Due Diligence

M&A Due Diligence at the Individual Level: What Legal Needs to Review

April 24, 2026

M&A Due Diligence at the People Level: What Legal Needs to Review

In M&A transactions, there is a quiet division of labor: legal counsel reviews contract structures, the financial DD boutique works through quality-of-earnings reports, and commercial DD validates the business case. These three disciplines are mature in process terms, methodically documented, and covered from an insurance perspective. People-level DD, by contrast, remains a side note in many transactions: a LinkedIn check on the CEO, a Google search on the CFO, a polite phone call to the former investor. This gap is why buyers regularly discover after closing that they acquired risks that were documented in no data room: ongoing shareholder claims against the CTO from an earlier venture, adverse media coverage in the regional press about the key salesperson, undisclosed ownership stakes of the target CEO in a direct competitor.

For M&A legal counsel and PE buy-side DD teams, the question is therefore clear: How can people-level DD be brought up to the same methodological standard as legal, financial, and commercial DD — cleanly from a legal perspective, role-based, timeline-compliant, and capable of escalation when it matters?

Why people-level DD is the weakest link in the standard process

Virtual data rooms structurally contain only what the seller uploads: employment contracts for the C-level team, an organization chart, proof of D&O insurance, occasionally a brief CV. What the VDR typically does not contain is the risk area beyond employment: prior board mandates with an insolvency background, civil disputes, regulatory sanctions in other jurisdictions, UBO interests in vehicles that are not visible in the target holding structure, press coverage with reputational relevance.

Three structural reasons explain the gap. First: people-level DD is more legally sensitive — data protection, anti-discrimination rules, and labor law slow buyers down before the research has even begun. Second: there is no established industry standard comparable to a QoE report. Third: the cost of omitting it only becomes visible post-closing, when representation-and-warranty carriers ask questions or the retention plan for key sales collides with a non-compete lawsuit from a former employer.

What is reviewed in a proper people-DD process

A robust people-DD review is not an arbitrary dossier search, but a role-based matrix. Each critical role in the target has a different risk vector and therefore a different review scope. The following matrix has become the minimum standard in mid-sized to large private equity and corporate M&A transactions:

| Role | Primary risk vector | Minimum review scope |
| --- | --- | --- |
| Target-CEO | Reputation, litigation, and undisclosed ownership-stake risk | Trade register history across all jurisdictions, adverse media in multiple languages, civil litigation registers, UBO registers, PEP/sanctions screening |
| Target-CFO | Professional, tax, and accounting integrity | Auditor or tax adviser chamber register checks, insolvency registers, disciplinary actions, prior interests in companies with payment issues |
| Target-CTO | Third-party IP claims, non-compete obligations from prior employment | Patent searches, IP and labor litigation, project history with non-compete clashes, open-source compliance history |
| Key Sales | Customer churn risk, non-competes, kickback history | Civil court customer disputes, departure agreements from prior employment, media reports on sales practices |
| Key Engineering | Code ownership conflicts, open-source license risks, export controls for dual-use | Litigation over code IP, sanctions lists for developers with dual-use touchpoints, academic publication history in research collaborations |

Three review areas regularly fail standard checklists in practice. First: shareholder litigation from earlier ventures. A target CEO against whom an old shareholder lawsuit is still pending from a prior exit not only carries personal liability risk, but also a reputational risk that becomes active when the closing is announced. Second: adverse media in local and regional press. International databases reliably index supra-regional coverage, but local business newspapers and niche media only patchily. Third: undisclosed beneficial ownership in competing or supplier-linked structures. A 12 percent interest of the CFO in a supplier to the target is not a criminal offense, but it clearly shifts the commercial DD assessment.

What applies in Switzerland, Austria, and across the EU?

People-level DD is highly regulated from a data protection perspective. The permissible depth of review varies by jurisdiction. The key point is that the buyer must document the legal basis cleanly before the research begins — not afterward.

EU-wide: Art. 6(1)(f) GDPR as the basis

The collection of personal data in an M&A context is usually based on Art. 6(1)(f) GDPR: the legitimate interest of the buyer in making a proper risk assessment of the transaction. The balancing test against the interests of the screened individual works when three conditions are met: a limited set of people (only roles that are significant for the transaction), a limited data scope (not “everything you can find”), and a limited retention period (deletion after completion of the transaction or after the end of the R&W period). Where special rules apply — in particular when collecting special categories under Art. 9 GDPR, such as health data or trade union membership — this basis does not apply.

Also to note: the German AGG sets limits on how the findings may be used. Even if a data point was lawfully collected, it may not be used for a subsequent discriminatory decision. DD protocols therefore need to document not only the legal basis, but also the evaluation logic, so they can withstand later labor-law disputes.

Switzerland: Revised FADP and legitimate interest

In Switzerland, the revised FADP has applied since September 2023. The legal basis for people-level DD rests on Art. 31(2) FADP (overriding interests of the controller). The threshold is generally more buyer-friendly than under the GDPR, because Swiss law traditionally attaches significant weight to the buyer’s legitimate interest in an acquisition. Particularly sensitive: data from criminal records are subject to additional restrictions under the Swiss Criminal Records Act (StReG). Blanket access by buyers is not possible; as a rule, only a criminal-record extract requested by the person concerned themselves may be submitted.

