Introduction
Until 2006, Eletricidade de Portugal, E.P. (“EDP”), a state-owned company, held all the electricity production, transmission, distribution and supply market and its main infrastructures. From 2006 onwards, activities linked to the electricity marked, such as the electricity production and supply, started to be more liberalized. This liberalized market opened the doors for several other private companies and investors.
Most recently, Decree-Law 15/2022, of 14 January (“Electricity Law“), implemented Directive (EU) 2018/2001 of the European Parliament and of the Council of 11 December 2018, on the promotion of the use of energy from renewable sources, and Directive (EU) 2019/944 of the European Parliament and of the Council of 5 June 2019, that establishes the common rules for the internal market for electricity.
The Electricity Law sets a framework to the National Electrical System (Sistema Elétrico Nacional - “SEN”). Some of its most distinctive features are the creation of three Technological Free Zones (regulatory sandboxes), the creation of the Electro-Intensive Customer Statute and the creation of an electricity aggregator, responsible for connecting the consumption flexibility and storage electricity, purchasing or selling through electricity markets and/or though bilateral agreements.
In this paper, we travel through all Market Participants and their respective functions and obligations as defined in the Electricity Law.
The Portuguese Electricity market Participants
Electricity Producers
Electricity Producers, ruled by articles 11, 39, 97 and Annex I of the Electricity Law, are responsible for generating and providing electricity to the Portuguese electricity grids. Electricity producers can:?
- Install the power station or the storage facility;?
- Sell energy in organized markets or through bilateral agreements; and
- Purchase energy until the limit of the injection capacity established in the production license.
To operate, producers shall obtain from the Portuguese Directorate of Energy (Direção Geral de Energia e Geologia – “DGEG”) a prior registration certificate or a production license (as pursuant to the installed capacity) in relation to each production unit.
The procedure to obtain an electricity production license is subject to the prior assignment of a public electricity grid (Rede Elétrica de Serviço Público – “RESP”) injection capacity reserve title (Electricity Law, article 18/1). This request must be submitted through the DGEG electronic platform.
Storage Companies
Electricity storage (regulated in article 2/60 of Directive (EU) 2019/944 and in articles 11 et seq., 79, 80 and 97 of the Electricity Law) is defined as the process by which previously produced energy is stored through its conversion into another form of energy to be used in a different time. In Portugal, hydroelectric pumping is the most common energy storage method. Other common energy storage technologies in use are lithium batteries and flywheels.
Autonomous storage activity is subject to a prior control procedure by DGEG in case installed capacity:
- is above 1 MW or subject to an environmental impact assessment, it requires a production and operation license.
- is above 30 KW but less than 1 MW a prior registration and an operating certificate issuance by DGEG will suffice.
Integrated storage activity with the production of electricity shall follow the prior control procedure applicable to production covering, in such case, all activities simultaneously.
SEN Global Manager
The Global Manager of the National Electrical System (Sistema Elétrico Nacional - “SEN”) is responsible for SEN management.
It is also responsible for ensuring SEN’s harmonized operation, security and electricity supply stability in the short, medium, and long term.
This includes ensuring that the system is operated safely and efficiently, as well as coordinating with other European countries a stable and secure electricity supply.
The Electricity Law establishes the Global Manager of the National Electrical System rules and the technical management of the National Electricity System in its articles 3 jj) and 103 to 106.
Article 104 of the Eletricity Law establishes that the technical management of the National Electricity System is assigned to Redes Energéticas Nacionais SGPS, S.A. (“REN”) in its capacity of TSO - National Electricity Transportation Grid (Rede Nacional de Transportes - “RNT”) operator.
Integrated DSO
The Distribution Grids Integrated Operator (“Integrated DSO”) holds the technical management of the electricity distribution grids in high, medium, and low voltage and is responsible for the technical management of the distribution grids in articulation with the Global Manager of the National Electrical System.
The Integrated DSO rules are set in articles 108, 109 and 166/2 of the Electricity Law.
This includes managing the electricity flows in the distribution grids and ensuring their interoperability with the grids to which they are connected. According to article 108 of the Electricity Law:
- The technical management of the high voltage and medium voltage distribution grids is committed to DSO - National Electricity Distribution Grid operator.
- The technical management of the low voltage distribution grids is entrusted to concessionaires.
E-REDES, S.A. is the only company in Portugal that operates in the distribution system at high, medium, and low voltage.
Transmission System Operator
The Transmission System Operator (“TSO”) is the entity in charge of the electricity transmission activity, and it is responsible for the construction, operation, and maintenance of the transportation grid, ensuring the grid capacity in the long term.
TSO main rules can be found in articles 2/35, 6, 40 to 42 and 47 to 56 of Directive (EU) 2019/944, in articles 3/zz), 105, 106, 227 and in Annex II of the Electricity Law.
Electricity transmission is carried out by REN, which is responsible for, among other things:
- The electricity transmission, ensuring the operation, planning, and development; and
- The electricity transmission from its production to the transmission grids or to consumer who receive electricity at very high voltage.
Annex II set the bases of RNT 50 years concession for mainland Portugal. REN holds the concession of RNT until 2057 and is subject to the control by DGEG and to the supervision of the energy services regulatory authority ERSE – Entidade Reguladora dos Serviços Energéticos.
Medium and High Distribution System Operator
The Distribution System Operator ("DSO") rules are found in articles 2/39 and 35 of Directive (EU) 2019/944 and in articles 3/xx), 8/1 and in Annex III of the Electricity Law that sets the bases for the medium and high-voltage electricity distribution grids concessions.
DSO activity is granted by a 30-year concession subject to a public tender procedure.
DSO of medium and high voltage is responsible for:
- The construction, operation, and maintenance of the distribution grids;
- The management, operation, and maintenance of the energy system;
- The expansion to new locations;
- The network maintenance ensuring the quality of the service provided; and
- Making the electricity connection to all consumers who request it.
E-REDES holds the DSO concession until 2044.
Low Distribution System Operators
The Low Voltage System Operators (“LDSO”) rules are set out in articles 2/39 and 35 of Directive (EU) 2019/944 and in articles 3/xx), 8/1, 115, 116, 268, 285 and in Annex IV of the Energy Law.
According to Annex IV, low voltage electricity distribution in Portugal is a municipality activity, which may be granted by a 20-year concession contract under a public tender procedure.
Article 118 establishes that the low voltage distribution concession is a remunerated activity. The remuneration is based on the size of each municipality and the number of customers. There is also a solidarity factor that benefits the municipalities with a lower population.
Besides its technical assignments - which include the relationship with DSO - LDSO also has commercial duties, such as: metering reading, making the reading metering reading data available to suppliers and the invoicing and collection of the grid access tariffs from suppliers.
There are currently 11 LDSO, with E-REDES accounting for around 99.5% of consumers. The existing municipal concessions have mismatched periods, with most expiring in 2022.
Closed Distribution System Operators
Closed Distribution System Operators are entities responsible for ensuring the capacity of the closed distribution system. A closed distribution system is a system that is part of areas or infrastructures excluded from the scope of electricity distribution concessions.
The Closed Distribution System Operator and the Closed Distribution System are regulated in articles 38 of Directive (EU) 2019/944 (EU) and in articles 3/yy) and 120 and onwards of the Electricity Law.
The Closed Distribution System Operator is responsible for:
- Interrupt the electricity supply within the closed distribution grids, provided it is duly justified and reported to ERSE or to DGEG;
- Know the consumption demand and the energy produced by Closed Distribution Systems; and
- Enter in to transparent and non-discriminatory agreements with the Closed Distribution System consumers/users.
Electricity Suppliers
Electricity Suppliers are responsible for providing freely commercial offers, purchasing electricity from electricity producers in the market and sell it to customers.
Electricity Suppliers are regulated by article 5 of Directive (EU) 2019/944 and in articles 134 et seq. of the Electricity Law.
Electricity Suppliers can trade electricity through organized markets or through bilateral agreements with other market agents (article 136 of the Electricity Law).
Electricity Supplier’s must start their activity within one year after their registration at DGEG and must (i) pay the tariffs to use the electricity grids systems and provide the contractual warranties legally established; (ii) keep an updated register of their customer’s complaints; (iii) provide transparent information on prices and tariffs and the standard conditions to use their services; (iv) provide its customers a diversified payment option and; (v) provide transparent access to the customers regarding their consumption data.
There are currently 38 electricity suppliers that operate in Portugal, each with their own tariffs and terms.
Last Resort Suppliers
Last resort suppliers are entities holding an electricity supply license for a maximum period of 20 years and are obliged to supply electricity subject to a regulated price defined by ERSE.
The Last Resort Supplier regime is defined in recital 27 and in article 27 of Directive (EU) 2019/944, and in articles 138 et seq. of the Electricity Law.
The Last Resort Supplier is responsible to supply electricity:
- In areas where there are no offers on the free market;
- To economically vulnerable consumers; and
- To customers whose free-market supplier has been prevented from exercising its activity.
The Last Resort Suppliers' activity is subject to a license to be awarded by DGEG. Article 139/1, establishes that the granting of a new Last Resort Supplier license is carried out through a public tender procedure.
There are currently 11 last resort suppliers operating in specific areas of mainland Portugal and 2 others operating, respectively, in the Azores and Madeira islands.
