Because of the rigorous “piercing the corporate veil” standard in the U.S. and the E.U., private equity sponsors have been protected, absent extreme examples, from liability for actions by their portfolio companies. There is a lower bar, however, for parents to be fined for their subsidiaries’ breaches of E.U. competition law and the GDPR. While, the scope of this potential risk has been unknown, the European Court of Justice (ECJ) recently ruled on this issue and found that parent companies can also be subject to direct civil claims for damages caused by E.U. antitrust violations. This is a salient risk because the GDPR shares the same parental liability formulation. This article summarizes the background to the ECJ case and examines the court’s analysis. See our three-part series on GDPR essentials for the financial sector: “Benchmarking and Assessing the Risks” (Jul. 11, 2018); “Compliance Steps” (Jul. 18, 2018); and “Staying Compliant and Special Challenges” (Jul. 25, 2018).