14.06.2019 | KPMG Law Insights

Compliance in Corporate Venture Capital Transactions

Compliance in Corporate Venture Capital Transactions

Investing in a startup offers many benefits for a corporate investor, but it can also lead to buying into compliance risks. Compliance due diligence can greatly mitigate this risk if a few key points are considered.

When an established company takes a stake in a start-up, worlds collide in many respects. Not only in terms of corporate culture, hierarchies and creativity – the two partners also tend to differ fundamentally when it comes to compliance. The risk appetite typical of start-ups and their rapid growth mean that resources are primarily invested in technical and commercial development. Internal control systems as well as legal and tax advice are usually only pushed as far as absolutely necessary. In addition, compliance is often more difficult to implement in startups than in other companies, because startups operate in a more decentralized manner than other companies. The buzzword is enterprise agility. From an entrepreneurial point of view, this is understandable, but for the corporate investor it carries a risk, because compliance violations can have a Group-wide impact and damage the image.

A corporate investor should therefore ask himself two questions before investing in a start-up or even acquiring it completely: Am I buying into compliance risks and/or violations with my investment? And how can I ensure compliance in the target company for the future? Here, technology-based start-ups will regularly be particularly concerned with the areas of data protection and intellectual property.

Compliance due diligence and contractual risk allocation

Compliance due diligence often covers topics such as anti-corruption, antitrust and money laundering. Depending on the target company’s business model, other areas may be added, such as foreign trade law, product safety, data protection and industrial property rights. In addition, so-called risk-increasing environmental factors should also be surveyed and taken into account, such as the geographical classification of the business activity in comparison with the corruption perception index, the degree of regulation of the business model, the share of public contracts in the total business volume or the existence of cash transactions.

The results of the due diligence must be incorporated into the contracts governing the investment or acquisition. In particular, guarantees from the founders or sellers that protect the investor from unidentified risks, as well as indemnifications that relieve the investor from already known risks, come into question. Conduct obligations ensure that no changes detrimental to the investor are initiated between the signing of the agreement and its execution. And finally, execution conditions obligate the parties to bring about a predefined state and in this way make the company capable of being taken over or invested in.

Compliance management in start-ups

The implementation of a compliance system in a start-up follows different rules than in traditional companies. Under the rules of enterprise agility, startups typically organize themselves through value chains. The compliance organization must also understand these characteristics if it is not to paralyze the company. The necessary compliance structure is best described as “compliance agility.” There are three main issues at stake here:

The company needs a compliance culture, because compliance is first and foremost an attitude, especially in decentralized structures where little central control is exercised and documented. In addition, there is a governance and organizational structure that follows the principle of subsidiarity and clearly and unambiguously regulates horizontal and vertical delegation. Finally, decentralized compliance should be supported by legal tech applications, such as IT-based contract management. Here, outsourcing certain compliance tasks can also relieve the burden and provide additional legal certainty, for example a whistleblower system or business partner audits as managed services.

For a start-up seeking investment by a corporate investor, this results in the need to align its compliance organization to withstand compliance due diligence. In addition, both investor and start-up should align their compliance in such a flexible way that a later integration does not endanger the agility and innovative strength of the start-up.


For many startups in the digital economy, handling personal data is part of the core area of their business model, so they have to take into account the GDPR that came into force in 2018. Art. 6 par. 1 GDPR establishes the principle of prohibition with reservation of permission – therefore, a corresponding legal basis must exist for any processing of personal data. In addition, there are further principles of data processing as well as documentation and accountability obligations. In digital business models, almost every step from the selection of business partners to market cultivation and customer contact must be thought through in advance in terms of data protection. In individual cases, a full data protection impact assessment may be required.

The requirements for organization and documentation run rather counter to the decentralized structure of a start-up. So if you don’t want to set up a central office that checks all data processing operations and decides whether to approve them, the answer can only be delegation of tasks – with compliance being performed and the responsibility borne by different people. The basis for this must be the transfer of know-how through training and documentation and the use of IT tools or external service providers.

