Introduction

Until 2006, Eletricidade de Portugal, E.P. (“EDP”), a state-owned company, held all the electricity production, transmission, distribution and supply market and its main infrastructures. From 2006 onwards, activities linked to the electricity marked, such as the electricity production and supply, started to be more liberalized. This liberalized market opened the doors for several other private companies and investors.

Most recently, Decree-Law 15/2022, of 14 January (“Electricity Law“), implemented Directive (EU) 2018/2001 of the European Parliament and of the Council of 11 December 2018, on the promotion of the use of energy from renewable sources, and Directive (EU) 2019/944 of the European Parliament and of the Council of 5 June 2019, that establishes the common rules for the internal market for electricity.

The Electricity Law sets a framework to the National Electrical System (Sistema Elétrico Nacional - “SEN”). Some of its most distinctive features are the creation of three Technological Free Zones (regulatory sandboxes), the creation of the Electro-Intensive Customer Statute and the creation of an electricity aggregator, responsible for connecting the consumption flexibility and storage electricity, purchasing or selling through electricity markets and/or though bilateral agreements.

In this paper, we travel through all Market Participants and their respective functions and obligations as defined in the Electricity Law.

 

The Portuguese Electricity market Participants 

Electricity Producers 

Electricity Producers, ruled by articles 11, 39, 97 and Annex I of the Electricity Law, are responsible for generating and providing electricity to the Portuguese electricity grids. Electricity producers can:?

To operate, producers shall obtain from the Portuguese Directorate of Energy (Direção Geral de Energia e Geologia – “DGEG”) a prior registration certificate or a production license (as pursuant to the installed capacity) in relation to each production unit.

The procedure to obtain an electricity production license is subject to the prior assignment of a public electricity grid (Rede Elétrica de Serviço Público – “RESP”) injection capacity reserve title (Electricity Law, article 18/1). This request must be submitted through the DGEG electronic platform.

 

Storage Companies 

Electricity storage (regulated in article 2/60 of Directive (EU) 2019/944 and in articles 11 et seq., 79, 80 and 97 of  the Electricity Law) is defined as the process by which previously produced energy is stored through its conversion into another form of energy to be used in a different time. In Portugal, hydroelectric pumping is the most common energy storage method. Other common energy storage technologies in use are lithium batteries and flywheels.

Autonomous storage activity is subject to a prior control procedure by DGEG in case installed capacity:

Integrated storage activity with the production of electricity shall follow the prior control procedure applicable to production covering, in such case, all activities simultaneously.

 

SEN Global Manager

The Global Manager of the National Electrical System (Sistema Elétrico Nacional - “SEN”) is responsible for SEN management. 

It is also responsible for ensuring SEN’s harmonized operation, security and electricity supply stability in the short, medium, and long term. 

This includes ensuring that the system is operated safely and efficiently, as well as coordinating with other European countries a stable and secure electricity supply.

The Electricity Law establishes the Global Manager of the National Electrical System rules and the technical management of the National Electricity System in its articles 3 jj) and 103 to 106.

Article 104 of the Eletricity Law establishes that the technical management of the National Electricity System is assigned to Redes Energéticas Nacionais SGPS, S.A. (“REN”) in its capacity of TSO - National Electricity Transportation Grid (Rede Nacional de Transportes - “RNT”) operator. 

 

Integrated DSO

The Distribution Grids Integrated Operator (“Integrated DSO”) holds the technical management of the electricity distribution grids in high, medium, and low voltage and is responsible for the technical management of the distribution grids in articulation with the Global Manager of the National Electrical System.

The Integrated DSO rules are set in articles 108, 109 and 166/2 of the Electricity Law.

This includes managing the electricity flows in the distribution grids and ensuring their interoperability with the grids to which they are connected. According to article 108 of the Electricity Law:

E-REDES, S.A. is the only company in Portugal that operates in the distribution system at high, medium, and low voltage.

 

Transmission System Operator 

The Transmission System Operator (“TSO”) is the entity in charge of the electricity transmission activity, and it is responsible for the construction, operation, and maintenance of the transportation grid, ensuring the grid capacity in the long term.

TSO main rules can be found in articles 2/35, 6, 40 to 42  and 47 to 56 of Directive (EU) 2019/944, in articles 3/zz), 105, 106, 227 and in Annex II of the Electricity Law.

Electricity transmission is carried out by REN, which is responsible for, among other things:

Annex II set the bases of RNT 50 years concession for mainland Portugal. REN holds the concession of RNT until 2057 and is subject to the control by DGEG and to the supervision of the energy services regulatory authority ERSE – Entidade Reguladora dos Serviços Energéticos. 

 

Medium and High Distribution System Operator 

The Distribution System Operator ("DSO") rules are found in articles 2/39 and 35 of Directive (EU) 2019/944 and in articles 3/xx), 8/1 and in Annex III of the Electricity Law that sets the bases for the medium and high-voltage electricity distribution grids concessions.

DSO activity is granted by a 30-year concession subject to a public tender procedure.

DSO of medium and high voltage is responsible for:

E-REDES holds the DSO concession until 2044. 

 

Low Distribution System Operators 

The Low Voltage System Operators (“LDSO”) rules are set out in articles 2/39 and 35 of Directive (EU) 2019/944 and in articles 3/xx), 8/1, 115, 116, 268, 285 and in Annex IV of the Energy Law.