Electricity Market Operator
Electricity Market Operators are entities responsible for the market management and related activities. The main regulations in their regard are set out in articles 163 et seq. of the Electricity Law.
In the last stage of the electricity supply chain, the Electricity Market Operator (along with Electricity Suppliers) relates directly to consumers. Consumers can choose their supplier and change (free of charge) whenever they find better suited offers to their type of consumption.
The main duties of an Electricity Market Operator consist of:
- Managing the electricity contracting markets;
- Disclosing information about the market in a transparent and non-discriminatory way, namely publishing information on prices and quantities traded; and
- Establishing the rules for the prices settled in electricity supply agreements.
Guarantees Manager
The Guarantees Manager work is to ensure the management of the guarantees to be provided by suppliers or market agents, in accordance with articles 170 et seq. of the Electricity Law.
Pursuant to Resolution 17/2009, of 23 March, OMIP S.A. is the managing entity that carry out the role of Guarantees Manager of SEN and that is responsible for minimising the risks arising from SEN market participants obligations.
The Guarantees Manager must comply with the following principles:
- Public interest, impartiality and independence;
- Economic efficiency, guaranteeing that only necessary costs are generated for SEN; and
- Transparency of decisions, through information and auditing mechanisms.
In addition, it shall also comply with report and regulatory control procedures laid down by ERSE or by the Securities Market Commission (Comissão do Mercado de Valores Mobiliários - “CMVM”).
Last Resort Aggregator
In case there is no offer from electricity aggregators in the market or when the aggregators are unable to exercise its activity, the last resort aggregator shall acquire electricity from:?
- Renewable electricity producers, excluding hydroelectric plants with a connection capacity higher than 10 MVA, remunerated at prices freely determined on organized markets; and?
- Self-consumers who inject surplus energy into RESP.?
The Last Resort Aggregator is also obliged to acquire energy generated by Producers who benefit from guaranteed remuneration schemes.
The Last Resort Aggregator role is set out in articles 148 et seq. of the Electricity Law. The award of the last resort aggregator license - subject to a maximum term of 20 years - is carried out through a public tender procedure.
The procedure for the award of the last resort aggregator license has not yet been opened by the Portuguese Government. Until then the last resort aggregator competencies are entrusted to the last resort supplier.
Electricity Aggregators
Electricity aggregators activity comprise the purchasing of electricity in the free market and selling it to customers who enter into a Supply Agreement, subject to the terms and conditions agreed upon therein.
Electricity Aggregators are regulated in articles 143 et seq. of the Electricity Law. According to article 146, Electricity Aggregators have the same rights and obligations than Electricity Suppliers. Electricity Aggregators can:
- Trade electricity through organized markets or bilateral agreements with other market agents;
- Have access to the energy systems to deliver electricity to their customers; and
- Enter into electricity purchase and sale agreements with customers.
ENDESA ENERGIA, S.A. is currently the only electricity aggregator operating in Portugal.
Self-Consumers
Self-Consumers’ activity is regulated in article 81 to 88 of the Electricity Law. Self-Consumers are those who generate their own electricity from renewable sources and consume it themselves, instead of selling it back to the grid. They can store or sell its electricity, although these activities cannot constitute their main commercial or professional activity.
Self-Consumers may perform this activity in individual self-consumption in one electrical installation (“IU”) or collective self-consumption in or two or more electrical installations.
According to article 88/1, Self-Consumers may: (i) Install one or more Electrical Unit for Self-Production (Unidade de Produção para Autoconsumo – “UPAC”); (ii) Consume the electricity produced or stored in their facilities; and (iii) Trade the surplus energy produced through electricity markets directly or through third parties.
According to article 88/2 self-consumers must: (i) Bear the cost for connection of the electrical installations to RESP; (ii) Provide to the supervising entity all the requested information and technical data, namely the electricity produced by UPAC data; (iii) Ensure that the installed production equipment is certified; and (iv) Enable inspection entities to access UPAC.
Just like production, self-consumption activity is subject to the award of a production license (in case the installed capacity is above 1 MW) or a prior registration certificate (above 30 KW but less than 1 MW).
The Electricity Law has introduced the Electro-Intensive Customer Statute, regulated by the Order 112/2022, bringing a set of benefits to consumer, including:
Can be eligible as electro-intensive customers: (i) customers with an annual electricity consumption equal to or greater than 20 GWh and an annual consumption equal to or greater than 40% of annual electricity consumption, in at least two of the last three years, and (ii) customers with an annual electro-intensity level equal to or greater than 1 kWh/EUR of gross added value, calculated as pursuant the criteria laid down in Order 112/2022. Customers must provide DGEG with information by June 15 of each year to maintain their eligibility.
Citizen Energy Communities
Directive (EU) 2019/944 establishes that Citizen Energy Communities may engage in production, including energy from renewable sources, distribution and supply activities to its members. They are regulated by articles 16 et seq. of Directive (EU) 2019/944 and in article 191 of the Electricity Law.
Citizen Energy Communities are legal entities established through an open and voluntary membership by its members, partners, or shareholders, who may be natural persons or legal entities, including small and medium-sized businesses or municipalities aiming to provide environmental, economic, or social benefits to its members or to the local areas in which they operate.
Article 191/2 states that Citizen Energy Communities may:
- Own, establish, purchase or lease closed distribution system and carry out their management; and
- Produce, distribute, commercialize, consume, aggregate, and store energy regardless of whether the primary source is renewable or non-renewable.
Renewable Energy Communities
The Renewable Energy Communities (“REC”) are regulated in articles 2 and 22 of Directive (EU) 2018/2001 and in articles 189 et seq. of the Electricity Law. REC are legal entities established through an open and voluntary membership by its members, partners, or shareholders, including small and medium-sized businesses or municipalities, and which, cumulatively:
- Have their members located near the renewable energy projects or developing activities related to the renewable energy projects of the respective energy community; and
- Such projects are owned and developed by the Renewable Energy Community or a third party.
REC’s goal is to provide environmental, economic, and social benefits to the members or localities where the community operates.
The main differences between Citizen Energy Communities and REC are that REC are near renewables electricity production centers and are and are subject to a limited membership scheme.
Guarantees of Origin Authority
The Guarantees of Origin Issuing Authority is regulated in article 294 of the Electricity Law.
The Guarantees of Origin Issuing Authority activity is subject to a license to be awarded under a public tender procedure. Currently, the activity is entrusted to REN for the electricity generated from renewable energy sources.
A Guarantee of Origin is an electronic document that proves to the final electricity purchaser that a given percentage of the electricity supplied comes from 'green' sources.
There are currently three versions of these documents, which certify the following types of energy:
- Electricity produced from renewable energy sources;
- Heating and cooling energy produced from renewable energy sources; and
- Electricity produced in cogeneration facilities.
Collective Self-Consumption Management
Collective Self-Consumption Management Entity (“EGAC”) is the entity responsible for the management and communication with the self-consumption and renewable energy community's platform (Electricity Law, article 3 paragraph gg).
EGAC are responsible for connecting the self-consumers to RESP. They are also in charge of the commercial relationship to be adopted for the surplus energy produced by self-consumers.
EGAC represent the collective self-consumption to operators and administrative entities, ensuring:
- The relationship with the grid operator for the purpose of paying the grid access tariffs for self-consumption through the public grid; and
- The relationship with the aggregator of the surplus production for sale on the market.
Logistics Operator for switching suppliers and aggregators
The activity of the Electricity Switching Logistics Operator is ruled by Decree-Law 38/2017, of 31 March and articles 152 and onwards of the Electricity Law.
According to article 152, the activity of the Logistics Operator for Switching Suppliers and Aggregators consists in the procedure to help consumers to change their electricity supplier and to electricity producers to change their aggregator.
The award of the Logistics Operator for Switching Suppliers and Aggregators license is carried out through a public tender procedure and is limited to a period of 10 years, according to article 153/1. Logistics Operator for Switching Suppliers and Aggregators can, among other things:
- Exercise the licensed activity; and
- Be remunerated for the service provided.
The Logistics Operator for Switching Suppliers and Aggregators roles are, among others:
- Operate the change of supplier and aggregator on the electricity markets; and
- Provide personalized information to consumers, electricity producers, and self-consumers.
In addition, it must promote transparency in the electricity market and provide to consumers easy access to any information to which they are entitled.
The Logistics Operator for Switching Suppliers and Aggregators activity covers the whole national territory and is exercised by an operator that is independent of the other parties involved in the National Electrical System.
Electricity Consumers
Electricity consumers are typically residential and commercial customers. The residential customer sector includes single-family homes, apartments, and mobile homes. The commercial sector includes small businesses, factories, and office buildings.
The legal framework of Energy Consumers are established in articles 10 to 14 of Directive (EU) 2019/944 and in articles 180 to 188 of the Electricity Law. Energy Consumers must:
- Perform the relevant monthly payments;
- Contribute to the development of environmental protection;
- Contribute to the development of energy efficiency;
- Keep their equipment in safe conditions, under the terms of the applicable legal and regulatory provisions; and
- Provide all information strictly necessary for the electricity supply.
