Legal Practice Notes

The impact of the EU GDPR on M& A transactions Overview of legislation and key M& A considerations The EU’s General Data Protection Regulation, Regulation ( EU) 2016/679 ( EU GDPR), took direct effect and became fully enforceable across all EU Member States on 25 May 2018. It delivered significant changes to EU data protection law and superseded Directive 95/46/ EC (the Data Protection Directive). The EU GDPR regulates the processing of personal data, confers rights on data subjects whose information is handled, and imposes obligations on controllers and processors alike. It is a complex, principle‑driven regime. Seven core data protection principles underpin the EU GDPR, set out in Article 5, and controllers dealing with personal data must adhere to them. See Practice Note: EU GDPR—data protection principles. Personal data and technology are now central to most organisations, as the majority handle information relating to...

ARCHIVED: This archived timeline outlines the principal legislative milestones within the data protection reform package. It is supplied for background purposes only and is not maintained. This timeline contains information relating to: the General Data Protection Regulation, Regulation ( EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/ EC ( GDPR) the Data Protection Law Enforcement Directive, Directive ( EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free...

In brief Data protection laws across the EEA (the EU plus Iceland, Norway, and Liechtenstein) aim to ensure information about living individuals—within the scope of ‘personal data’—is handled fairly and responsibly. To achieve this, EEA data protection laws place numerous duties on those ‘processing’ personal data and on those controlling such activity. ‘ Processing’ is interpreted broadly and covers most actions involving data, including collecting, storing, deleting, disclosing, or using it. A key safeguard under these laws is the suite of obligations placed on ‘controllers’—generally those deciding the purposes and means of processing—and ‘processors’, who act on a controller’s instructions to process personal data on its behalf. Among other things, EEA data protection laws usually require controllers and processors to enter into contracts with certain minimum terms and to ensure any processor they engage is suitable. In a cloud computing set-up, the end...

FORTHCOMING CHANGE: This Practice Note sets out the law as it currently stands; nonetheless, be aware that parts will be affected by the Digital Omnibus proposals issued on 19 November 2025, aligned with the European Commission’s ‘simplification’ programme, in due course and beyond. For further details, see Practice Note: EU Digital Omnibus—tracker. This Practice Note outlines EU data protection rules as they relate to the use of artificial intelligence ( AI). It concentrates on guidance produced within the EU and does not cover the various strategies and policies in the UK. For more on UK policies, see Practice Note: Artificial intelligence—data protection. This Practice Note does not address Regulation ( EU) 2024/1689, the EU Artificial Intelligence Act ( EU AI Act) in detail. For more on that act, see Practice Notes: The EU AI Act, EU artificial...

This Practice Note serves to monitor the progress of adequacy decisions for cross-border/international transfers of personal data under the EU’s General Data Protection Regulation, Regulation ( EU) 2016/679 (the EU GDPR). It brings together pertinent opinions, reports and guidance from EU institutions on the standing of both new and established decisions. For an all-round primer on the EU GDPR, assembling essential practical guidance, see: UK data protection law collection. Background While the EU GDPR repeatedly refers to the ‘ Union’, page one confirms it is a text ‘with EEA relevance’, so its provisions are intended to apply to every EEA state, not solely EU members. As the EU GDPR has been folded into the EEA Agreement and now applies, references to EU Member States will typically be understood to cover EEA members as well. For details on that...

CASE HUB (appeals filed before the General Court in Cases T-404/12 ( Toshiba) and T-409/12 ( Mitsubishi)—see Cases T-404/12 Toshiba v Commission and T-409/12 Mitsubishi Electric v Commission) ARCHIVED —this case hub shows the status as at the 27 June 2012 decision and is no longer updated. Outline European Commission Article 101 TFEU inquiry into a price-fixing cartel concerning gas insulated switchgear ( COMP/39.966) Latest developments On 27 June 2012, the Commission issued a new decision. The penalties for Mitsubishi and Toshiba were reworked as follows: Mitsubishi, solely responsible—€74.871m; Toshiba, solely responsible—€56.793m; Both also jointly responsible for €4.65m for infringement by their JV ( TM T& D). Parties Mitsubishi and Toshiba......

ARCHIVED: This Practice Note is archived and is not being actively maintained any longer. Thin capitalisation and transfer pricing closely overlap yet are nonetheless distinct concepts in practice. Some regard thin capitalisation rules as a specific manifestation of wider transfer pricing rules in effect. EU law is relevant to thin capitalisation and transfer pricing as such because, while direct taxation falls wholly outside the EU’s competence, national measures must still observe the general principles of EU law and the treaty then in legal force (currently the Treaty of the Functioning of the European Union) (the Treaty). The principal Treaty provisions pertinent to thin capitalisation and transfer pricing are those addressing non-discrimination in relation to the fundamental freedoms. Potentially applicable freedoms are: freedom of establishment free movement of capital, and free movements of goods and services What are transfer pricing and thin...

