
    The ICO v Marriott International: The importance of due diligence in mergers


    David Edwards, head of the Harrison Drury regulatory team, discusses the key due diligence steps required under the GDPR framework, highlighted by the recent ICO investigation of Marriott International and its merger with Starwood.

    The Information Commissioner’s Office (ICO) has signalled its intention to fine Marriott International £99.2m for GDPR breaches following their merger with US hotel and leisure company, Starwood.

    The importance of GDPR

    GDPR is still a largely misunderstood area of regulation but, in the face of the ICO’s new powers, organisations are starting to realise the extent of their obligations and legal responsibility for the personal data they handle and use.

    In this case, the personal data breach wasn’t strictly due to Marriott International’s handling of data. It related to the past data practices and policies of Starwood, and to Marriott’s failure to carry out the necessary due diligence checks prior to the merger.

    What happened?

    In 2018, Marriott International merged with the US hotel and leisure company, Starwood, and therefore took responsibility for the organisation’s personal data obligations and responsibilities as a data controller and data processor.

    From 2014-2018, Starwood suffered a data breach, resulting in the exposure of personal details of 339 million guests.

    Crucially, this included guest records for 30 million Europeans. This brought the investigation of Starwood / Marriott International’s personal data practices, and the enforcement of GDPR obligations, within the ICO’s remit.

    What has the ICO said about the breach?

    The ICO stated that a £99.2m fine could be imposed due to Marriott’s failure, prior to its merger with Starwood, to properly review Starwood’s data practices, and that it should have done more to secure its systems.

    Elizabeth Denham, Information Commissioner, stated organisations must be accountable for the personal data they hold: “This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”

    Therefore, despite this being a concern with the seller’s policies, the responsibility lies with the buyer, Marriott International, because they failed to carry out proper due diligence in relation to data practices.

    What due diligence is required when organisations merge?

    When merging with another company, solicitors on both sides often carry out various due diligence checks.

    For example, where businesses process a high volume of data or “special category data”, GDPR checks (similar to a data gap analysis) should be carried out. These can highlight potential issues with a merger and whether there have been, or are likely to be, any complaints or investigations into personal data practices.

    Additionally, the buyer and seller must be transparent with one another about their use of personal data and the lawful basis for processing the data. The privacy notice each organisation employs is a useful foundation, but further technical and organisational measures will need to be assessed, and possibly remediated, in order to keep the data safe.

    What can organisations learn?

    In summary, reasonable steps must be taken by an organisation, and those at a senior management level, to avoid committing an offence.

    When merging, or acquiring another business, please bear in mind the fact that complaints and investigations will pass from seller to buyer.

    Harrison Drury can assist in GDPR considerations over business mergers and acquisitions. For more information, please contact David Edwards on 01772 258321.