Intellectual property rights

In many start-ups, intellectual property plays a key role, i.e. technical property rights, trademarks, designs, copyrights or trade secrets. They often make up the majority of business assets. From a compliance perspective, two issues can come into play here. On the one hand, the start-up may infringe the rights of third parties. This risk exists in particular for technology-based companies, which is why a higher standard of due diligence must be applied here. Here, too, internal training should raise the necessary awareness of the problem and, if possible, rule out rights infringements in advance. A review by external service providers can then provide further legal certainty.

On the other hand, start-ups and/or their investors would also have to keep in mind the protection of the company’s own rights. Frequently, such rights represent the actual motive for the planned takeover/investment, so that investors become alert when problems arise in this regard. If a corporate investor wants to use such rights, it must be ensured that the rights belong to the start-up and not, for example, to its founders/owners, employees, freelancers or other third parties. The prerequisites for the acquisition of rights by the start-up – such as the existence of an employment relationship, the development as part of the work task or the claiming of an invention in accordance with the provisions of the Employee Invention Act – must be fully documented.


Explore #more

27.05.2024 | KPMG Law Insights

Agreement on ecodesign regulation: products to become more sustainable

After lengthy negotiations, the Council and Parliament of the European Union reached a provisional agreement on the Ecodesign Regulation on the night of December 5,…

22.05.2024 | KPMG Law Insights

The AI Act is coming: EU wants to get a grip on AI risks

For many people, artificial intelligence (AI) is the great hope for business, healthcare and science. But there are also plenty of critics who fear the…

17.05.2024 | KPMG Law Insights

Podcast series “KPMG Law on air”: When the family business is to be sold

Around 38,000 family businesses are currently handed over each year. In most cases, the change of ownership takes place within the family. But more and…

03.05.2024 | KPMG Law Insights

Doubts about inability to work? What employers can do

The certificate of incapacity for work (AU certificate) serves as proof of incapacity for work due to illness. However, only if the certificate meets certain…

27.03.2024 | KPMG Law Insights

EU Buildings Directive: life cycle greenhouse potential becomes relevant

On March 12, 2024, the EU Parliament approved the amendment to the EU Buildings Directive. The directive obliges member states and, indirectly, building owners and…

19.03.2024 | Business Performance & Resilience, KPMG Law Insights

CSDDD: Provisional agreement on the EU Supply Chain Directive

The EU member states agreed on the CSDDD, the EU Supply Chain Directive, on March 15, 2024. Germany abstained from the vote. Negotiators from the…

21.02.2024 | KPMG Law Insights, KPMG Law Insights

The Digital Services Act – what does it mean for companies?

The Digital Services Act (DSA) is a key component of the EU’s digital strategy and came into force on November 16, 2022. As a regulation,…

15.02.2024 | KPMG Law Insights

Data compliance management: How to implement it in practice

Part 3 of the article series “Professional tips for data compliance management”   The third part of this series of articles deals with data compliance

14.02.2024 | Business Performance & Resilience, PR Publications

Guest article in ZURe: Monitoring the implementation of the LkSG

The current issue of ZURe (p. 20 ff.) contains a guest article by KPMG Law Partner Thomas Uhlig (Head of General Business and Commercial Law),…

09.02.2024 | KPMG Law Insights

Podcast series “KPMG Law on air”: The employment law function

In almost all German companies, the employment law function is located in the HR department and not in the legal department. One of the reasons…


Dr. Bernd Federmann

Stuttgart Site Manager
Head of Compliance & Corporate Criminal Law

Theodor-Heuss-Straße 5
70174 Stuttgart

tel: 0711 781923418

Dr. Christian Hensel

Site Manager Nuremberg

Bahnhofstraße 30
90402 Nürnberg

tel: +49 911 800929944

© 2024 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit

 KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.