ARCHIVED — this archived case hub records the position as at the decision date of 24 September 2024; it is no longer maintained CASE HUB See further, timeline. Case facts Outline European Commission FSR investigation into the planned acquisition by Emirates Telecommunications Group Company PJSC of PPF Telecom Group (excluding its Czech business) ( FS.100011). The deal features a horizontal overlap in the market for telecommunication services. Latest developments On 24 September 2024, the Commission granted conditional approval, subject to commitments. The Commission accepted a set of behavioural remedies: Removal of the United Arab Emirates’ unlimited state guarantee; Emirates Telecommunications Group Company PJSC is prohibited from providing any financing (debt or equity) to PPF Telecom Group BV where this in any way relates to PPF Telecom Group BV’s activities in the EU (with certain limited exceptions for non‑ EU activities and ‘emergency funding’), and transactions outside this perimeter must be on market...

This Practice Note considers when a host Member State may limit admission and residence rights of EU citizens and their family members. Non-exercise of treaty rights EU nationals and their relatives can be refused entry or expelled on grounds other than public policy or security; however, any such action is constrained by significant limits set out in the next sub‑section on measures based on public policy, security and health. Where a restriction on residence/entry is pursued for reasons unrelated to public policy, security or health, the Court of Justice has determined that Article 15 of Directive 2004/38/ EC (the Citizens’ Directive), headed ‘ Procedural guarantees’, provides in paragraph 1 that the procedures in Articles 30 and 31 of the Directive apply by analogy to all decisions curbing the free movement of EU citizens and their family members on grounds other than public policy, public security or public...

EU nationals who are in paid employment, carrying on self-employed work, and, in some cases, seeking work, are entitled under EU law to remain in the host Member State for longer than three months. This Practice Note explores EU citizens’ residence rights after the first three months when they rely on status as workers, self-employed individuals and jobseekers. Throughout this Practice Note, the expression ‘ EU citizens’ denotes nationals of EU Member States. Individuals from the European Economic Area ( Norway, Iceland and Lichtenstein and the other 27 EU Member States) equally derive rights from EU free movement law, under Directive 2004/38/ EC, the Citizens’ Directive. Therefore, references in this Practice Note to EU citizens should be understood to include EEA nationals. Workers What activities constitute employed work? Neither Article 45 of the Treaty on the Functioning of the European Union ( TFEU), the...

What are mobile payments? ‘ Mobile payments’ can signify different things to different people, depending on who is asked and the context. Put simply, it enables a customer to use a mobile device to pay an individual or a business. The European Commission ( Commission) describes a mobile payment in its Green Paper ‘ Towards an integrated European market for card, internet and mobile payments’ as payments where the payment data and the instruction are started, sent or confirmed using a mobile phone or device, and this may relate to online or offline purchases of services, or of digital or physical goods. For more on the Commission’s Green Paper, see UK regulation of mobile payments below for further detail. As a sector, mobile payments is growing swiftly following the arrival of Apple Pay, Google’s ‘ Android Pay’ and Samsung’s ‘ Samsung Pay’. The retail...

On 12 January 2023, Council Regulation ( EU) 2022/2560 of 14 December 2022 on foreign subsidies that distort the internal market (the FSR) came into effect. On 10 July 2023, the European Commission ( Commission) adopted Council Regulation ( EU) 2023/1441, the Implementing Regulation, which lays down detailed arrangements for how the Commission conducts proceedings under Regulation ( EU) 2022/2560 of the European Parliament and of the Council on foreign subsidies distorting the internal market, setting out procedural rules for putting the FSR into practice. The FSR establishes a new framework to tackle distortions of competition within the EU internal market arising from foreign subsidies. It introduces mandatory notification and clearance obligations for takeovers of significant EU businesses and for sizeable EU public procurement, and grants the Commission wide-ranging powers to open ex officio inquiries. The notification obligations have applied since 12 October...

On 12 January 2023, Council Regulation ( EU) 2022/2560 of 14 December 2022 on foreign subsidies distorting the internal market ( FSR) took effect. On 10 July 2023, the European Commission adopted Council Regulation ( EU) 2023/1441 of 10 July 2023 on detailed arrangements for the conduct of proceedings by the Commission pursuant to Regulation ( EU) 2022/2560 of the European Parliament and the Council on foreign subsidies distorting the internal market ( Implementing Regulation), which sets out the procedural rules for putting the FSR into practice. The FSR establishes a new system designed to address distortions to competition in the EU internal market stemming from foreign subsidies. It introduces compulsory notification and clearance duties for substantial EU public tenders and for takeovers of significant EU businesses, and grants the Commission broad powers to commence ex officio inquiries. The...

This Practice Note offers a concise primer on EU food law. It outlines core definitions, overarching principles, principal obligations and enforcement, with citations to the pertinent provisions of EU legislation. It succinctly summarises key requirements and enforcement arrangements in context. References are made throughout to the applicable provisions of EU legislation. The focus of this Practice Note is EU food law. It does not examine UK food law. The scope is intentionally confined to EU food law alone. Key EU food legislation After several food crises in the late 1990s, the Commission recognised the necessity for a legislative framework establishing general principles and requirements for food law. In 2000, responding to the growing complexity of the food supply chain, the Commission set out an integrated, end‑to‑end food safety approach in its White Paper on Food Safety. In 2002, stemming from that White Paper,...

