Certain statutory concepts make it prohibitively difficult for E.U. parent entities to completely avoid liability for their subsidiaries’ violations of the E.U. competition law, and now, for their violations of the GDPR. This liability can not only harm the value of a parent’s investments, but it can also expose it to tens of millions of Euros in fines from E.U. regulators and civil lawsuits. The prudent move, therefore, is for parent companies to endeavor to mitigate this potential liability throughout the investment process. This final article in a three-part series prescribes measures parent companies can take to reduce potential liability in the E.U. from data protection violations by their subsidiaries during and after the acquisition process. The first article
described how the statutory “undertaking” concept extends liability to parent entities, as well as the potential reputational risks, fines and civil damages they can face for violations. The second article
analyzed the rebuttable presumption by the E.U. Commission and courts that a parent exercises decisive influence over its subsidiary’s actions, difficulties in refuting it and four common misconceptions about how parents can avoid that risk. See “Essential M&A Cybersecurity Due Diligence Questions
” (Mar. 13, 2019).