According to Annex IV, low voltage electricity distribution in Portugal is a municipality activity, which may be granted by a 20-year concession contract under a public tender procedure.

Article 118 establishes that the low voltage distribution concession is a remunerated activity. The remuneration is based on the size of each municipality and the number of customers. There is also a solidarity factor that benefits the municipalities with a lower population.

Besides its technical assignments - which include the relationship with DSO - LDSO also has commercial duties, such as: metering reading, making the reading metering reading data available to suppliers and the invoicing and collection of the grid access tariffs from suppliers.

There are currently 11 LDSO, with E-REDES accounting for around 99.5% of consumers. The existing municipal concessions have mismatched periods, with most expiring in 2022.

 

Closed Distribution System Operators 

Closed Distribution System Operators are entities responsible for ensuring the capacity of the closed distribution system. A closed distribution system is a system that is part of areas or infrastructures excluded from the scope of electricity distribution concessions.

The Closed Distribution System Operator and the Closed Distribution System are regulated in articles 38 of Directive (EU) 2019/944 (EU) and in articles 3/yy) and 120 and onwards of the Electricity Law.

The Closed Distribution System Operator is responsible for:

 

Electricity Market Operator 

Electricity Market Operators are entities responsible for the market management and related activities. The main regulations in their regard are set out in articles 163 et seq. of the Electricity Law.

In the last stage of the electricity supply chain, the Electricity Market Operator (along with Electricity Suppliers) relates directly to consumers. Consumers can choose their supplier and change (free of charge) whenever they find better suited offers to their type of consumption.

The main duties of an Electricity Market Operator consist of:

Labor compliance standards and principles

Corporate social responsibility (CSR) and labor compliance pursue going beyond legal compliance issues. The purpose of both is not simply to fulfil legal expectations, but making the environment and relations with stakeholders beyond mere compliance with the Law.

Although CSR is not a plain concept, CSR is whereby business entities voluntarily incorporate social, environmental and ethical standards into their operations.

CSR is built on three pillars: (i) PROFIT (economic), (ii) PEOPLE (social) and (iii) PLANET (environmental area) – the triple “P”. Labor compliance is included in the PEOPLE, social pillar of CSR.

Labor compliance’s purpose is keeping a safe and healthy work environment and giving all employees a fair treatment by labor control mechanisms:

• For employees, by providing for additional control over the employer’s actions, fair compensation, equal opportunities for recruitment and protection against abuse of office and discrimination; and
• For employers, by enabling them to hire qualified employees and to require employees to carry out their duties with due diligence.

Successful organizations have in common a commitment to conduct businesses according to high international standards and principles and to build a corporate culture in line with these standards.

Anglo-Saxon systems often distinguish hard law from soft law. ‘Hard law’ generally refers to legal obligations that are binding to the parties involved and which can be legally enforced before a court. The term ‘soft law’ is used to denote agreements, principles and declarations, which are quasi-legal instruments, but do not have any legally binding force, or whose binding force is somewhat weaker than the binding force of traditional law, also referred to as hard law. Labor compliance preferably results from the interaction between hard and soft law instruments.

In Portugal, mandatory obligations and instruments of labor compliance may vary according to the entity type. For instance, State-owned companies or stock exchange listed companies are subject to stricter requirements. This does not, however, mean that other entities may not follow the same compliance standards or even different standards voluntarily applied according to their ethical culture practices.

Some of the mandatory rules are:

• Record-keeping of employees' working hours;
• Record-keeping of overtime work;
• Record-keeping of disciplinary sanctions; and
• Preparation and display of employees' holiday schedule.

Detailed attention to labor compliance matters on non-discrimination, equal pay, anti-harassment, close the gap for women and minorities, fight against corruption and related offences, have been growing with major changes brought by local laws.

To follow these changes, employers are compelled to apply a set of policies, procedures, and actions, of which:

• Code of Ethics and Conduct;
• Anti-Harassment Policy;
• Gender Equality Plan;
• Gender Pay Gap Report;
• Employees’ Training Plan; and
• Corruption Risk Management Plan.

Some labor compliace tips that your company may follow are:

• Create a code of ethics and conduct with plain and clear language;
•  Implement strong policies and plans, e.g., on gender equality, non-harassement, pay gap;
• Promote awareness amonsgt employees about the importance of complying with the standards;
• Create internal reporting channels;
• Regularly monitor compliance programs to review labor-related risks;
• Remind your employees that the example comes from the top management; and
• Make it clear that the company is not involved in ehtically doubtful practices.

If you want to read more, please click on the link to our PDF down below. 

