted once the purpose for which such data was collected no longer exists. Today, only a fraction of applications comply with these requirements. Consequences of noncompliance will begin in May 2018, and include significant fines and serious impediments if a company wants to sell its applications or services to EU customers.

Purchase of Data Assets

Where companies are considering the purchase of customer data from a company in the EU, they will need to carefully review and assess how such data can be transferred and used in compliance with the data privacy laws. Supervisory authorities have become increasingly active in reviewing the sale of customer data and have issued significant fines in recent months where customer data was purchased without getting prior consent, or at least notifying the concerned customers in advance. In addition, noncompliance can lead to prohibition on the use of the data entirely, rendering the purchase of the data asset worthless.

Review Data Privacy Compliance of Data Sensitive Target Companies

GDPR will also apply to non-EU companies that process personal data received from EU customers or target EU residents with services or products (e.g., via online behavioral monitoring). Investors should carefully review whether the...