Scope of this Practice Note This Practice Note offers guidance on the European Supervisory Authorities ( ESAs): European Securities and Markets Authority ( ESMA) European Banking Authority ( EBA) European Insurance and Occupational Pensions Authority ( EIOPA) Among other matters, it explains their roles and general powers to prepare draft technical standards, and to issue opinions, guidance and recommendations to national supervisors within the EU. Together with the European Systemic Risk Board ( ESRB) and the national competent authorities ( NCAs) of EU Member States, the ESAs form the European System of Financial Supervision ( ESFS). The ESAs collaborate with the ESRB to safeguard financial stability and to strengthen and enhance the EU supervisory framework, aiming to improve co-ordination among national supervisory bodies and to raise the quality of national supervision across the EU. The ESAs also issue guidance and...

Purpose of this Practice Note This Practice Note offers a primer on EU financial services law by way of: concise guidance links within the Practice Note to sources predominantly hosted on the EU’s website, and commentary and analysis delivered by the EU law module Most links point to introductory resources, though they can often be pursued for more advanced discussion, if required. Some readers may prefer to consult our An introduction to EU law before exploring EU financial services law... Introduction The EU consists of 27 European countries which, at least in principle, operate as a single market. That market has been widened to the European Economic Area ( EEA) with three additional European countries. The single market features a highly developed financial services industry, overseen by a regulatory framework that EU institutions consider a benchmark for the rest of the world. The EU’s...

This Practice Note summarises the principal European Union financial sanctions relevant to financial services providers. It covers EU sanctions—most notably asset-freeze measures—and the intersecting elements of the EU anti-money laundering and countering the financing of terrorism ( AML/ CTF) framework. For practical guidance on the EU AML/ CTF framework for financial services, see: Financial crime and sanctions ( EU Law)—overview. For UK-focused guidance, see: Sanctions compliance—overview and Anti-money laundering and counter-terrorist financing ( AML/ CTF)—overview. Key points EU financial services firms must comply with a broad and increasingly complex range of sanctions. Given their risk exposure, they are expected to maintain robust sanctions compliance controls and procedures, and to meet any compliance standards set by their national regulators. EU sanctions apply across the EU, but each Member State and its financial services regulators may issue their own guidance, compliance best...

Background Financial conglomerates are sizeable groups active across more than one financial arena (banking, investment and/or insurance). Typically, they have intricate structures, operate internationally and across borders, and the broader group may include entities that are unregulated from a financial legislation perspective, as well as firms outside financial services. Within the EU, bancassurance has long been a key operating approach for such groups. Bancassurers unite banking and insurance businesses, enabling a complete suite of financial offerings via a one‑stop shopping model—from conventional banking, through mutual funds, to insurance products. For insurers, bancassurance opens fresh distribution routes with a dependable client base; for banks, it broadens the product mix and lifts profitability by selling more through the same infrastructure already in place, thereby lowering fixed and overhead operating costs (economies of scale). One‑stop shopping in a bancassurance group gives customers access to a wide array of...

1. What is the applicable legislation? The applicable legislation is Regulation ( EU) 2019/452 of the European Parliament and of the Council of 19 March 2019 (the Regulation), which establishes a framework for the screening of foreign direct investments ( FDI) into the Union. The Regulation was published on 21 March 2019 and entered into force on 10 April 2019, while its provisions became fully applicable from 11 October 2020, following an 18‑month transition period. As a preliminary note, the instrument does not create a fully‑fledged new EU‑level foreign investment control regime, nor does it replace national rules already in place. Instead, it sets up a framework to complement domestic systems for screening FDI into the EU, and encompasses: a mechanism for cooperation and the exchange of information between EU Member States, as well as between authorities and the European...

This Practice Note outlines, in brief, the European Venture Capital Funds Regulation ( EU) 345/2013 (the Eu VECA Regulation), as subsequently updated by Regulation ( EU) 2017/1991, Regulation ( EU) 2019/1156 and Regulation ( EU) 2023/2869. The Eu VECA Regulation constitutes a specialist alternative investment fund ( AIF) regime available to alternative investment fund managers ( AIFMs) under the Alternative Investment Fund Managers Directive (2011/61/ EU) ( AIFMD). AIFMs running qualifying venture capital funds may opt to apply the ‘ Eu VECA’ label to those funds, enabling marketing to professional and certain high net-worth investors right across the EU via the Eu VECA marketing passport itself. The Eu VECA regulatory framework The Eu VECA Regulation was brought alongside Regulation ( EU) 346/2013 on European social entrepreneurship funds (the Eu SEF Regulation). The Eu SEF Regulation, as amended, falls outside the scope of this Practice Note, but is...