Following the merger between CP, the Railway Owned State Company of Portugal, and EMEF, the Railway Maintenance Owned State Company, that took place in 2020, and after two years of intensive collective bargaining, it was published the new CP Single-Undertaking Agreement and Career Regulation. The new Single Undertaking Agreement allows the integration of former EMEF employees at CP and provides new working conditions. The new agreements were signed with 11 of the 14 trade unions representing CP and former EMEF employees: (i) SNAQ; (ii) ASCEF; (iii) SINFB; (iv) SINFA; (v) SINAFE; (vi) SINDEFER; (vii) FE; (viii) STMEFE; (ix) SIFA; (x) FENTCOP and (x) SIOFA. In summary, the new Company Agreement enshrines the following changes: (i)   Salary increase, retroactive to 1 January 2022, for all employees; (ii)  Elimination of an index at the base for all categories except for Senior Technicians and Specialists; (iii) Elimination of an additional index at the base of the Commercial Assistant, Revision Operator and Sales Operator categories; (iv) Increase of one index at the top for all categories except for Senior Technicians and Specialists; (v)  Creation of minimum tenure for index change, with a maximum of four years; (vi) Elimination of overlapping indices between professional categories and their managers; (vii) Uniformization of the meal allowance to €7.74; (viii) Increase in the fixed percentage of the daily revision premium from EUR 0.6 to EUR 0.8; (ix)  Increase in the allowance for absences at fixed sales points by EUR 6 in each step; (x)   Integration of former EMEF employees with retroactive effect as of 1 January 2022; (xi) Application of the rules on work organization, allowances, and variables, mostly enshrined in the former CP AE to the former EMEF employees; and (xii) Reinstatement of the transportation allowance existing in the EMEF AE for those workers currently covered by the new AE who, at the time of the merger, were receiving it and are not covered by the transportation/availability allowance of the new AE. The new EA contains a globally more favorable regime for all workers and some new productivity measures. The new Company Agreement covers workers affiliated to the signatory unions, as well as workers not affiliated to a signatory union who adhere to it within three months. The signing of the new Company Agreements falls under the principle of collective autonomy and the right to collective bargaining, enshrined among workers' rights, freedoms and guarantees in article 56, no. 3 of the Constitution of the Portuguese Republic. © MACEDO VITORINO

The Parliament approved the State Budget Law for 2022 ("LOE 2022"), which entered into force yesterday.The main changes regarding labour issues are the following: SALARY AND BONUSES Performance bonuses in the Public Administration may be awarded up to the legally established amount and the equivalent to up to one employee's basic monthly remuneration, without prejudice to the provisions of the collective labour regulation instruments (IRCT). The granting of performance bonuses to employees from the Sate-Owned Sector shall comply with the IRCT and other legal or contractual instruments in force, or in their absence, with the provisions of the decree-law that develops the State Budget Law. The payment of special management bonuses to managers of public companies is possible if they have an approved business plan and budget for 2022, and that there is an improvement in the ratio of external supplies and services to turnover in relation to the previous year. Special management bonuses for managers of public companies are endorsed by order of the member of the Government responsible for the area of finance and have as a maximum limit an average monthly remuneration. NEW HIRINGS Companies in the public business sector may recruit workers for open-ended employment contracts or fixed-term contracts, under terms to be defined in the decree-law that develops the State Budget Law. Any hiring carried out in breach of the applicable regulations shall be considered null and void. SUPPLEMENTARY SOCIAL PROTECTION FOR WORKERS The contracting of the personal accident and sickness insurance by public entities to whose employees the individual employment contract regime applies is possible, provided that it is intended for all employees in general. The same applies to other insurance policies that are compulsory by law or provided for in a collective bargaining agreement. EXTRAORDINARY RETIREMENT PENSION UPDATE Pensions will be updated by €10.00 per pensioner whose total amount of pension is equal to or less than 2.55 times the value of the IAS. The updates will take effect on 1 January 2022.

Introduction

The Portuguese Government approved a set of measures, including a general framework for preventing corruption. This happened under the National Anti-Corruption Strategy 2020-2024, approved by the Council of Ministers Resolution No. 37/2021, of 6 April 2021.  

Decree-Law No. 109-E/2021, of 9 December 2021, approved the Portuguese Framework for the Prevention of Corruption (the Portuguese Anti-Corruption Framework) and created an independent administrative entity, the National Anti-Corruption Mechanism (MENAC). MENAC replaced the Council for the Prevention of Corruption to promote transparency and integrity in public action and ensure the effectiveness of policies to prevent corruption and related offences. 

The Portuguese Anti-Corruption Framework requires public and private entities with 50 or more employees to adopt a regulatory compliance programme, which must include: (i) a risk prevention or management plan, (ii) a code of ethics and conduct, (iii) training programmes, (iv) reporting channels and (v) the designation of a compliance officer ("Responsável pelo Cumprimento Normativo").

This regulation also determines the implementation of internal control systems that ensure the effectiveness of the instruments of the regulatory compliance programme and the transparency and impartiality of procedures and decisions. It also provides sanctions, particularly administrative sanctions, for the non-adoption or deficient or incomplete adoption of regulatory compliance programmes.

Having the adaptation of the entities covered by this framework in mind, it was established that it would come into force and gradually take effect as follows:

Introduction

Law 19/2012, of May 8, 2012 (the “Competition Law”), which entered into in force on July 8, 2012 and repealed the former competition law, Law 18/2003, of June 11, 2003, establishes merger control rules applicable to concentrations having effects in Portugal.

The Competition Law brought relevant changes on merger control rules, particularly by (i) putting the merger substantive test in line with the Significant Impediment of Effective Competition (“SIEC”) test of the European merger rules; (ii) changing the turnover thresholds required for the notification to the Portuguese competition authority (Autoridade da Concorrência – the “Competition Authority”), including adding a new de minimis market share notification threshold, (iii) deleting the previous notification deadline, and (iv) amending some deadlines applicable to the merger procedure.

In order to prevent the risk of competition restrictions, the Competition Authority exercises control over planned concentrations with effects in the national market.