Between the electricity supplier and its customers there is a relationship with specific characteristics ruled by the Commercial Relations Regulation (Regulamento de Relações Comerciais - "RRC"), approved by ERSE.
RRC has specific rules regarding (i) the possible contracting modalities; (ii) the choice and the change of supplier; (iii) invoicing and payment; and (iv) the resolution of conflicts arising from the commercial and contractual relationship.
The customers' right to effectiveness and quality of service dictates the possibility of complaining to suppliers whenever they feel their rights have not been duly safeguarded.
Electricity suppliers must provide updated information, namely on their websites, on several matters, such as (i) supply agreements; (ii) available services; (iii) options and prices, and (iv) billing frequency.
Suppliers are also obliged to ensure fast, effective, and complete service to their customers and thus the Quality-of-Service Regulation (Regulamento da Qualidade do Serviço) establishes that suppliers must maintain the following three different types of attendance: (i) face-to-face; (ii) telephone, and (iii) written.
Within the scope of customer service, suppliers are bound to provide information on supply agreements, tariff options, quality of service standards and dispute resolution.
If you wish to learn more, you may download our PDF down below.
Labor compliance standards and principles
Corporate social responsibility (CSR) and labor compliance pursue going beyond legal compliance issues. The purpose of both is not simply to fulfil legal expectations, but making the environment and relations with stakeholders beyond mere compliance with the Law.
Although CSR is not a plain concept, CSR is whereby business entities voluntarily incorporate social, environmental and ethical standards into their operations.
CSR is built on three pillars: (i) PROFIT (economic), (ii) PEOPLE (social) and (iii) PLANET (environmental area) – the triple “P”. Labor compliance is included in the PEOPLE, social pillar of CSR.
Labor compliance’s purpose is keeping a safe and healthy work environment and giving all employees a fair treatment by labor control mechanisms:
- For employees, by providing for additional control over the employer’s actions, fair compensation, equal opportunities for recruitment and protection against abuse of office and discrimination; and
- For employers, by enabling them to hire qualified employees and to require employees to carry out their duties with due diligence.
Successful organizations have in common a commitment to conduct businesses according to high international standards and principles and to build a corporate culture in line with these standards.
Anglo-Saxon systems often distinguish hard law from soft law. ‘Hard law’ generally refers to legal obligations that are binding to the parties involved and which can be legally enforced before a court. The term ‘soft law’ is used to denote agreements, principles and declarations, which are quasi-legal instruments, but do not have any legally binding force, or whose binding force is somewhat weaker than the binding force of traditional law, also referred to as hard law. Labor compliance preferably results from the interaction between hard and soft law instruments.
In Portugal, mandatory obligations and instruments of labor compliance may vary according to the entity type. For instance, State-owned companies or stock exchange listed companies are subject to stricter requirements. This does not, however, mean that other entities may not follow the same compliance standards or even different standards voluntarily applied according to their ethical culture practices.
Some of the mandatory rules are:
- Record-keeping of employees' working hours;
- Record-keeping of overtime work;
- Record-keeping of disciplinary sanctions; and
- Preparation and display of employees' holiday schedule.
Detailed attention to labor compliance matters on non-discrimination, equal pay, anti-harassment, close the gap for women and minorities, fight against corruption and related offences, have been growing with major changes brought by local laws.
To follow these changes, employers are compelled to apply a set of policies, procedures, and actions, of which:
- Code of Ethics and Conduct;
- Anti-Harassment Policy;
- Gender Equality Plan;
- Gender Pay Gap Report;
- Employees’ Training Plan; and
- Corruption Risk Management Plan.
Some labor compliace tips that your company may follow are:
- Create a code of ethics and conduct with plain and clear language;
- Implement strong policies and plans, e.g., on gender equality, non-harassement, pay gap;
- Promote awareness amonsgt employees about the importance of complying with the standards;
- Create internal reporting channels;
- Regularly monitor compliance programs to review labor-related risks;
- Remind your employees that the example comes from the top management; and
- Make it clear that the company is not involved in ehtically doubtful practices.
If you want to read more, please click on the link to our PDF down below.
Following the merger between CP, the Railway Owned State Company of Portugal, and EMEF, the Railway Maintenance Owned State Company, that took place in 2020, and after two years of intensive collective bargaining, it was published the new CP Single-Undertaking Agreement and Career Regulation. The new Single Undertaking Agreement allows the integration of former EMEF employees at CP and provides new working conditions. The new agreements were signed with 11 of the 14 trade unions representing CP and former EMEF employees: (i) SNAQ; (ii) ASCEF; (iii) SINFB; (iv) SINFA; (v) SINAFE; (vi) SINDEFER; (vii) FE; (viii) STMEFE; (ix) SIFA; (x) FENTCOP and (x) SIOFA. In summary, the new Company Agreement enshrines the following changes: (i) Salary increase, retroactive to 1 January 2022, for all employees; (ii) Elimination of an index at the base for all categories except for Senior Technicians and Specialists; (iii) Elimination of an additional index at the base of the Commercial Assistant, Revision Operator and Sales Operator categories; (iv) Increase of one index at the top for all categories except for Senior Technicians and Specialists; (v) Creation of minimum tenure for index change, with a maximum of four years; (vi) Elimination of overlapping indices between professional categories and their managers; (vii) Uniformization of the meal allowance to €7.74; (viii) Increase in the fixed percentage of the daily revision premium from EUR 0.6 to EUR 0.8; (ix) Increase in the allowance for absences at fixed sales points by EUR 6 in each step; (x) Integration of former EMEF employees with retroactive effect as of 1 January 2022; (xi) Application of the rules on work organization, allowances, and variables, mostly enshrined in the former CP AE to the former EMEF employees; and (xii) Reinstatement of the transportation allowance existing in the EMEF AE for those workers currently covered by the new AE who, at the time of the merger, were receiving it and are not covered by the transportation/availability allowance of the new AE. The new EA contains a globally more favorable regime for all workers and some new productivity measures. The new Company Agreement covers workers affiliated to the signatory unions, as well as workers not affiliated to a signatory union who adhere to it within three months. The signing of the new Company Agreements falls under the principle of collective autonomy and the right to collective bargaining, enshrined among workers' rights, freedoms and guarantees in article 56, no. 3 of the Constitution of the Portuguese Republic. © MACEDO VITORINO |
|
Introduction
The Portuguese Government approved a set of measures, including a general framework for preventing corruption. This happened under the National Anti-Corruption Strategy 2020-2024, approved by the Council of Ministers Resolution No. 37/2021, of 6 April 2021.
Decree-Law No. 109-E/2021, of 9 December 2021, approved the Portuguese Framework for the Prevention of Corruption (the Portuguese Anti-Corruption Framework) and created an independent administrative entity, the National Anti-Corruption Mechanism (MENAC). MENAC replaced the Council for the Prevention of Corruption to promote transparency and integrity in public action and ensure the effectiveness of policies to prevent corruption and related offences.
The Portuguese Anti-Corruption Framework requires public and private entities with 50 or more employees to adopt a regulatory compliance programme, which must include: (i) a risk prevention or management plan, (ii) a code of ethics and conduct, (iii) training programmes, (iv) reporting channels and (v) the designation of a compliance officer ("Responsável pelo Cumprimento Normativo").
This regulation also determines the implementation of internal control systems that ensure the effectiveness of the instruments of the regulatory compliance programme and the transparency and impartiality of procedures and decisions. It also provides sanctions, particularly administrative sanctions, for the non-adoption or deficient or incomplete adoption of regulatory compliance programmes.
Having the adaptation of the entities covered by this framework in mind, it was established that it would come into force and gradually take effect as follows:
- The Portuguese Anti-Corruption Framework comes into force on 7 June 2022; and
- The sanctioning regime will take effect from 7 June 2023, except for companies with 50 to 249 employees, where it will take effect from 7 June 2024.
Corruption
No unequivocal definition of corruption exists. However, there is consensus that corruptive conduct involves the abuse of public power or service duties to benefit the third party against payment of a sum of money or any other benefit.
Articles 372 to 374-B of the Portuguese Criminal Code provide for crimes of undue receiving of advantage and corruption crimes.
Corruption crimes have essentially two outlines: active and passive corruption, depending on whether the perpetrator is, respectively, offering/promising or requesting/accepting an undue material or non-material advantage. Another critical difference is whether the action requested or performed is contrary to the service duties of the corrupted officer.
Corruption crimes in international trade and private practices (set out in Law No. 20/2008 of 21 April 2008, as well as those included in the Criminal Liability Regime for Anti-Sporting Behaviour, approved by Law No. 50/2007 of 31 August 2007) are also included in the concept of corruption, even when there is no abuse of public power or function.
It is essential to mention that in society, the concept of corruption has a broader meaning. It includes other crimes perpetrated in the performance of public duties, such as embezzlement, economic participation in business, extortion, abuse of power, prevarication, influence peddling or money laundering.
Corruption and related offences comprise the following criminal offences: corruption, receiving and offering an undue advantage, embezzlement, economic involvement in business, extortion, abuse of power, prevarication, influence peddling, laundering or fraud in obtaining or diverting a subsidy, grant or credit.
