MVCompliance | Labor Compliance and Corporate Social Responsibility

2022-07-06
Voir pdf

Labor compliance standards and principles

Corporate social responsibility (CSR) and labor compliance pursue going beyond legal compliance issues. The purpose of both is not simply to fulfil legal expectations, but making the environment and relations with stakeholders beyond mere compliance with the Law.

Although CSR is not a plain concept, CSR is whereby business entities voluntarily incorporate social, environmental and ethical standards into their operations.

CSR is built on three pillars: (i) PROFIT (economic), (ii) PEOPLE (social) and (iii) PLANET (environmental area) – the triple “P”. Labor compliance is included in the PEOPLE, social pillar of CSR.

Labor compliance’s purpose is keeping a safe and healthy work environment and giving all employees a fair treatment by labor control mechanisms:

  • For employees, by providing for additional control over the employer’s actions, fair compensation, equal opportunities for recruitment and protection against abuse of office and discrimination; and
  • For employers, by enabling them to hire qualified employees and to require employees to carry out their duties with due diligence.

Successful organizations have in common a commitment to conduct businesses according to high international standards and principles and to build a corporate culture in line with these standards.

Anglo-Saxon systems often distinguish hard law from soft law. ‘Hard law’ generally refers to legal obligations that are binding to the parties involved and which can be legally enforced before a court. The term ‘soft law’ is used to denote agreements, principles and declarations, which are quasi-legal instruments, but do not have any legally binding force, or whose binding force is somewhat weaker than the binding force of traditional law, also referred to as hard law. Labor compliance preferably results from the interaction between hard and soft law instruments.

In Portugal, mandatory obligations and instruments of labor compliance may vary according to the entity type. For instance, State-owned companies or stock exchange listed companies are subject to stricter requirements. This does not, however, mean that other entities may not follow the same compliance standards or even different standards voluntarily applied according to their ethical culture practices.

Some of the mandatory rules are:

  • Record-keeping of employees' working hours;
  • Record-keeping of overtime work;
  • Record-keeping of disciplinary sanctions; and
  • Preparation and display of employees' holiday schedule.

Detailed attention to labor compliance matters on non-discrimination, equal pay, anti-harassment, close the gap for women and minorities, fight against corruption and related offences, have been growing with major changes brought by local laws.

To follow these changes, employers are compelled to apply a set of policies, procedures, and actions, of which:

  • Code of Ethics and Conduct;
  • Anti-Harassment Policy;
  • Gender Equality Plan;
  • Gender Pay Gap Report;
  • Employees’ Training Plan; and
  • Corruption Risk Management Plan.

Some labor compliace tips that your company may follow are:

  • Create a code of ethics and conduct with plain and clear language;
  •  Implement strong policies and plans, e.g., on gender equality, non-harassement, pay gap;
  • Promote awareness amonsgt employees about the importance of complying with the standards;
  • Create internal reporting channels;
  • Regularly monitor compliance programs to review labor-related risks;
  • Remind your employees that the example comes from the top management; and
  • Make it clear that the company is not involved in ehtically doubtful practices.

If you want to read more, please click on the link to our PDF down below. 

NEW CP COMPANY AGREEMENT

2022-06-30
Voir pdf

Following the merger between CP, the Railway Owned State Company of Portugal, and EMEF, the Railway Maintenance Owned State Company, that took place in 2020, and after two years of intensive collective bargaining, it was published the new CP Single-Undertaking Agreement and Career Regulation.

The new Single Undertaking Agreement allows the integration of former EMEF employees at CP and provides new working conditions.

The new agreements were signed with 11 of the 14 trade unions representing CP and former EMEF employees: (i) SNAQ; (ii) ASCEF; (iii) SINFB; (iv) SINFA; (v) SINAFE; (vi) SINDEFER; (vii) FE; (viii) STMEFE; (ix) SIFA; (x) FENTCOP and (x) SIOFA.

In summary, the new Company Agreement enshrines the following changes:

(i)   Salary increase, retroactive to 1 January 2022, for all employees;

(ii)  Elimination of an index at the base for all categories except for Senior Technicians and Specialists;

(iii) Elimination of an additional index at the base of the Commercial Assistant, Revision Operator and Sales Operator categories;

(iv) Increase of one index at the top for all categories except for Senior Technicians and Specialists;

(v)  Creation of minimum tenure for index change, with a maximum of four years;

(vi) Elimination of overlapping indices between professional categories and their managers;

(vii) Uniformization of the meal allowance to €7.74;

(viii) Increase in the fixed percentage of the daily revision premium from EUR 0.6 to EUR 0.8;

(ix)  Increase in the allowance for absences at fixed sales points by EUR 6 in each step;

(x)   Integration of former EMEF employees with retroactive effect as of 1 January 2022;

(xi) Application of the rules on work organization, allowances, and variables, mostly enshrined in the former CP AE to the former EMEF employees; and

(xii) Reinstatement of the transportation allowance existing in the EMEF AE for those workers currently covered by the new AE who, at the time of the merger, were receiving it and are not covered by the transportation/availability allowance of the new AE.