A concentration is the legal combination of two or more undertakings, by the merger between two or more undertakings or by the control acquisition, directly or indirectly, of the whole or parts of one or several other undertakings.
Following an assessment phase, the Competition Authority may approve the concentration, including upon the application of remedies to be carried out by the undertakings, or prohibit the transaction insofar as it creates significant impediments to effective competition in the national market, particularly in case of creation or reinforcement of a dominant position in the national market.

Undertakings that execute concentrations which have been suspended or prohibited by the Competition Authority may be subject to fines and the legal acts related to the transaction could be declared null and void. The maximum amount of the fine could be 10% of the aggregate annual turnover of the associated undertakings that have engaged in the prohibited behavior.

This paper reviews some of the most important legal aspects regarding merger control rules in Portugal.

 

Powers of the Competition Authority

The Competition Authority is an independent authority with financial autonomy, which was created in 2003 by Decree-Law 10/2003, of January 18, 2003. The role of the Competition Authority is to conduct the enforcement of the competition rules in Portugal with a view to ensuring an efficient market performance and a fair division of the resources and to protect the interests of the consumers under the market economy and free competition principles.

In contrast to antitrust practices, for which the Competition Authority is empowered to apply the Competition Law in parallel with European competition rules whenever an impact on trade between Member States exists; in merger control, the Competition Authority may only take action against concentrations to the extent that the relevant merger thresholds, as set out in Council Regulation (EU) 139/2004, of January 20, 2004 (the EU Merger Regulation), are not met. There is however a referral mechanism that allows the Competition Authority and the European Commission to transfer the case between themselves, both at the request of the involved undertakings and of the Competition Authority, in order for the undertakings to benefit from a one-stop-shop review.

The powers of the Competition Authority include:

• The power to investigate any practices that may infringe the national and the European Union competition rules, to conduct the required procedures and to decide on the applicable sanctions, if any;
• The power to decide on the compatibility of undertakings’ agreements with the competition rules and to conduct the applicable administrative procedures;
• The power to review and decide on merger transactions and to conduct the applicable administrative procedures; and
• The power to approve regulations on competition issues as well as codes of conduct and manuals of corporate good practices.

 

Notification thresholds

The Competition Law does not establish a specific deadline for the filing of a notification. Transactions subject to notification may not be however completed before clearance from the Competition Authority.

The notification is required to the extent one of the following thresholds is fulfilled:

• Turnover threshold: the aggregate net turnover obtained in Portugal by the undertakings involved in the transaction (“Participating Undertakings”) exceeds €100 million in the preceding financial year (after deduction of taxes directly related to turnover), provided that the turnover individually obtained in Portugal by at least two of the Participating Undertakings exceeds €5 million; or
• Standard market share threshold: the transaction leads to the acquisition, creation or reinforcement of a market share of equal to or above 50% of the national relevant market, or in a substantial part thereof; or
• “De minimis” market share threshold: the transaction leads to the acquisition, creation or reinforcement of a market share equal to or above 30% and less than 50% of the national relevant market, or in a substantial part thereof, provided that the net turnover individually obtained in Portugal by at least two of the Participating Undertakings exceeds €5 million in the previous financial year.

Merger transactions may be subject to a preliminary assessment within at least fifteen working days prior to the notification of the transaction to the Competition Authority. This preliminary procedure aims to promote informal and confidential discussions on any proposed transaction with the Competition Authority. Typically, this preliminary procedure is made through one or more meetings with the Competition Authority and subsequent additional information requests. The preliminary procedure may, in practice, entail a reduction in time for the assessment of the transaction by the Competition Authority, as it may prevent that the notification form includes incomplete information and it may reduce any additional information requests by the Competition Authority. The preliminary procedure does not, however, imply the taking of a decision by the Competition Authority concerning the compliance of any transaction with the competition rules.

 

Merger control procedure

The merger control procedure is very similar to the review procedure set out in the EU Merger Regulation and relevant implementing regulation.

After the filing of the notification, which becomes effective after the Competition Authority receives payment of the relevant fees and insofar as the notification is complete, the Competition Authority publishes a summary of the notification on its website and in two national newspapers within five days, so that any interested third parties may present their comments or objections to the proposed transaction.

Within thirty working days from the date the notification becomes effective, the Competition Authority must complete the evidence taking proceeding and decide (Phase 1):

• That the concentration is not subject to mandatory notification;
• Not to oppose to the transaction; or
• To initiate an in-depth investigation, if it considers that from the transaction, taking into account the evidence gathered, may result significant impediments to effective competition.

The in-depth investigation phase (Phase 2) may not exceed ninety working days from the notification date, which means that the deadline of Phase 2 already comprises the deadline of Phase 1 and, in practice, is of sixty working days.

In Phase 2, the Competition Authority must decide:

• To authorize the transaction unconditionally;
• To authorize the transaction subject to the fulfilment of certain commitments by the parties; or
• To prohibit the transaction, in case it creates significant impediments to effective competition in the national market or in a substantial part of it – the so-called “Significant Impediment to Effective Competition”, SIEC test.

In case the Competition Authority fails to adopt a decision within ninety days from the filing date of the notification, the transaction will be deemed as approved.

Both clearance or prohibition decisions may be subject to appeal to the Competition, Supervision and Regulation Court (Tribunal da Concorrência, Regulação e Supervisão) created in 2011. The Competition Authority’s decision that prohibits the transaction may be also subject to an extraordinary appeal to the Minister of Economy.