Regulatory Compliance Programme
The Portuguese Anti-Corruption Framework imposes the adoption of a regulatory compliance programme by:
- Legal entities, including branches, headquartered in Portugal with 50 or more employees;
- State, autonomous regions, local authorities and corporate public sector companies with 50 or more employees; and
- Independent administrative entities with regulatory functions and the Bank of Portugal.
Entities, either public or private entities, that do not meet the above requirements are not exempted from implementing instruments for the prevention of risks of corruption and related infractions. These must be adjusted to their size and nature.
The regulatory compliance programme must include the following minimum mandatory instruments:
- Risk prevention or management plans;
- Code of Ethics and Conduct;
- Training programmes and awareness actions;
- Reporting channels; and
- Appointment of a Compliance Officer (“Responsável pelo Cumprimento Normativo”), whose role is to ensure and monitor the implementation of the regulatory compliance programme.
This regime also determines the implementation of internal control systems and prior assessment procedures that ensure the effectiveness of the instruments of the regulatory compliance programme.
The board of directors is responsible for adopting and implementing the regulatory compliance programme.
Entities must implement the regulatory compliance programme until 7 June 2022.
Minimum Mandatory Instruments
- Code of Coduct: Document establishing a set of ethical and deontological principles, values, and rules that the organisation’s employees must comply with;
- Risk Prevention Plan: Instrument of internal risk control and management, i.e., control and management of the possibility of occurrence of some events with a negative impact on the organisation's objectives;
- Reporting Channel: An internal reporting channel for corruption must be managed with independence, impartiality and absence of conflicts of interest, and ensure secrecy, confidentiality and data protection;
- Trainning Programme: To ensure all employees clearly understand and embrace policies and procedures that affect their duties and responsibilities; and
- Compliance Officer: Responsible for ensuring and controlling the application of the regulatory compliance programme, namely by implementing, controlling and reviewing the risk prevention plan.
Prevention Plan for Corruption Risks and Related Offences
The Prevention Plan for Corruption Risks and Related Offences (Risks Prevention Plan) is an essential instrument of control and management of internal risk, i.e. of control and management of the possibility of occurrence of any event with a negative impact on the organisation’s goals.
A Risks Prevention Plan should cover the whole organisation and its activity, including administration, management, operational or support areas.
Corporate groups can adopt and enforce a single Risks Prevention Plan covering the entire organisation and activity of the group, including management, operational or support areas of the corporate group entities.
A Risks Prevention Plan must include:
- Identification, analysis and ranking of risks and situations that may expose the entity to acts of corruption and related offences, including the ones associated with the performance of duties by the members of the management and administrative bodies, considering the reality of the sector and the geographical areas in which the entity operates;
- Preventive and corrective measures to reduce the probability of occurrence and impact of the risks and situations identified.
It must also contain:
- The entity's areas of activity with risk of engaging in acts of corruption and related offences;
- The likelihood of occurrence and foreseeable impact of each situation, in a way that would make it possible grading of risks;
- Preventive and corrective measures to reduce the likelihood of occurrence and impact of the risks and situations identified. In cases of high or maximum risk, the most comprehensive prevention measures, being enforcement the priority; and
- Appointment of a person responsible for the implementation, control and review of the Risks Prevention Plan, which may be the Compliance Officer.
Enforcement Control of the Risks Prevention Plan
To ensure that new or existing risks are adequately addressed, the execution of the Risks Prevention Plan should be subject to a review of internal controls, particularly:
- Preparation, in October, of an interim evaluation report on situations of high or maximum risk identified;
- Preparation, in April of the following year, of an annual evaluation report that quantifies the degree of execution of the preventive and corrective measures and the expectation of their full implementation.
Entities must ensure that the Risks Prevention Plan and relevant reports are disclosed to employees through the Intranet and official Internet website, if applicable, within ten days from implementation, review or amendments.
Public entities have an additional reporting obligation. They must report the Risks Prevention Plan and relevant reports to the Government members responsible for their management, supervision or control; the inspection services of the appropriate governmental area; and to MENAC within ten days from implementation, review or amendments.
the Risks Prevention Plan must be reviewed every three years or whenever changes occur, for instance, changes in the entity’s articles of association or corporate structure.
Code of Conduct
The Code of Conduct includes a set of ethical and deontological principles, values and rules that govern an organisation's activity and by which the members of its management bodies and employees should abide in their internal relationships as well as with customers, suppliers and stakeholders.
The Code of Conduct does not have an inside limitation. It may also be addressed to third parties, i.e., entities outside the organisation but which are contracted by or act on behalf of the organisation, in cases where the organisation may be responsible for their actions or omissions, under the "principal/ commissioner" liability regime.
The Portuguese Anti-Corruption Framework expressly requires the Code of Conduct to include the disciplinary sanctions for failure to comply with the Code’s rules under the law and have criminal sanctions for acts of corruption and related offences. On the other hand, it is necessary to adopt a specific procedure if a violation occurs. In other words, a report must be drawn up identifying the rules infringed, the sanction applied, and the measures implemented or to be implemented.
The Code of Conduct must be disclosed through the Intranet and official Internet website, if applicable, within ten days from its implementation, review or amendments.
Public entities have an additional reporting obligation. They must report the Code of Conduct to the Government members responsible for their management, supervision or control; the inspection services of the appropriate governmental area, if any; and to MENAC within ten days from implementation, review or amendments. The communications will be carried out through an electronic platform managed by MENAC.
The Code of Conduct must be updated every three years or whenever changes occur, for instance, changes in the entity’s articles of association or corporate structure.
Internal Reporting Channels
The Portuguese Anti-Corruption Framework itself states that the adoption of internal reporting channels for acts of corruption and related offences falls within the Whistleblowing Directive (EU) 2019/1937, which was transposed by Law No. 93/2021, of 20 December 2021, into Portuguese law.
This means that corruption and related offences are also included in the scope of the breaches set out in the Portuguese Whistleblowing Law, and the whistleblower may benefit from the relevant protection once specific (cumulative) conditions are met, namely:
- The reporting person is acting in good faith;
- The reporting person has a serious reason to believe that the information is accurate at the time of the report or public disclosure;
- The information relates to a covered breach, i.e., a reportable breach; and
- The complaint is made through appropriate report channels.
Each entity is free to choose how to implement the reporting channel. Regardless of the means chosen, the confidentiality of the reporting person or anonymity (if requested by the reporting person) must always be ensured. Complaints may be made anonymously.
The reporting channel must ensure the possibility of the complaint being made:
- In writing: by post, via one or more physical complaint boxes, or an online platform, e.g., on the Intranet or Internet; or
- Verbally: via a telephone line or other voice messaging system; or
- Both.
Follow-up on internal complaints
The follow-up to an internal complaint is subject to mandatory deadlines, namely:
- Seven days: the entity will notify the reporting person on the receipt of the complaint and inform in a clear and accessible manner the reporting person of the requirements, competent authorities and means and admissibility of an external complaint;
- Three months from the reception of the complaint: the entity will inform the reporting person of the measures envisaged or adopted to follow up on the complaint and why. Following the complaint, the entity will take the appropriate internal actions to verify the allegations contained in the complaint and, where necessary, to bring to an end the breach reported, including by opening an in-house investigation or informing the competent authority to investigate the breach;
- 15 days after the respective conclusion: the reporting person may request, at any time, for the entity to communicate the result of its analysis of the complaint.
Within the scope of the reporting channels, it is advisable to adopt a whistleblowing policy with specific procedures for information, response and handling of complaints.
Internal reporting channels can be operated:
- Internally, for the purpose of receiving and following up complaints, by persons or services within the organisation; or
- Externally, for the purpose of receiving complaints on behalf of the organisation, e.g. by external whistleblowing platform providers, external consultants, auditors.
Of these two options, the use of an external entity may prove to be the most appropriate option, as the Portuguese law requires that the independence, impartiality, confidentiality, data protection, secrecy and absence of conflicts of interest of whoever is in charge of managing the channel and following up on complaints is guaranteed.
If, however, the organisation chooses to manage and follow up on complaints itself, it is recommended that at least an assessment by an independent third party is made to verify that all safeguards, including response times and prompt follow-ups with the reporting person, are met, failing which fines may be imposed.
Training and Awareness Programme
Internal training shall ensure that administrative, management and other employees know and understand the policies and procedures to prevent corruption and related offences. In this case, the training hours count as statutory training time provided by the employer to the employee.
The Portuguese Anti-Corruption Framework does not foresee specific content for training or time sessions.
Each organisation is responsible for defining the content of its training programme and developing the necessary training actions for employees according to a risk-based approach.
Training must be transversal, although the content must be adapted to the respective recipients.
Training should take into account the different exposure of the board of directors, senior management and other employees to the risks of corruption and related infractions.
Along with internal training actions, the promotion of awareness-raising actions, both internally and externally, is another component necessary for implementing a PCN effectively.
Each organisation must inform its employees and the entities with which it relates – in its supply chain – of the policies and procedures in force that must be complied with and the consequences of non-compliance.
Compliance Officer (Responsável pelo Cumprimento Normativo)
The Portuguese Anti-Corruption Framework establishes that the Compliance Officer must be in a senior management position or equivalent. However, it does not determine what specific qualifications RCNs should have for performing their duties. However, we anticipate that they should be appointed based on their professional qualities and, in particular, their expertise in law and compliance practice.