Austria: DSG 2018 and relevance under the GewO

In Austria, the GDPR and the national DSG 2018 apply in parallel. The case law of the Data Protection Authority tends to be stricter than in Germany. Particularly relevant: for targets with business licenses (GewO), the buyer must additionally check whether the managing director continues to meet the personal reliability requirement under Section 87 GewO after closing. Doubts about reliability can jeopardize the business license — a structural deal risk that standard financial DD reports do not capture.

Cross-border: CH target, DE buyer, and vice versa

In cross-border setups, a double regulatory framework arises. A German buyer reviewing a Swiss target company must observe both GDPR (for processing in Germany) and the FADP (for collection in Switzerland). The usual solution: conclude a data processing agreement between the buyer and the DD service provider plus standard contractual clauses for data transfers. Switzerland has an adequacy decision from the European Commission, which makes transfers from Switzerland to the EU easier.

Post-closing implications: R&W insurance and escrow

The quality of people-level DD directly affects the structure of the Representation & Warranty Insurance. Insurance underwriters increasingly require explicit confirmation that key-person screenings were carried out. If they are missing, exclusions arise: losses from litigation against key persons that would have been discoverable in cleaner DD are excluded from coverage. As a result, either the R&W escrow amount increases — often to 0.5 to 1 percent of deal value — or the premium becomes noticeably more expensive. On an 80 million euro deal, moving escrow from 0.5 to 1 percent already ties up an additional 400,000 euro of equity capital.

At the same time, retention packages for key persons are typically structured with milestone vesting over 24 to 36 months. If people-level DD uncovers issues after closing that would justify immediate termination, the vesting structure offers better protection than a damages claim. Condition: the issue must not already have been known at the time of the signing decision.

DD workflow template: 30-day timeline by role

A robust people-DD setup can be mapped in three phases. The timeline is based on a typical mid-market process with six to eight weeks between signing and closing.

  1. Day 1 to 3 — screening setup: define the role matrix, document the legal basis, conclude data processing agreements with the DD service provider, disclose the scope to the seller (unless strategically contraindicated).

  2. Day 4 to 10 — automated initial screen: parallel review of all key roles for PEP, sanctions, adverse media, trade register, insolvency register, civil litigation register. Typical turnaround time with automated platforms: 72 hours.

  3. Day 11 to 20 — manual deep dive for findings: every finding from the initial screen is verified by an experienced analyst. Documentation with sources, date, and significance assessment. Coordination with lead counsel for classification.

  4. Day 21 to 25 — escalation and decision memo: structured decision matrix for the deal lead: Which findings are merely informative, which are price-relevant, and which are potentially deal-breaking? Obtain written statements from screened persons on material findings.

  5. Day 26 to 30 — documentation for R&W carriers: complete DD documentation to support the R&W insurance, inclusion in the disclosure schedules, coordination with the SPA warranty catalogue.

Escalation patterns for findings

Not every finding is a deal-breaker, but every finding needs a documented escalation path. Three levels have proven effective:

  • Level 1 — Informational: historical facts with no ongoing legal consequences, publicly known incidents with no relevance to integrity or compliance. Documentation in the DD report, no further action.

  • Level 2 — Price-relevant: ongoing civil proceedings with limited liability exposure, historical regulatory measures with potential repeat risk, reputational risks with limited reach. Action: price adjustment or a specific warranty in the SPA, possibly an expanded retention escrow.

  • Level 3 — Deal-breaker candidate: ongoing criminal proceedings, sanctions-list hits, systematic reputational damage, UBO conflicts with competitors or suppliers. Decision by lead counsel together with the deal lead and, if needed, the investment committee. Minimum documentation: written opinion on the overall risk.

What matters is the separation between finding and assessment. The DD service provider delivers the finding and the source; legal classification belongs to lead counsel, strategic assessment to the deal lead. These roles should not be mixed, for reasons of both liability and governance.

Why platform solutions are changing the process

The decisive bottleneck of classic people-level DD has been runtime. An experienced analyst typically spends two to four working days per role and jurisdiction before a reliable dossier is available. With six key roles in two jurisdictions, that adds up to three to four weeks, often longer than the exclusive DD phase itself. Background-check platforms such as Indicium change this arithmetic through parallelized screening: a simultaneous screen of all key roles against all relevant sources (UBO registers, PEP lists, sanctions lists, adverse media, insolvency and civil litigation registers) delivers the initial picture within 72 hours. Manual deep dives occur only where there are findings, not as a blanket exercise.

For M&A counsel, that means concretely: people-DD can be integrated into the same three-week timeline that also covers financial and commercial DD — without extending the process or blocking other workstreams. The documentation is structured in compliance with GDPR and FADP, the source references are audit-ready, and they meet the requirements of R&W carriers.

For any transaction in which key persons are a central value driver — and that is the case in practically every mid-market and lower-large-cap transaction — systematic people-DD therefore belongs at the same process level as legal, financial, and commercial DD. Not as an optional extra, but as an integrated mandatory step.

If you want to structurally secure the people-DD in your next transaction, talk to us. Book a demo and we will show you how the matrix can be implemented in your specific deal setup.

Nabil El Berr



Hünenberg (Switzerland) · Hamburg (Germany)

© 2026 Indicium Technologies AG.

All rights reserved.