 

Consequences for breach of merger control rules

The Competition Authority will prohibit any operations that create significant impediments to effective competition in the national market or in a substantial part of it – the SIEC test –, particularly whether the impediments result from the creation or the reinforcement of a dominant position in the internal market. The Competition Authority will be responsible for defining the criteria for the existence of a dominant position based on the precedents set by the European case law.

In general terms, an undertaking will be deemed to have a dominant position in the relevant market if it dominates the market and has no relevant competitors. Two or more undertakings operating jointly in the relevant market and having no relevant competitors will be also deemed to hold a dominant position in such market. Conversely, concentrations, which do not create a SIEC in the national market (or in a substantial part of it), are allowed and will be approved by the Competition Authority.

Failure to notify the Competition Authority (whenever the notification thresholds are met) or the completion of a transaction in breach of a decision issued by the Competition Authority refusing to approve the transaction or approving the transaction with remedies, may entail the parties to severe consequences, as follows:

• A fine up to 10% of the previous year’s turnover for each of the involved undertakings;
• Periodic penalty payments, in an amount not exceeding 5% of the average daily aggregate turnover of the undertakings in the preceding year to the Competition Authority’s decision for each day of failure; and
• All legal acts related to the transaction are null and void to the extent that they are in breach of the Competition Authority’s decision. If the transaction has already been completed, the Competition Authority may order to perform the measures required for the re-establishment of effective competition in the market including, but not limited to, the splitting of the merged undertakings or the transfer of control over the acquired undertaking or business units thereof.

If you wish to find out more, please download our PFD down below. 

The General Data Protection Regulation is directly applicable in all EU Member States since May 25, 2018 and it has certainly been the most significant global development in data protection laws across all EU Member States since the "Data Protection Directive".

The GDPR has a global scope, as businesses based outside the EU that offer goods or services to individuals in the EU may be required to comply with the GDPR.

The risk of fines up to 4% of annual worldwide turnover or €20 million is surely a strong incentive for companies to comply with the GDPR.

For entities to better comply with the GDPR, we present and analize a seven step plan detailing the main aspects of the GDPR that companies need to take.

Some of these steps include: (i) maping all your data by organizing data audits within your company's departments in order to understand the personal data held by your company and how your company can manage and protect data; (ii) reviewing your privacy policies, individuals’ consents, contracts throught the procedures to confirm whether individuals make use of their privacy rights; (iii) appointing a single DPO or making individual appointments for each legal entity and/or jurisdiction; (iv) training your employees and staring by reviewing and updating your internal policies and technical measures with your company's IT team to fulfil the privacy “by design” and the privacy “by default”. And, of course, reviewing your security measures, as well as (v) reviewing your current international data transfers and understanding if they will be justified under the GDPR. Consider adopting a data transfer key-solution with your legal team.

These are just some of the measures we propose and carefully explain in this study to better help your company fulfill the GDPR's requirements. 

E-commerce is the process of buying and selling goods or services by electronic means, such as mobile applications and the Internet. E-commerce refers to both online retail as well as electronic transactions.

Nowadays, e-commerce can be carried out via websites or apps or via e-commerce marketplaces available on external websites or apps. Examples of marketplaces are: eBay, Amazon, Etsy and Alibaba.
Over the last few years, the share of persons ordering goods or services online increased steadily. Based on the results of the 2018 survey on “ICT usage and e-commerce in enterprises”, in the EU-28, the percentage of businesses that had e-sales increased by 7% and the businesses’ turnover realized from e-sales increased by 5%, between 2008 and 2017.
In 2019, EU-28 businesses gathered 20% of their total turnover from e-sales, 7% of which were gathered from web sales via own websites or apps and only 13% from EDI-types messages.
E-commerce obviously reflects Internet penetration and usage. From 2010 to 2019, the percentage of enterprises that had e-sales increased from 15% to 21%.

In the near future, the most competitive e-businesses will be able to gauge consumers’ needs and understanding what they want even before consumers do. Anticipating consumers’ behavior is crucial for the e-business success.
In recent years, consumer behaviors have been modifying in the ever-changing landscape of the digital world.
More and more businesses are investing in e-commerce (and “mobile commerce” – “m-commerce” – caused by an increasing use of smartphones), along with big data analytics and artificial intelligence (AI), to boost their industries.
In a report from Accenture on the future of AI, Accenture foresees that AI could boost profitability rates by 38% in the wholesale and retail industries by 2035.

Several generations of e-consumers emerged over the last few years, and the following can be distinguished:

• The first generation of e-consumers – «consumers 1.0» – was practically eradicated by «consumers 2.0», who wanted more than simply being able to place online orders; they intended to view their preferences, orders history, invoices, etc.. Then they were replaced by «consumers 3.0», even more sophisticated and pointing toward greater online customization experiences. To satisfy those needs, e-commerce strategies had to change namely by using big data analytics and AI systems, to build personalized strategies, recommend new products as per consumers’ demands, make online payments easier and more secure.
• «Consumers 3.0» are currently facing the fourth successor – «consumers 4.0» –, who are the evolution of the previous version, with a fundamental change: technology. These consumers demand a more digitized communication and relationship, with the full consumer experiences: innovative advertising, storytelling, humanized customer service through various channels, retail and online integration. Finally, «consumers 5.0» want their five senses to be stimulated. They are the digital natives that are influenced by interactive digital TV and immersive reality, which enable the replication of the human senses in simulated spaces: the consumer is influenced by websites, social networks, and seeks out critics or reviews on the product.