The Compliance Officer is not a new “role". The Portuguese Anti-Money Laundering Law (Law 83/2017, of 18 August) expressly provides for the designation of a Compliance Officer in anti-money laundering and terrorist financing measures. Similarly, the Data Protection Officer (DPO) under the General Data Protection Regulation (GDPR).
Although the Portuguese Framework does not establish the specific duties of the Compliance Officer, unlike what the Portuguese Anti-Money Laundering does, regarding money-laundering prevention, and GDPR for the Data Protection Officer (DPO), the Portuguese Anti-Corruption Framework imposes that the exercise of the Compliance Officer duties is performed independently, permanently and with decision-making autonomy. RCN must also have the internal information and human and technical resources necessary for the proper performance of their duties.
The question may arise whether the Compliance Officer for anti-money laundering or DPO can also act as the Compliance Officer for the Portuguese Framework. The answer to this question is not universal since it can depend, among other things, on the size and structure of the organisation itself and the procedures in place. If the entities covered are in a group relationship, the Portuguese Anti-Corruption Framework expressly states that a single person responsible for regulatory compliance can be appointed.
Although not legally specified, the Compliance Officer duties can be allocated to a team, but there should be a specific interlocutor with employees and competent authorities.
Internal Control and Prior Assessment Procedures
The entities covered, public and private, must implement an internal control system, which should include, among other things, the organisation plan, policies, methods, procedures and good control practices that consider the main corruption risks identified in the Risks Prevention Plan.
The internal control system must be proportionate to the nature, size and complexity of the entity and its business and be based on adequate risk management, information and communication models. The internal control system must also be supported by procedures manuals.
The implementation of the internal control system should also be subject to regular monitoring through random audits, with the results and conditioning factors being reported upstream, and the adoption of the necessary corrective or improvement measures.
The internal control system must be fit for preventing or repairing situations of conflict of interest :
- In public entities, members of the administrative bodies, managers and employees must sign a declaration of absence of conflict of interests (form to be defined) in procedures in which they intervene relating to: (i) public procurement; (ii) granting of subsidies, subventions or benefits; (iii) urban, environmental, commercial and industrial licensing; licenciamentos urbanísticos, ambientais, comerciais e industriais; (iv) sanctioning procedures. In a case of a potential or existing conflict of interest, they must also disclose the issue to their manager or, in their absence, to the Compliance Officer.
- In private entities, prior risk assessment procedures should be established in relation to third parties acting on their behalf, as well as suppliers and customers. To identify situations of conflict of interest, these procedures must be suitable for the title of beneficial owners, image and reputation risks and commercial relations with third parties.
Penalties
Very Serious misdemeanour
FINES FROM € 2.000 TO € 44.891,81 (LEGAL PERSONS) OR UP TO € 3.740,98 (NATURAL PERSONS)
- Failure to adopt of implement a Risk Prevention Plan or if the adopted/ implemented Plan lacks any of the required elements;
- Failure to adopt a Code of Conduct or to adopt a Code that does not take into account the criminal norms regarding corruption and related offences or the risks of the Entity's exposure to these crimes; and
- Failure to implement an Internal Control System.
FINES FROM € 1.000 TO € 25.000 (LEGAL PERSONS) OR UP TO € 2.500 (NATURAL PERSONS)
- Failure to draw up control reports over the Risk Prevention Plan;
- Non-revision of the Risk Prevention Plan or the Code of Conduct;
- Failure to publicise the Risk Prevention Plan or the Code of Conduct and monitoring reports to employees;
- Failure to communicat the Risk Prevention Plan or the Code of Conduct and/ or control reports;
- Failure to report in case of breach of the Code of Conduct or incomplete reporting.
Liability
Liability for the perpetration of administrative offences lies upon:
- Legal persons, when the acts are carried out by the members of their bodies, agents, representatives or employees in the performance of their duties or in their name and on their behalf. When the agent acts against the explicit orders or instructions of the legal persons or similar entities, their responsibility is excluded;
- Owners of managerial bodies or managers, the person responsible for regulatory compliance and those responsible for the management or supervision of the areas of activity in which the administrative offence is committed when they engage in the acts or when, knowing or having knowledge of the acts, they do not adopt measures to put an end to them.
Directors or managers of legal persons or equivalent entities are alternatively liable:
- For the payment of fines imposed prior to the beginning of the term of office when they are accountable for the insufficiency of assets for payment; or
- For payment of fines imposed prior to the beginning of the term of office but where the final decision is only notified during the term of office and non-payment is attributable to them.
When several persons are liable to pay the fines, they are jointly liable.
If you wish to learn more, please download the PDF below.
Introduction
Law 19/2012, of May 8, 2012 (the “Competition Law”), which entered into in force on July 8, 2012 and repealed the former competition law, Law 18/2003, of June 11, 2003, establishes merger control rules applicable to concentrations having effects in Portugal.
The Competition Law brought relevant changes on merger control rules, particularly by (i) putting the merger substantive test in line with the Significant Impediment of Effective Competition (“SIEC”) test of the European merger rules; (ii) changing the turnover thresholds required for the notification to the Portuguese competition authority (Autoridade da Concorrência – the “Competition Authority”), including adding a new de minimis market share notification threshold, (iii) deleting the previous notification deadline, and (iv) amending some deadlines applicable to the merger procedure.
In order to prevent the risk of competition restrictions, the Competition Authority exercises control over planned concentrations with effects in the national market.
A concentration is the legal combination of two or more undertakings, by the merger between two or more undertakings or by the control acquisition, directly or indirectly, of the whole or parts of one or several other undertakings.
Following an assessment phase, the Competition Authority may approve the concentration, including upon the application of remedies to be carried out by the undertakings, or prohibit the transaction insofar as it creates significant impediments to effective competition in the national market, particularly in case of creation or reinforcement of a dominant position in the national market.
Undertakings that execute concentrations which have been suspended or prohibited by the Competition Authority may be subject to fines and the legal acts related to the transaction could be declared null and void. The maximum amount of the fine could be 10% of the aggregate annual turnover of the associated undertakings that have engaged in the prohibited behavior.
This paper reviews some of the most important legal aspects regarding merger control rules in Portugal.
Powers of the Competition Authority
The Competition Authority is an independent authority with financial autonomy, which was created in 2003 by Decree-Law 10/2003, of January 18, 2003. The role of the Competition Authority is to conduct the enforcement of the competition rules in Portugal with a view to ensuring an efficient market performance and a fair division of the resources and to protect the interests of the consumers under the market economy and free competition principles.
In contrast to antitrust practices, for which the Competition Authority is empowered to apply the Competition Law in parallel with European competition rules whenever an impact on trade between Member States exists; in merger control, the Competition Authority may only take action against concentrations to the extent that the relevant merger thresholds, as set out in Council Regulation (EU) 139/2004, of January 20, 2004 (the EU Merger Regulation), are not met. There is however a referral mechanism that allows the Competition Authority and the European Commission to transfer the case between themselves, both at the request of the involved undertakings and of the Competition Authority, in order for the undertakings to benefit from a one-stop-shop review.
The powers of the Competition Authority include:
- The power to investigate any practices that may infringe the national and the European Union competition rules, to conduct the required procedures and to decide on the applicable sanctions, if any;
- The power to decide on the compatibility of undertakings’ agreements with the competition rules and to conduct the applicable administrative procedures;
- The power to review and decide on merger transactions and to conduct the applicable administrative procedures; and
- The power to approve regulations on competition issues as well as codes of conduct and manuals of corporate good practices.
Notification thresholds
The Competition Law does not establish a specific deadline for the filing of a notification. Transactions subject to notification may not be however completed before clearance from the Competition Authority.
The notification is required to the extent one of the following thresholds is fulfilled:
- Turnover threshold: the aggregate net turnover obtained in Portugal by the undertakings involved in the transaction (“Participating Undertakings”) exceeds €100 million in the preceding financial year (after deduction of taxes directly related to turnover), provided that the turnover individually obtained in Portugal by at least two of the Participating Undertakings exceeds €5 million; or
- Standard market share threshold: the transaction leads to the acquisition, creation or reinforcement of a market share of equal to or above 50% of the national relevant market, or in a substantial part thereof; or
- “De minimis” market share threshold: the transaction leads to the acquisition, creation or reinforcement of a market share equal to or above 30% and less than 50% of the national relevant market, or in a substantial part thereof, provided that the net turnover individually obtained in Portugal by at least two of the Participating Undertakings exceeds €5 million in the previous financial year.
Merger transactions may be subject to a preliminary assessment within at least fifteen working days prior to the notification of the transaction to the Competition Authority. This preliminary procedure aims to promote informal and confidential discussions on any proposed transaction with the Competition Authority. Typically, this preliminary procedure is made through one or more meetings with the Competition Authority and subsequent additional information requests. The preliminary procedure may, in practice, entail a reduction in time for the assessment of the transaction by the Competition Authority, as it may prevent that the notification form includes incomplete information and it may reduce any additional information requests by the Competition Authority. The preliminary procedure does not, however, imply the taking of a decision by the Competition Authority concerning the compliance of any transaction with the competition rules.
Merger control procedure
The merger control procedure is very similar to the review procedure set out in the EU Merger Regulation and relevant implementing regulation.
