Responsibility for GDPR compliance of the acquired company

Table of Contents:

  1. General succession of rights and obligations
  2. Acquisition of a company that breached GDPR
  3. Is the acquiring company liable for breaches of the acquired company?
  4. Is a GDPR breach an administrative offense?
  5. Conduct a GDPR audit before acquiring a company

General succession of rights and obligations

When two companies merge to form a new company, or when one company acquires another, the Commercial Companies Code (hereinafter referred to as “CCC”) formulates the principle of general succession of rights and obligations. According to Article 494 § 1 of the CCC, the newly formed company or the acquiring company succeeds to the rights and obligations of the merging companies or the acquired company. This generally applies to permits, concessions, or exemptions.

Acquisition of a company that breached GDPR

It cannot be excluded that in business practice, we may encounter situations where the merging or acquired company did not properly fulfill its obligations under the regulations. If a merger with such an entity is considered through the formation of a new company or the acquisition of such an entity, will the acquirer (or the new company) be liable for this situation? Penalties for breaches of regulations, especially GDPR, are high, so the answer to this question may influence the decision to enter into the acquisition or merger process.

Is the acquiring company liable for breaches of the acquired company?

The answer to this question was the subject of the Supreme Court’s judgment of September 19, 2019, ref. I NSK 78/18. In this case, the acquiring company was fined for an offense committed by the acquired company prior to the acquisition. The penalized company disagreed with the decision and appealed.

During the case, it was argued that as a rule, an administrative authority cannot impose a fine on an entity that did not commit the administrative offense, and for a third party to be held responsible for an act committed by the perpetrator, there must be a clear legal basis. According to the appealing company and the first-instance court, Article 494 § 1 and 2 of the CCC do not provide such a basis because this provision deals with the succession of “rights and obligations,” not with the liability for committed offenses.

This view was not shared by the second-instance court, which pointed out that Article 494 of the CCC provides a general regulation concerning the succession of both rights and obligations, including administrative decisions and liability for administrative offenses.

Ultimately, the Supreme Court upheld the second-instance court’s position, stating that under Article 494 § 1 and 2 of the CCC, succession of administrative liability for an administrative offense committed by the acquired company is permissible. This provision addresses succession not only of rights and obligations but also of liability for administrative offenses.

Czy spółka przejmująca odpowiada za naruszenia spółki przejmowanej?

Is a GDPR breach an administrative offense?

An administrative offense is a violation of administrative law punishable by an administrative fine. GDPR provides for the imposition of an administrative fine on the administrator in the amount of 2% of the worldwide annual turnover of the company or €10 million. Therefore, a breach of GDPR constitutes an administrative offense. In the context of data protection regulations, the judgment of the Voivodeship Administrative Court of June 21, 2023, ref. II SA/Wa 150/23, is significant, as it ruled that the acquiring Administrator is liable for the acquired entity’s prior actions.

Conduct a GDPR audit before acquiring a company

In conclusion, the acquiring company or newly formed entity bears responsibility for breaches of GDPR committed by the acquired company or companies subject to merger. This necessitates including compliance with data processing laws in the due diligence audit conducted during the decision-making stage of a merger to avoid not only merging with a company but also its penalty for breaching regulations.