For e-businesses to adopt the best approach and make sure that everything is in order to face «e-consumers 5.0», this paper provides some tips that you should be aware of about e-commerce.

Websites are the foudation of e-commerce. A website needs to follow the legislation of the country it is based in, regardless of sales made to other EU countries, save for consumer law, copyright, electronic money and unsolicited emails.
Before you setting-up an online store, you must confirm whether your website fulfils all the e-commerce requirements. In general, when users access the website:

• Information about your business must be available, including name, address, contact information, registration number, details of any trade association which you are party to, VAT number;
• The website terms and conditions (T&C’s), a disclaimer and the privacy policy must be visible and accessible to them;
• Users should clearly receive a message, by means of an interactive banner or a small pop-up, informing them about the use of cookies. A link on the use of cookies (the “cookies policy”) must be disclosed at the top or bottom of your website; and
• There must be, at least, one way by which users may contact you, as they may need any support, e.g., purchase terms, after-sales assistance.

For an online sale to be valid and effective, you must provide consumers with:

• A description of the goods, services or digital content;
• The total price, including all applicable fees, taxes (VAT) and surcharges. If this cannot be determined, you the way it will be calculated must be provided;
• Payment means and delivery schedules or, at least, an estimated delivery time for the goods;
• Legal guarantee of goods and warranties, if any. In Portugal, the legal guarantee is of two years. For second-hand goods, a one-year guarantee may be agreed by the parties; and
• The terms and conditions of the purchase and codes of conduct, if any, as well information on how such codes can be accessed electronically.

What are the specifics of data in e-commerce?

The GDPR has been directly applicable in the EU since 25 May 2018. E-businesses based outside offering goods or services to individuals in the EU are subject to the GDPR, and non-compliance can lead to fines of up to €20 million or 4%turnover.
One of the best ways to protect yourself is to have a well-designed privacy policy available at your website. The privacy policy, among others, must include: what data is collected; why it is collected; how data is stored and kept safe; if the data will be shared; how you can be contacted.
You must also take care about the use of cookies, as they may leave traces which, when combined with unique identifiers and other information, may be used for profiling and identifying your website’s users From an end-user privacy point of view, cookies may be:

• Non-intrusive cookies, e.g. session cookies, users’ preferences cookies, or load-balancing cookies do not require prior consent; or
• Privacy-intrusive cookies, e.g. cookies for tracking activity on social networks or third-party cookies (e.g. Google Analytics) when used for behavioral advertising, market research or analysis, require prior consent. 

Privacy-intrusive cookies require a «cookie consent rule», as set out in the GDPR. The consent must be a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the individuals’ agreement; silence, pre-ticked boxes or inactivity do not serve as consent.
You must provide customers all the list of privacy-intrusive cookies your website uses and require consent for each type of intrusive cookies.

Advertising law prohibits the use of unfair or deceptive acts or practices in sales means, advertising claims, and marketing and promotional activities, including on websites. Keep in mind that:

• Your ads must be clearly identifiable as such;
• The details, on whose behalf ads are made, must be clearly identified;
• Promotional offers, competitions or games must be clearly identifiable and the conditions which are to be met to qualify for them or to participate must be presented clearly and unambiguously.

In a digital context, hyperlinks and metatags are commonly used for online advertising, as follows:

• Hyperlink, or link, is a reference to data that a user can directly follow either by clicking or tapping. A hyperlink points to a whole document or to a specific element within a document;
• Metatags are basically keywords (“tags”) that a web designer uses to label groups of information. When a user types a particular keyword on a search engine, this matches the keyword with the metatags of several web-pages and displays the most relevant results.

In order to boost their industries, e-businesses are employing big data analytics and machine learning (ML) to understand their customers’ preferences and gradually align their market offers with customers’ needs.
In the past few years, AI has developed algorithms and feed machine learning (ML); this latter one, a subset of AI built from a mathematical model of sample data (“training data”), used to make estimates without being explicitly programmed to perform a task.

What does the future hold for e-commerce? 

New EU rules are on the horizon to boost online businesses under conditions of fair competition, removing geo-blocking and addressing consumer, data protection and copyright issues.
These new rules focus on consumers’ collective actions, unfair terms in consumer contracts, indication of the prices of goods, unfair “B2C” commercial practices and consumer rights.
In the coming years, the future of the e-commerce seems very much linked to big data analytics and AI, along with new consumer, data protection and copyright issues. To face these next challenges, e-businesses should be well-prepared. You will need to set up new alliances with tech partners for the use big data and AI tools, which will be crucial for you to know your customers’ day to day activity and allow you to satisfy the needs of a new generation of customers that will expect to buy what they want, anywhere, and anytime.

To learn more, please download our PDF down below.

Introduction

Sustainable financing, with an emphasis on "green" financing, reveals the growing concern with new environmental, social and governance (ESG) challenges.

Sustainability has a tangible financial dimension that has been growing at an exponential rate. According to Refinitiv, in 2021 sustainable bonds reached a global value of $1 trillion, which represents 10% of the global debt market.

Because we believe that sustainability is an essential aspect of company’s business purpose and will become a pre-condition for accessing financial markets in the future, MACEDO VITORINO has created a Green Finance Team dedicated to the development and financing of green projects.

