In the M&A context, a target company's exposure to GDPR and the cost and status of its GDPR compliance project are relevant mainly for the following reasons: First, they matter in terms of current and foreseeable future (non-)compliance. Is there a GDPR compliance project? If not, has there been a thorough and reliable legal assessment that GDPR is not relevant for the target company? Does this fit with the target's business model as communicated by the seller? If there is a project, is the underlying analysis correct and its scope sufficient? Is it on track, and is implementation so advanced that compliance can be ensured by next May? If not, what are the likely consequences? Secondly, these issues matter for the valuation of the target business. What was budgeted for the GDPR compliance project, what has already been spent, and how does that compare to the project status? Is the current budget sufficient? How much are the recurrent costs for ongoing compliance, and have they been built into the valuation model?
Key take-aways for buyers: If the Swiss target company does business with the EU, it is very likely that it has to comply with GDPR. Consequently, a buyer should make its own assessment in terms of the necessity as well as the possible one-time and recurring cost of GDPR compliance, and build those numbers into the valuation of the target company. Furthermore, a buyer should seek appropriate specific representations and warranties from the seller as to the appropriate design and current status of the GDPR compliance project. Last but not least, as under Swiss law representations and warranties can only cover the past and the present but not the future, a buyer will want to also seek an adequate guaranty/indemnity that the target company's current GDPR compliance project will ensure compliance once GDPR enters into force.