The new EA contains a globally more favorable regime for all workers and some new productivity measures.

The new Company Agreement covers workers affiliated to the signatory unions, as well as workers not affiliated to a signatory union who adhere to it within three months.

The signing of the new Company Agreements falls under the principle of collective autonomy and the right to collective bargaining, enshrined among workers' rights, freedoms and guarantees in article 56, no. 3 of the Constitution of the Portuguese Republic.

© MACEDO VITORINO

State Budget Law 2022: Labour Measures

2022-06-29
Voir pdf

The Parliament approved the State Budget Law for 2022 ("LOE 2022"), which entered into force yesterday.The main changes regarding labour issues are the following:

SALARY AND BONUSES

  • Performance bonuses in the Public Administration may be awarded up to the legally established amount and the equivalent to up to one employee's basic monthly remuneration, without prejudice to the provisions of the collective labour regulation instruments (IRCT).
  • The granting of performance bonuses to employees from the Sate-Owned Sector shall comply with the IRCT and other legal or contractual instruments in force, or in their absence, with the provisions of the decree-law that develops the State Budget Law.
  • The payment of special management bonuses to managers of public companies is possible if they have an approved business plan and budget for 2022, and that there is an improvement in the ratio of external supplies and services to turnover in relation to the previous year.
  • Special management bonuses for managers of public companies are endorsed by order of the member of the Government responsible for the area of finance and have as a maximum limit an average monthly remuneration.
NEW HIRINGS
  • Companies in the public business sector may recruit workers for open-ended employment contracts or fixed-term contracts, under terms to be defined in the decree-law that develops the State Budget Law.
  • Any hiring carried out in breach of the applicable regulations shall be considered null and void.
SUPPLEMENTARY SOCIAL PROTECTION FOR WORKERS
  • The contracting of the personal accident and sickness insurance by public entities to whose employees the individual employment contract regime applies is possible, provided that it is intended for all employees in general. The same applies to other insurance policies that are compulsory by law or provided for in a collective bargaining agreement.
EXTRAORDINARY RETIREMENT PENSION UPDATE
  • Pensions will be updated by €10.00 per pensioner whose total amount of pension is equal to or less than 2.55 times the value of the IAS. The updates will take effect on 1 January 2022.

 

  

MVCompliance | Regulatory Compliance Programme

2022-06-17
Voir pdf

Introduction

The Portuguese Government approved a set of measures, including a general framework for preventing corruption. This happened under the National Anti-Corruption Strategy 2020-2024, approved by the Council of Ministers Resolution No. 37/2021, of 6 April 2021.  

Decree-Law No. 109-E/2021, of 9 December 2021, approved the Portuguese Framework for the Prevention of Corruption (the Portuguese Anti-Corruption Framework) and created an independent administrative entity, the National Anti-Corruption Mechanism (MENAC). MENAC replaced the Council for the Prevention of Corruption to promote transparency and integrity in public action and ensure the effectiveness of policies to prevent corruption and related offences. 

The Portuguese Anti-Corruption Framework requires public and private entities with 50 or more employees to adopt a regulatory compliance programme, which must include: (i) a risk prevention or management plan, (ii) a code of ethics and conduct, (iii) training programmes, (iv) reporting channels and (v) the designation of a compliance officer ("Responsável pelo Cumprimento Normativo").

This regulation also determines the implementation of internal control systems that ensure the effectiveness of the instruments of the regulatory compliance programme and the transparency and impartiality of procedures and decisions. It also provides sanctions, particularly administrative sanctions, for the non-adoption or deficient or incomplete adoption of regulatory compliance programmes.

Having the adaptation of the entities covered by this framework in mind, it was established that it would come into force and gradually take effect as follows:

  • The Portuguese Anti-Corruption Framework comes into force on 7 June 2022; and
  • The sanctioning regime will take effect from 7 June 2023, except for companies with 50 to 249 employees, where it will take effect from 7 June 2024.

 

Corruption

No unequivocal definition of corruption exists. However, there is consensus that corruptive conduct involves the abuse of public power or service duties to benefit the third party against payment of a sum of money or any other benefit.

Articles 372 to 374-B of the Portuguese Criminal Code provide for crimes of undue receiving of advantage and corruption crimes.

Corruption crimes have essentially two outlines: active and passive corruption, depending on whether the perpetrator is, respectively, offering/promising or requesting/accepting an undue material or non-material advantage. Another critical difference is whether the action requested or performed is contrary to the service duties of the corrupted officer.