Our Green Finance Team has deep knowledge of the energy sector and the key regulatory and financial issues in preparing and structuring up green finance transactions.

The pace of development of the green debt and equity markets means that green finance will become dominant in the medium term. In the long term, companies that do not meet sustainability requirements will face increasing difficulties in accessing the financial markets.

 

Background

According to McKinsey, to prevent a rise of more than 1.5°C, no more than 400 gigatons can be emitted, which means cutting present emissions levels by two-thirds over the course of the decade.

In 2019, the European Union (EU) approved the "European Green Deal" with the aim of transforming Europe’s economy and set the following objectives:

The Portuguese National Plan for Energy and Climate (PNEC) establishes the following goals for 2030:

Data is everywhere. Information assets are highly valued by companies. Nowadays, businesses depend more frequently on information technologies and data than a few years ago, mainly before the entry into force and application of the European General Data Protection Regulation (GDPR).

In M&A transactions, data is the key for the evaluation of the target company and the risks associated with the deal. Transactions rely on cybersecurity to protect sensitive and confidential information. However, as insurance coverage over information assets is still not widely sought for, risks are greater for companies that may be more vulnerable during M&A transactions.

But if not the risk of an information breach, or the risk of mispricing the transaction, then the risk of being held legally liable for such breach, including personal data violation, must be of alarming to businesses during M&A transactions.

Within the context of a transaction, there are two key points regarding data protection compliance to be considered: whether personal data can be transferred from the target to the acquiror; and whether the parties comply with privacy laws.
In general, asset deals may be more exposed to data protection compliance risks than share deals or corporate reorganizations, since, in these latest two cases, there is no change in the position of the parties to contracts with employees, customers, and suppliers; that is, there is no transfer of the data controller position, which, even though a shareholders’ change, will remain the same entity. However, there are still significant compliance risks associated with share deals. The differences stages of a M&A transaction require different measures to ensure proper data protection compliance.

With this paper, we intend to provide you with the main points of interest that should concern the parties to a transaction, and to outline potential solutions to minimize or eliminate compliance risks.

 

Pre-signing

The typical M&A transaction kicks off with a due diligence on the acquiror, the target, or both. The due diligence is essentially an analytical review of data disclosed by the relevant party to a transaction. And the disclosure of data poses a significant compliance risk for those attributed the duty off keeping it safe.
Usually, access to data in a due diligence is assured via a data room, from which the reviewing party will obtain the contents that are object of the due diligence, including personal data, e.g., information on employees, customers. For this purpose, it may be advisable that data rooms disable save and print options, which is already common practice in many transactions.

Even before the transaction agreement is done, the parties are already obliged to comply with applicable data protection rules, as the pieces of information reviewed during a due diligence will most likely include personal data. And because data rooms usually host personal data, the parties to a transaction must execute data processing agreements with data room providers.
Personal data includes any information relating to an identified or identifiable natural person, as defined by the GDPR.
Deal structure and industry-specific due diligence is of great relevance, too. On one hand, personal data cannot always be transferred in asset deals, and, on the other, for businesses which are data-intensive, handling great amounts of personal data, it is advisable to conduct further compliance due diligence focusing on data protection.

When extra care is advisable, because e.g., the target company handles sensitive data, there are at least three main areas of play:

• The transferability of data and, when applicable, the consent of data subjects on data transfer;
• Whether the original purposes of the data processing (and for which, for example, data subjects gave their consent) are compatible with the acquiror’s business and data processing purposes in connection with the M&A transaction; and
• The security standards in place at both target and acquiror to keep data safe.

Either for valuation or risk assessment, the acquiror should hence understand what the target’s liabilities on privacy matters are, as the acquiror may take on the target’s liabilities at completion.

What you should watch for:

• Access to the data room should be restricted and information disclosed in the data room should be the necessary (data minimization principle). The employees or customers should not be identified or identifiable. For this purpose, and so that the information keeps meaningful value to the due diligence, the disclosing party can anonymize/pseudonymize information;
• Alternatively, employees or customers should be informed that their information will be processed for the purpose of a due diligence and the disclosing party should obtain their consent. Not only this is impractical in large transactions, but also the parties should consider the fact that consent is only an appropriate lawful basis for data processing if it is genuine, which is not likely in an employment context, and thus the parties should rely on a different lawful basis for transferring data of employees;
• The information disclosed should be limited to that that is strictly necessary to perform the due diligence. For this purpose, e.g., employment agreements can be sampled, or the information can be aggregated, or only key information can be disclosed, or the disclosure of sensitive data should be avoided;
• The valuation of the target company should take into consideration that there may be restrictions to the use of personal data by the acquiror post-closing;
• Whenever the target is processing data on behalf of a third party, data sharing agreements will likely include change of control or change of ownership clauses, which should be accounted for by the acquiror;
• Both deal structure and the industry of the target are relevant for the purpose of assessing price, exposure to risk and steps required for a compliant M&A transaction.

 

Signing

If it were not for the comprehensive set of privacy rules, the assumption would be that the target company owned (and could freely exploit) the personal data it acquired over the years. But that is not the case.
Once the due diligence is complete, the transaction documents should safeguard the party’s position in view of any potential data breaches or infringement of data protection rules.

