Navigating GDPR challenges in M&A transactions: Practical insights from the Italian legal framework
Abstract
Mergers and acquisitions (M&A) involving business unit transfers present significant data protection challenges, requiring compliance with the General Data Protection Regulation (GDPR) and national laws. This paper examines the practical obligations of data controllers transferring business units in Italy, considering the Italian Civil Code and GDPR requirements. The paper provides a structured approach to ensuring compliance in business transfers, covering key obligations such as data minimisation, privacy notice requirements, legal basis identification, legitimate interest assessments, data processing agreements (DPAs) and security measures for data transfers. The analysis integrates key decisions from the Italian Data Protection Authority along with practical business cases from the banking sector, offering insights into regulatory expectations and enforcement trends. By bridging legal principles with practical implementation, this paper serves as a strategic guide for businesses, legal professionals and policy makers navigating data protection in M&A transactions. The paper concludes with recommendations for best practices in handling personal data during corporate restructuring and acquisitions, ensuring compliance while mitigating legal and operational risks. This article is also included in The Business & Management Collection, which can be accessed at https://hstalks.com/business/.
Author's Biography
Tommaso Zeccherini is a qualified Italian lawyer specialising in privacy, data protection, new technology law and contract law. He is a qualified AI Management System Lead Auditor (ISO/IEC 42001:2023) and Information Security Management System Lead Auditor (ISO/IEC 27001:2022). With over seven years’ experience in privacy and data protection, Tommaso provides strategic counsel to clients, leveraging his deep expertise in this field. Tommaso advises a diverse portfolio of clients across multiple sectors, including banking, logistics, wealth management, automation and energy management. He has strengthened his knowledge in data protection through diverse experiences, including working in the public sector, where he collaborated with a university research centre and supported an Italian municipality in adopting the General Data Protection Regulation (GDPR) requirements, and in the private sector with an Italian software development company. Previously, Tommaso spent a research period at the University of Pittsburgh School of Law, USA, for his Master’s thesis on ICT law and completed a year (Erasmus programme) at the University of Antwerp (Belgium), Faculty of Law, focusing on EU law.