Corruption crimes in international trade and private practices (set out in Law No. 20/2008 of 21 April 2008, as well as those included in the Criminal Liability Regime for Anti-Sporting Behaviour, approved by Law No. 50/2007 of 31 August 2007) are also included in the concept of corruption, even when there is no abuse of public power or function.

It is essential to mention that in society, the concept of corruption has a broader meaning. It includes other crimes perpetrated in the performance of public duties, such as embezzlement, economic participation in business, extortion, abuse of power, prevarication, influence peddling or money laundering.

Corruption and related offences comprise the following criminal offences: corruption, receiving and offering an undue advantage, embezzlement, economic involvement in business, extortion, abuse of power, prevarication, influence peddling, laundering or fraud in obtaining or diverting a subsidy, grant or credit.

 

Regulatory Compliance Programme

The Portuguese Anti-Corruption Framework imposes the adoption of a regulatory compliance programme by:

  • Legal entities, including branches, headquartered in Portugal with 50 or more employees;
  • State, autonomous regions, local authorities and corporate public sector companies with 50 or more employees; and
  • Independent administrative entities with regulatory functions and the Bank of Portugal.

Entities, either public or private entities, that do not meet the above requirements are not exempted from implementing instruments for the prevention of risks of corruption and related infractions. These must be adjusted to their size and nature.

The regulatory compliance programme must include the following minimum mandatory instruments:

  • Risk prevention or management plans;
  • Code of Ethics and Conduct;
  • Training programmes and awareness actions;
  • Reporting channels; and
  • Appointment of a Compliance Officer (“Responsável pelo Cumprimento Normativo”), whose role is to ensure and monitor the implementation of the regulatory compliance programme.

This regime also determines the implementation of internal control systems and prior assessment procedures that ensure the effectiveness of the instruments of the regulatory compliance programme.

The board of directors is responsible for adopting and implementing the regulatory compliance programme.

Entities must implement the regulatory compliance programme until 7 June 2022.

 

Minimum Mandatory Instruments 

  • Code of Coduct: Document establishing a set of ethical and deontological principles, values, and rules that the organisation’s employees must comply with;
  • Risk Prevention Plan: Instrument of internal risk control and management, i.e., control and management of the possibility of occurrence of some events with a negative impact on the organisation's objectives;
  • Reporting Channel: An internal reporting channel for corruption must be managed with independence, impartiality and absence of conflicts of interest, and ensure secrecy, confidentiality and data protection;
  • Trainning Programme: To ensure all employees clearly understand and embrace policies and procedures that affect their duties and responsibilities; and
  • Compliance Officer: Responsible for ensuring and controlling the application of the regulatory compliance programme, namely by implementing, controlling and reviewing the risk prevention plan.

 

Prevention Plan for Corruption Risks and Related Offences

The Prevention Plan for Corruption Risks and Related Offences (Risks Prevention Plan) is an essential instrument of control and management of internal risk, i.e. of control and management of the possibility of occurrence of any event with a negative impact on the organisation’s goals.

A Risks Prevention Plan should cover the whole organisation and its activity, including administration, management, operational or support areas.

Corporate groups can adopt and enforce a single Risks Prevention Plan covering the entire organisation and activity of the group, including management, operational or support areas of the corporate group entities.

A Risks Prevention Plan must include:

  • Identification, analysis and ranking of risks and situations that may expose the entity to acts of corruption and related offences, including the ones associated with the performance of duties by the members of the management and administrative bodies, considering the reality of the sector and the geographical areas in which the entity operates;
  • Preventive and corrective measures to reduce the probability of occurrence and impact of the risks and situations identified.

It must also contain:

  • The entity's areas of activity with risk of engaging in acts of corruption and related offences;
  • The likelihood of occurrence and foreseeable impact of each situation, in a way that would make it possible grading of risks;
  • Preventive and corrective measures to reduce the likelihood of occurrence and impact of the risks and situations identified. In cases of high or maximum risk, the most comprehensive prevention measures, being enforcement the priority; and
  • Appointment of a person responsible for the implementation, control and review of the Risks Prevention Plan, which may be the Compliance Officer.

 

Enforcement Control of the Risks Prevention Plan

To ensure that new or existing risks are adequately addressed, the execution of the Risks Prevention Plan should be subject to a review of internal controls, particularly:

  • Preparation, in October, of an interim evaluation report on situations of high or maximum risk identified;
  • Preparation, in April of the following year, of an annual evaluation report that quantifies the degree of execution of the preventive and corrective measures and the expectation of their full implementation.

Entities must ensure that the Risks Prevention Plan and relevant reports are disclosed to employees through the Intranet and official Internet website, if applicable, within ten days from implementation, review or amendments.