After the filing of the notification, which becomes effective after the Competition Authority receives payment of the relevant fees and insofar as the notification is complete, the Competition Authority publishes a summary of the notification on its website and in two national newspapers within five days, so that any interested third parties may present their comments or objections to the proposed transaction.
Within thirty working days from the date the notification becomes effective, the Competition Authority must complete the evidence taking proceeding and decide (Phase 1):
- That the concentration is not subject to mandatory notification;
- Not to oppose to the transaction; or
- To initiate an in-depth investigation, if it considers that from the transaction, taking into account the evidence gathered, may result significant impediments to effective competition.
The in-depth investigation phase (Phase 2) may not exceed ninety working days from the notification date, which means that the deadline of Phase 2 already comprises the deadline of Phase 1 and, in practice, is of sixty working days.
In Phase 2, the Competition Authority must decide:
- To authorize the transaction unconditionally;
- To authorize the transaction subject to the fulfilment of certain commitments by the parties; or
- To prohibit the transaction, in case it creates significant impediments to effective competition in the national market or in a substantial part of it – the so-called “Significant Impediment to Effective Competition”, SIEC test.
In case the Competition Authority fails to adopt a decision within ninety days from the filing date of the notification, the transaction will be deemed as approved.
Both clearance or prohibition decisions may be subject to appeal to the Competition, Supervision and Regulation Court (Tribunal da Concorrência, Regulação e Supervisão) created in 2011. The Competition Authority’s decision that prohibits the transaction may be also subject to an extraordinary appeal to the Minister of Economy.
Consequences for breach of merger control rules
The Competition Authority will prohibit any operations that create significant impediments to effective competition in the national market or in a substantial part of it – the SIEC test –, particularly whether the impediments result from the creation or the reinforcement of a dominant position in the internal market. The Competition Authority will be responsible for defining the criteria for the existence of a dominant position based on the precedents set by the European case law.
In general terms, an undertaking will be deemed to have a dominant position in the relevant market if it dominates the market and has no relevant competitors. Two or more undertakings operating jointly in the relevant market and having no relevant competitors will be also deemed to hold a dominant position in such market. Conversely, concentrations, which do not create a SIEC in the national market (or in a substantial part of it), are allowed and will be approved by the Competition Authority.
Failure to notify the Competition Authority (whenever the notification thresholds are met) or the completion of a transaction in breach of a decision issued by the Competition Authority refusing to approve the transaction or approving the transaction with remedies, may entail the parties to severe consequences, as follows:
- A fine up to 10% of the previous year’s turnover for each of the involved undertakings;
- Periodic penalty payments, in an amount not exceeding 5% of the average daily aggregate turnover of the undertakings in the preceding year to the Competition Authority’s decision for each day of failure; and
- All legal acts related to the transaction are null and void to the extent that they are in breach of the Competition Authority’s decision. If the transaction has already been completed, the Competition Authority may order to perform the measures required for the re-establishment of effective competition in the market including, but not limited to, the splitting of the merged undertakings or the transfer of control over the acquired undertaking or business units thereof.
If you wish to find out more, please download our PFD down below.
The General Data Protection Regulation is directly applicable in all EU Member States since May 25, 2018 and it has certainly been the most significant global development in data protection laws across all EU Member States since the "Data Protection Directive".
The GDPR has a global scope, as businesses based outside the EU that offer goods or services to individuals in the EU may be required to comply with the GDPR.
The risk of fines up to 4% of annual worldwide turnover or €20 million is surely a strong incentive for companies to comply with the GDPR.
For entities to better comply with the GDPR, we present and analize a seven step plan detailing the main aspects of the GDPR that companies need to take.
Some of these steps include: (i) maping all your data by organizing data audits within your company's departments in order to understand the personal data held by your company and how your company can manage and protect data; (ii) reviewing your privacy policies, individuals’ consents, contracts throught the procedures to confirm whether individuals make use of their privacy rights; (iii) appointing a single DPO or making individual appointments for each legal entity and/or jurisdiction; (iv) training your employees and staring by reviewing and updating your internal policies and technical measures with your company's IT team to fulfil the privacy “by design” and the privacy “by default”. And, of course, reviewing your security measures, as well as (v) reviewing your current international data transfers and understanding if they will be justified under the GDPR. Consider adopting a data transfer key-solution with your legal team.
These are just some of the measures we propose and carefully explain in this study to better help your company fulfill the GDPR's requirements.
E-commerce is the process of buying and selling goods or services by electronic means, such as mobile applications and the Internet. E-commerce refers to both online retail as well as electronic transactions.
Nowadays, e-commerce can be carried out via websites or apps or via e-commerce marketplaces available on external websites or apps. Examples of marketplaces are: eBay, Amazon, Etsy and Alibaba.
Over the last few years, the share of persons ordering goods or services online increased steadily. Based on the results of the 2018 survey on “ICT usage and e-commerce in enterprises”, in the EU-28, the percentage of businesses that had e-sales increased by 7% and the businesses’ turnover realized from e-sales increased by 5%, between 2008 and 2017.
In 2019, EU-28 businesses gathered 20% of their total turnover from e-sales, 7% of which were gathered from web sales via own websites or apps and only 13% from EDI-types messages.
E-commerce obviously reflects Internet penetration and usage. From 2010 to 2019, the percentage of enterprises that had e-sales increased from 15% to 21%.
In the near future, the most competitive e-businesses will be able to gauge consumers’ needs and understanding what they want even before consumers do. Anticipating consumers’ behavior is crucial for the e-business success.
In recent years, consumer behaviors have been modifying in the ever-changing landscape of the digital world.
More and more businesses are investing in e-commerce (and “mobile commerce” – “m-commerce” – caused by an increasing use of smartphones), along with big data analytics and artificial intelligence (AI), to boost their industries.
In a report from Accenture on the future of AI, Accenture foresees that AI could boost profitability rates by 38% in the wholesale and retail industries by 2035.
Several generations of e-consumers emerged over the last few years, and the following can be distinguished:
- The first generation of e-consumers – «consumers 1.0» – was practically eradicated by «consumers 2.0», who wanted more than simply being able to place online orders; they intended to view their preferences, orders history, invoices, etc.. Then they were replaced by «consumers 3.0», even more sophisticated and pointing toward greater online customization experiences. To satisfy those needs, e-commerce strategies had to change namely by using big data analytics and AI systems, to build personalized strategies, recommend new products as per consumers’ demands, make online payments easier and more secure.
- «Consumers 3.0» are currently facing the fourth successor – «consumers 4.0» –, who are the evolution of the previous version, with a fundamental change: technology. These consumers demand a more digitized communication and relationship, with the full consumer experiences: innovative advertising, storytelling, humanized customer service through various channels, retail and online integration. Finally, «consumers 5.0» want their five senses to be stimulated. They are the digital natives that are influenced by interactive digital TV and immersive reality, which enable the replication of the human senses in simulated spaces: the consumer is influenced by websites, social networks, and seeks out critics or reviews on the product.
For e-businesses to adopt the best approach and make sure that everything is in order to face «e-consumers 5.0», this paper provides some tips that you should be aware of about e-commerce.
Websites are the foudation of e-commerce. A website needs to follow the legislation of the country it is based in, regardless of sales made to other EU countries, save for consumer law, copyright, electronic money and unsolicited emails.
Before you setting-up an online store, you must confirm whether your website fulfils all the e-commerce requirements. In general, when users access the website:
- Information about your business must be available, including name, address, contact information, registration number, details of any trade association which you are party to, VAT number;
- The website terms and conditions (T&C’s), a disclaimer and the privacy policy must be visible and accessible to them;
- Users should clearly receive a message, by means of an interactive banner or a small pop-up, informing them about the use of cookies. A link on the use of cookies (the “cookies policy”) must be disclosed at the top or bottom of your website; and
- There must be, at least, one way by which users may contact you, as they may need any support, e.g., purchase terms, after-sales assistance.
For an online sale to be valid and effective, you must provide consumers with:
- A description of the goods, services or digital content;
- The total price, including all applicable fees, taxes (VAT) and surcharges. If this cannot be determined, you the way it will be calculated must be provided;
- Payment means and delivery schedules or, at least, an estimated delivery time for the goods;
- Legal guarantee of goods and warranties, if any. In Portugal, the legal guarantee is of two years. For second-hand goods, a one-year guarantee may be agreed by the parties; and
- The terms and conditions of the purchase and codes of conduct, if any, as well information on how such codes can be accessed electronically.
What are the specifics of data in e-commerce?
The GDPR has been directly applicable in the EU since 25 May 2018. E-businesses based outside offering goods or services to individuals in the EU are subject to the GDPR, and non-compliance can lead to fines of up to €20 million or 4%turnover.
One of the best ways to protect yourself is to have a well-designed privacy policy available at your website. The privacy policy, among others, must include: what data is collected; why it is collected; how data is stored and kept safe; if the data will be shared; how you can be contacted.
You must also take care about the use of cookies, as they may leave traces which, when combined with unique identifiers and other information, may be used for profiling and identifying your website’s users From an end-user privacy point of view, cookies may be:
- Non-intrusive cookies, e.g. session cookies, users’ preferences cookies, or load-balancing cookies do not require prior consent; or
- Privacy-intrusive cookies, e.g. cookies for tracking activity on social networks or third-party cookies (e.g. Google Analytics) when used for behavioral advertising, market research or analysis, require prior consent.