There are plentiful ways to ensure one’s position during negotiations and at signing: contract negotiations should entail an adequate level of protection against the findings resulting from the due diligence, whether this is reflected on the price or in contractual provisions; the share and purchase agreement should include representations and warranties that are tailored for data protection compliance and/or transferring the risk of violation; the counterparty should be able to warrant that it is compliant with privacy laws and has put in place adequate security standards, etc.
The target should warrant the acquiror, e.g., that there are not any pending proceedings related with data security breaches, that it has adequate security standards in place, or that it is compliant with the applicable privacy laws. Indemnification clauses and limitations of liability are also relevant in view of any potential breaches and/or liability resulting from the target’s business up until the completion date.
Insomuch as some transactions may be of greater complexity as regards data, data sharing and data integration, it may be cost-effective and legally advisable to include ancillary services agreements for the specific purpose of ensuring data protection compliance in the transaction documents.
There should be extra care in international M&A transactions due to potential international data transfers.
If data is transferred to a country outside of the EU-EEA, an assessment of the level of adequacy of the jurisdiction, to which the data will be transferred, has to be carried out. Alternatively, mechanisms such as standard contractual clauses, binding corporate rules, approved codes of conduct, approved certifications or a combination thereof have to be included in the transaction documents.
At signing, if the target processes or controls data, the acquiror should have obtained a comprehensive catalogue of data and respective consents, Records of Processing Activities (RoPAs), Data Protection Impact Assessments (DPIAs), if applicable, and Legitimate Interests Assessments (LIAs).

What you should watch for:

• Data breaches and infringements of privacy laws are costly. Whenever appropriate, privacy-related risks should be accounted for with remediation and indemnification clauses;
• If deemed adequate, it may be advisable that the parties agree to conditions precedent and covenants in respect to data processing;
• Non-disclosure agreements (NDAs) should include data protection clauses and contractual penalties in case of failure to keep information confidential. We should note that NDAs executed by the parties for the purpose of ensuring confidentiality during the transaction process will most likely expire at signing of the asset purchase agreement (APA) or share purchase agreement (SPA), so it may be relevant to execute a new NDA at signing or include a non-disclosure provision in the purchase agreement;
• If the target does not warrant that it is legally authorised to share the data with the acquiror, the acquiror risks exposure to liability for unauthorised processing of data;
• Insurance on cyber risks is valuable and may even be a solution to a deadlock where the target is reluctant to be exposed to such a relevant liability.

 

Pre and post-closing

The day the share and purchase agreement are executed by the parties does not always match the closing of the transaction. The period between signing and the closing date could, in fact, take months. During this period, the transaction parties may also exchange information.
The parties should take into consideration that while the transaction is not closed, the acquiror is a third party and sharing information can result in responsibility before the competition authorities.

Some deals require a level of confidentiality that is sometimes conflicting with the interests of privacy laws. The timing for transfer of liability is key, then. When possible, and to avoid unnecessary exposure to compliance risks, the acquiror can be provided with statistical information instead of actual data, even if it is pseudonymized.

After the deal is closed, it is likely that the acquiror might have to face limitations on the use of data.

The acquiror should mind that the consent provided to the target by data subjects sometime in the past may both enable and limit the data processing by the acquiror. And even in a share deal, where the controller of data does not change, privacy policies will need to be updated, should the purpose or use of personal data change after completion.

What you should watch for:

• Data sharing before the closing date should be limited to that strictly necessary for data integration purposes, and those handling data should be limited to the minimum;
• Should the transaction not occur, the parties must be able to adequately eliminate and dispose of any data obtained during negotiations and before closing date;
• Consent is not transferable in the context of an M&A transaction unless the data subject was informed of such a possibility when providing his consent, so this should be considered by the acquiror;
• Data sharing before the closing date should be limited to that strictly necessary for data integration purposes, and those handling data should be limited to the minimum;
• Where the purpose or use of data does change after completion, the acquiror will need to obtain the consent of the data subjects for their data to be processed under the revised privacy policies.

 

How does the GDPR impact M&A?

In the context of an M&A transaction, personal data of many sorts is handled and/or transferred from target to acquiror. This will include employees’ information, applicants’ CVs, IP addresses, suppliers’ information, etc..
The right to data privacy is not an absolute right. It is relative to its function in society. Throughout the transaction process, it is crucial that the parties weigh their legitimate interests against the fundamental rights and freedoms of data subjects.
The assessment of an adequate balance between the right to protection of individual data and freedom of enterprise adds a layer of complexity to M&A that is novel to the market.

During negotiations, the acquiror is a third party as it is neither the data subject, nor the controller, processor, or an entity who, under the direct authority of the controller or processor, are authorized to process personal data. This puts the parties in a very delicate position as to what information can be shared at a stage where trust and disclosure is key to the success of the transaction:

• On one side, the logistics are seriously impacted as parties must go on tiptoe through each stage of negotiations and even after executing the agreement, bearing in mind that sharing information means exposure to a compliance risk.
• On the other, data privacy influences both valuation and deal structure. As we explored, the price may be adjusted by exposure to compliance risks, and the structure of the deal must be compatible with the transfer of data from the target to the acquiror.
• On the third, where transactions are negotiated behind closed doors, the current data protection framework, compliance obligations, and recent history of sanctions motivated by infringements during negotiations, suggest that even though the door is closed, it is not locked, and personal data protection concerns may not be neglected.

If you wish to find out more, please download our PDF down below.