Privacy-intrusive cookies require a «cookie consent rule», as set out in the GDPR. The consent must be a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the individuals’ agreement; silence, pre-ticked boxes or inactivity do not serve as consent.
You must provide customers all the list of privacy-intrusive cookies your website uses and require consent for each type of intrusive cookies.
Advertising law prohibits the use of unfair or deceptive acts or practices in sales means, advertising claims, and marketing and promotional activities, including on websites. Keep in mind that:
- Your ads must be clearly identifiable as such;
- The details, on whose behalf ads are made, must be clearly identified;
- Promotional offers, competitions or games must be clearly identifiable and the conditions which are to be met to qualify for them or to participate must be presented clearly and unambiguously.
In a digital context, hyperlinks and metatags are commonly used for online advertising, as follows:
- Hyperlink, or link, is a reference to data that a user can directly follow either by clicking or tapping. A hyperlink points to a whole document or to a specific element within a document;
- Metatags are basically keywords (“tags”) that a web designer uses to label groups of information. When a user types a particular keyword on a search engine, this matches the keyword with the metatags of several web-pages and displays the most relevant results.
In order to boost their industries, e-businesses are employing big data analytics and machine learning (ML) to understand their customers’ preferences and gradually align their market offers with customers’ needs.
In the past few years, AI has developed algorithms and feed machine learning (ML); this latter one, a subset of AI built from a mathematical model of sample data (“training data”), used to make estimates without being explicitly programmed to perform a task.
What does the future hold for e-commerce?
New EU rules are on the horizon to boost online businesses under conditions of fair competition, removing geo-blocking and addressing consumer, data protection and copyright issues.
These new rules focus on consumers’ collective actions, unfair terms in consumer contracts, indication of the prices of goods, unfair “B2C” commercial practices and consumer rights.
In the coming years, the future of the e-commerce seems very much linked to big data analytics and AI, along with new consumer, data protection and copyright issues. To face these next challenges, e-businesses should be well-prepared. You will need to set up new alliances with tech partners for the use big data and AI tools, which will be crucial for you to know your customers’ day to day activity and allow you to satisfy the needs of a new generation of customers that will expect to buy what they want, anywhere, and anytime.
To learn more, please download our PDF down below.
Introduction
Sustainable financing, with an emphasis on "green" financing, reveals the growing concern with new environmental, social and governance (ESG) challenges.
Sustainability has a tangible financial dimension that has been growing at an exponential rate. According to Refinitiv, in 2021 sustainable bonds reached a global value of $1 trillion, which represents 10% of the global debt market.
Because we believe that sustainability is an essential aspect of company’s business purpose and will become a pre-condition for accessing financial markets in the future, MACEDO VITORINO has created a Green Finance Team dedicated to the development and financing of green projects.
Our Green Finance Team has deep knowledge of the energy sector and the key regulatory and financial issues in preparing and structuring up green finance transactions.
The pace of development of the green debt and equity markets means that green finance will become dominant in the medium term. In the long term, companies that do not meet sustainability requirements will face increasing difficulties in accessing the financial markets.
Background
According to McKinsey, to prevent a rise of more than 1.5°C, no more than 400 gigatons can be emitted, which means cutting present emissions levels by two-thirds over the course of the decade.
In 2019, the European Union (EU) approved the "European Green Deal" with the aim of transforming Europe’s economy and set the following objectives:
- Neutral greenhouse gas emissions by 2050; and
- Reduction of greenhouse gas emissions by at least 55% (compared to 1990) by 2030.
The Portuguese National Plan for Energy and Climate (PNEC) establishes the following goals for 2030:
- Reduce greenhouse gas emissions by 45-55% compared to 2005;
- Increase to 47% the share of energy from renewable sources in gross final energy consumption; and
- Reduce primary energy consumption by 35% compared to 2005.
Green Finance: The New Framework
McKinsey estimates that to reach a net-zero transition between 2021 and 2050, requires a capital spending on physical assets for energy and land-use systems of about $275 trillion, an average of $9.2 trillion per year.
Investors are increasingly interested in green finance. According to Refinitiv, in 2021 "sustainable" bond issuance will exceed the $1 trillion mark for the first time, representing a 45% increase in debt when compared to 2020.
Sustainable bonds accounted for 10% of overall global debt market activity, which exceeds the 6.6% of 2020 by large.
The global value of green bonds reached $488.8 billion, almost doubling the 2020 levels. In number of issues, green bonds have increased by 54% compared to 2020.
Europe accounted for 54% of the sustainable bond market, compared to 22% for America and 18% for the Asia Pacific region.
The ICMA Principles
- Use of proceeds. Bond proceeds should be utilised in eligible green projects (i.e. projects with clear environmental benefits that should be assessed and, if possible, quantified by the issuer).
- Project evaluation and selection. The issuer should communicate to investors the environmental sustainability objectives, the process for determining the eligibility of projects and the complementary procedures by which it identifies and manages the environmental and social risks associated with the project.
- Management of proceeds. Bond proceeds should be credited to sub-accounts or accounts controlled by a formal internal process to ensure that the proceeds are utilised in eligible green projects and can be audited by the issuer and external auditors.
- Reporting. Issuers should disclose, and keep available information about, the use of proceeds, projects and their impact, on an annual basis or whenever there is a material change, including qualitative and, where possible, quantitative performance indicators.
Eligible Investments
The main types of 'green' investments identified by ICMA are, among others:
- Renewable energy, including production, transmission, appliances and products;
- Energy efficiency, such as in new and refurbished buildings, energy storage, district heating, smart grids, appliances and products;
- Pollution prevention and control;
- Clean transportation, such as electric, hybrid, public, rail, infrastructure for clean energy vehicles and reduction of harmful emissions;
- Sustainable water and wastewater management;
- Climate change adaptation, including information support systems such as climate observation and early warning systems; and
- Green buildings.
The EU taxonomy regulation
Regulation (EU) 2020/852 on the establishment of a regime for the promotion of sustainable investment (referred to as the "Taxonomy Regulation") qualifies an economic activity as environmentally sustainable if that economic activity:
- Contribute substantially to one or more environmental objectives, i.e. (i) climate change mitigation, (ii) adaptation to climate change, (iii) sustainable use, (iv) protection of water and marine resources, (v) transition to a circular economy, (vi) prevention and control of pollution and (v) protection and restoration of biodiversity and ecosystems;
- Not significantly impair any of the environmental objectives listed in Article 17 of the Taxonomy Regulation;
- It is developed in accordance with certain minimum safeguards; and
- Satisfy the technical assessment criteria set by the Commission in Delegated Regulation (EU) 2021/2139.
Requirements of the taxonomy regulation
The Taxonomy Regulation requires projects to comply with the following requirements:
- Identify the most relevant potential contributions to the environmental objective and the minimum requirements that must be met to avoid significant harm to any relevant environmental objectives;
- Be quantifiable or, when this is not possible, use sustainability indicators;
- Be based on conclusive scientific evidence and the precautionary principle;
- Take life-cycle considerations into account by considering the environmental impact of the economic activity and the environmental impact of products and services resulting from that activity, the nature and scale of the economic activity, and the potential market impact of the transition to a more sustainable economy; and
- Covering all relevant economic activities in a specific sector and ensuring that these activities are treated equally.
The future Green Bond regulation
The European Commission's proposed Green Bond Regulation sets out the following requirements for bonds to receive the designation "European Green Bond“ or “EuGB”:
- The proceeds of the bonds should be allocated to activities that comply with the Taxonomy Regulation (Regulation (EU) 2020/852)
- Before issuing EuGB, issuers must complete a factsheet in accordance with the model attached to the Regulation, obtain external certification and publish both documents;
- Issuers must prepare an annual report on the allocation of the proceeds until they are fully used and a report on the environmental impact of the use of the proceeds at least once during the lifetime of the bonds; and
- Issuers should obtain a post-issuance verification of the report regarding the allocation of revenues by an external entity.
What we can do
We can help funders and promoters with all legal aspects of funding, including:
- Identify eligible projects against the European Taxonomy and the ICMA Principles;
- Strategic advice on the definition of project eligibility criteria;
- Define "green" commitments regarding the application of funds and the project;
- Preparation of the technical file and financial documentation required for financing;
- Collaborate with technical advisors in the certification and auditing of the project; and
- Monitor and verify compliance with "green" commitments throughout the life of the contract.
If you wish to learn more, please download our PDF down below.
Data is everywhere. Information assets are highly valued by companies. Nowadays, businesses depend more frequently on information technologies and data than a few years ago, mainly before the entry into force and application of the European General Data Protection Regulation (GDPR).
In M&A transactions, data is the key for the evaluation of the target company and the risks associated with the deal. Transactions rely on cybersecurity to protect sensitive and confidential information. However, as insurance coverage over information assets is still not widely sought for, risks are greater for companies that may be more vulnerable during M&A transactions.
But if not the risk of an information breach, or the risk of mispricing the transaction, then the risk of being held legally liable for such breach, including personal data violation, must be of alarming to businesses during M&A transactions.
Within the context of a transaction, there are two key points regarding data protection compliance to be considered: whether personal data can be transferred from the target to the acquiror; and whether the parties comply with privacy laws.
In general, asset deals may be more exposed to data protection compliance risks than share deals or corporate reorganizations, since, in these latest two cases, there is no change in the position of the parties to contracts with employees, customers, and suppliers; that is, there is no transfer of the data controller position, which, even though a shareholders’ change, will remain the same entity. However, there are still significant compliance risks associated with share deals. The differences stages of a M&A transaction require different measures to ensure proper data protection compliance.
With this paper, we intend to provide you with the main points of interest that should concern the parties to a transaction, and to outline potential solutions to minimize or eliminate compliance risks.
Pre-signing
The typical M&A transaction kicks off with a due diligence on the acquiror, the target, or both. The due diligence is essentially an analytical review of data disclosed by the relevant party to a transaction. And the disclosure of data poses a significant compliance risk for those attributed the duty off keeping it safe.
Usually, access to data in a due diligence is assured via a data room, from which the reviewing party will obtain the contents that are object of the due diligence, including personal data, e.g., information on employees, customers. For this purpose, it may be advisable that data rooms disable save and print options, which is already common practice in many transactions.
Even before the transaction agreement is done, the parties are already obliged to comply with applicable data protection rules, as the pieces of information reviewed during a due diligence will most likely include personal data. And because data rooms usually host personal data, the parties to a transaction must execute data processing agreements with data room providers.
Personal data includes any information relating to an identified or identifiable natural person, as defined by the GDPR.
Deal structure and industry-specific due diligence is of great relevance, too. On one hand, personal data cannot always be transferred in asset deals, and, on the other, for businesses which are data-intensive, handling great amounts of personal data, it is advisable to conduct further compliance due diligence focusing on data protection.
When extra care is advisable, because e.g., the target company handles sensitive data, there are at least three main areas of play:
- The transferability of data and, when applicable, the consent of data subjects on data transfer;
- Whether the original purposes of the data processing (and for which, for example, data subjects gave their consent) are compatible with the acquiror’s business and data processing purposes in connection with the M&A transaction; and
- The security standards in place at both target and acquiror to keep data safe.
Either for valuation or risk assessment, the acquiror should hence understand what the target’s liabilities on privacy matters are, as the acquiror may take on the target’s liabilities at completion.
What you should watch for:
- Access to the data room should be restricted and information disclosed in the data room should be the necessary (data minimization principle). The employees or customers should not be identified or identifiable. For this purpose, and so that the information keeps meaningful value to the due diligence, the disclosing party can anonymize/pseudonymize information;
- Alternatively, employees or customers should be informed that their information will be processed for the purpose of a due diligence and the disclosing party should obtain their consent. Not only this is impractical in large transactions, but also the parties should consider the fact that consent is only an appropriate lawful basis for data processing if it is genuine, which is not likely in an employment context, and thus the parties should rely on a different lawful basis for transferring data of employees;
- The information disclosed should be limited to that that is strictly necessary to perform the due diligence. For this purpose, e.g., employment agreements can be sampled, or the information can be aggregated, or only key information can be disclosed, or the disclosure of sensitive data should be avoided;
- The valuation of the target company should take into consideration that there may be restrictions to the use of personal data by the acquiror post-closing;
- Whenever the target is processing data on behalf of a third party, data sharing agreements will likely include change of control or change of ownership clauses, which should be accounted for by the acquiror;
- Both deal structure and the industry of the target are relevant for the purpose of assessing price, exposure to risk and steps required for a compliant M&A transaction.
Signing
If it were not for the comprehensive set of privacy rules, the assumption would be that the target company owned (and could freely exploit) the personal data it acquired over the years. But that is not the case.
Once the due diligence is complete, the transaction documents should safeguard the party’s position in view of any potential data breaches or infringement of data protection rules.
There are plentiful ways to ensure one’s position during negotiations and at signing: contract negotiations should entail an adequate level of protection against the findings resulting from the due diligence, whether this is reflected on the price or in contractual provisions; the share and purchase agreement should include representations and warranties that are tailored for data protection compliance and/or transferring the risk of violation; the counterparty should be able to warrant that it is compliant with privacy laws and has put in place adequate security standards, etc.
The target should warrant the acquiror, e.g., that there are not any pending proceedings related with data security breaches, that it has adequate security standards in place, or that it is compliant with the applicable privacy laws. Indemnification clauses and limitations of liability are also relevant in view of any potential breaches and/or liability resulting from the target’s business up until the completion date.
Insomuch as some transactions may be of greater complexity as regards data, data sharing and data integration, it may be cost-effective and legally advisable to include ancillary services agreements for the specific purpose of ensuring data protection compliance in the transaction documents.
There should be extra care in international M&A transactions due to potential international data transfers.
If data is transferred to a country outside of the EU-EEA, an assessment of the level of adequacy of the jurisdiction, to which the data will be transferred, has to be carried out. Alternatively, mechanisms such as standard contractual clauses, binding corporate rules, approved codes of conduct, approved certifications or a combination thereof have to be included in the transaction documents.
At signing, if the target processes or controls data, the acquiror should have obtained a comprehensive catalogue of data and respective consents, Records of Processing Activities (RoPAs), Data Protection Impact Assessments (DPIAs), if applicable, and Legitimate Interests Assessments (LIAs).
What you should watch for:
- Data breaches and infringements of privacy laws are costly. Whenever appropriate, privacy-related risks should be accounted for with remediation and indemnification clauses;
- If deemed adequate, it may be advisable that the parties agree to conditions precedent and covenants in respect to data processing;
- Non-disclosure agreements (NDAs) should include data protection clauses and contractual penalties in case of failure to keep information confidential. We should note that NDAs executed by the parties for the purpose of ensuring confidentiality during the transaction process will most likely expire at signing of the asset purchase agreement (APA) or share purchase agreement (SPA), so it may be relevant to execute a new NDA at signing or include a non-disclosure provision in the purchase agreement;
- If the target does not warrant that it is legally authorised to share the data with the acquiror, the acquiror risks exposure to liability for unauthorised processing of data;
- Insurance on cyber risks is valuable and may even be a solution to a deadlock where the target is reluctant to be exposed to such a relevant liability.
Pre and post-closing
The day the share and purchase agreement are executed by the parties does not always match the closing of the transaction. The period between signing and the closing date could, in fact, take months. During this period, the transaction parties may also exchange information.
The parties should take into consideration that while the transaction is not closed, the acquiror is a third party and sharing information can result in responsibility before the competition authorities.
Some deals require a level of confidentiality that is sometimes conflicting with the interests of privacy laws. The timing for transfer of liability is key, then. When possible, and to avoid unnecessary exposure to compliance risks, the acquiror can be provided with statistical information instead of actual data, even if it is pseudonymized.
After the deal is closed, it is likely that the acquiror might have to face limitations on the use of data.
The acquiror should mind that the consent provided to the target by data subjects sometime in the past may both enable and limit the data processing by the acquiror. And even in a share deal, where the controller of data does not change, privacy policies will need to be updated, should the purpose or use of personal data change after completion.
What you should watch for:
- Data sharing before the closing date should be limited to that strictly necessary for data integration purposes, and those handling data should be limited to the minimum;
- Should the transaction not occur, the parties must be able to adequately eliminate and dispose of any data obtained during negotiations and before closing date;
- Consent is not transferable in the context of an M&A transaction unless the data subject was informed of such a possibility when providing his consent, so this should be considered by the acquiror;
- Data sharing before the closing date should be limited to that strictly necessary for data integration purposes, and those handling data should be limited to the minimum;
- Where the purpose or use of data does change after completion, the acquiror will need to obtain the consent of the data subjects for their data to be processed under the revised privacy policies.
How does the GDPR impact M&A?
In the context of an M&A transaction, personal data of many sorts is handled and/or transferred from target to acquiror. This will include employees’ information, applicants’ CVs, IP addresses, suppliers’ information, etc..
The right to data privacy is not an absolute right. It is relative to its function in society. Throughout the transaction process, it is crucial that the parties weigh their legitimate interests against the fundamental rights and freedoms of data subjects.
The assessment of an adequate balance between the right to protection of individual data and freedom of enterprise adds a layer of complexity to M&A that is novel to the market.
During negotiations, the acquiror is a third party as it is neither the data subject, nor the controller, processor, or an entity who, under the direct authority of the controller or processor, are authorized to process personal data. This puts the parties in a very delicate position as to what information can be shared at a stage where trust and disclosure is key to the success of the transaction:
- On one side, the logistics are seriously impacted as parties must go on tiptoe through each stage of negotiations and even after executing the agreement, bearing in mind that sharing information means exposure to a compliance risk.
- On the other, data privacy influences both valuation and deal structure. As we explored, the price may be adjusted by exposure to compliance risks, and the structure of the deal must be compatible with the transfer of data from the target to the acquiror.
- On the third, where transactions are negotiated behind closed doors, the current data protection framework, compliance obligations, and recent history of sanctions motivated by infringements during negotiations, suggest that even though the door is closed, it is not locked, and personal data protection concerns may not be neglected.
If you wish to find out more, please download our PDF down below.