Public entities have an additional reporting obligation. They must report the Risks Prevention Plan and relevant reports to the Government members responsible for their management, supervision or control; the inspection services of the appropriate governmental area; and to MENAC within ten days from implementation, review or amendments.

the Risks Prevention Plan must be reviewed every three years or whenever changes occur, for instance, changes in the entity’s articles of association or corporate structure.

 

Code of Conduct

The Code of Conduct includes a set of ethical and deontological principles, values and rules that govern an organisation's activity and by which the members of its management bodies and employees should abide in their internal relationships as well as with customers, suppliers and stakeholders.

The Code of Conduct does not have an inside limitation. It may also be addressed to third parties, i.e., entities outside the organisation but which are contracted by or act on behalf of the organisation, in cases where the organisation may be responsible for their actions or omissions, under the "principal/ commissioner" liability regime.

The Portuguese Anti-Corruption Framework expressly requires the Code of Conduct to include the disciplinary sanctions for failure to comply with the Code’s rules under the law and have criminal sanctions for acts of corruption and related offences. On the other hand, it is necessary to adopt a specific procedure if a violation occurs. In other words, a report must be drawn up identifying the rules infringed, the sanction applied, and the measures implemented or to be implemented.

The Code of Conduct must be disclosed through the Intranet and official Internet website, if applicable, within ten days from its implementation, review or amendments.

Public entities have an additional reporting obligation. They must report the Code of Conduct to the Government members responsible for their management, supervision or control; the inspection services of the appropriate governmental area, if any; and to MENAC within ten days from implementation, review or amendments. The communications will be carried out through an electronic platform managed by MENAC.

The Code of Conduct must be updated every three years or whenever changes occur, for instance, changes in the entity’s articles of association or corporate structure.

 

Internal Reporting Channels

The Portuguese Anti-Corruption Framework itself states that the adoption of internal reporting channels for acts of corruption and related offences falls within the Whistleblowing Directive (EU) 2019/1937, which was transposed by Law No. 93/2021, of 20 December 2021, into Portuguese law.

This means that corruption and related offences are also included in the scope of the breaches set out in the Portuguese Whistleblowing Law, and the whistleblower may benefit from the relevant protection once specific (cumulative) conditions are met, namely:

  • The reporting person is acting in good faith;
  • The reporting person has a serious reason to believe that the information is accurate at the time of the report or public disclosure;
  • The information relates to a covered breach, i.e., a reportable breach; and
  • The complaint is made through appropriate report channels.

Each entity is free to choose how to implement the reporting channel. Regardless of the means chosen, the confidentiality of the reporting person or anonymity (if requested by the reporting person) must always be ensured. Complaints may be made anonymously.

The reporting channel must ensure the possibility of the complaint being made:

  • In writing: by post, via one or more physical complaint boxes, or an online platform, e.g., on the Intranet or Internet; or
  • Verbally: via a telephone line or other voice messaging system; or
  • Both.

 

Follow-up on internal complaints

The follow-up to an internal complaint is subject to mandatory deadlines, namely:

  • Seven days: the entity will notify the reporting person on the receipt of the complaint and inform in a clear and accessible manner the reporting person of the requirements, competent authorities and means and admissibility of an external complaint;
  • Three months from the reception of the complaint: the entity will inform the reporting person of the measures envisaged or adopted to follow up on the complaint and why. Following the complaint, the entity will take the appropriate internal actions to verify the allegations contained in the complaint and, where necessary, to bring to an end the breach reported, including by opening an in-house investigation or informing the competent authority to investigate the breach;
  • 15 days after the respective conclusion: the reporting person may request, at any time, for the entity to communicate the result of its analysis of the complaint.

Within the scope of the reporting channels, it is advisable to adopt a whistleblowing policy with specific procedures for information, response and handling of complaints.

Internal reporting channels can be operated:

  • Internally, for the purpose of receiving and following up complaints, by persons or services within the organisation; or
  • Externally, for the purpose of receiving complaints on behalf of the organisation, e.g. by external whistleblowing platform providers, external consultants, auditors.

Of these two options, the use of an external entity may prove to be the most appropriate option, as the Portuguese law requires that the independence, impartiality, confidentiality, data protection, secrecy and absence of conflicts of interest of whoever is in charge of managing the channel and following up on complaints is guaranteed.

If, however, the organisation chooses to manage and follow up on complaints itself, it is recommended that at least an assessment by an independent third party is made to verify that all safeguards, including response times and prompt follow-ups with the reporting person, are met, failing which fines may be imposed.

 

Training and Awareness Programme

Internal training shall ensure that administrative, management and other employees know and understand the policies and procedures to prevent corruption and related offences. In this case, the training hours count as statutory training time provided by the employer to the employee.

The Portuguese Anti-Corruption Framework does not foresee specific content for training or time sessions.

Each organisation is responsible for defining the content of its training programme and developing the necessary training actions for employees according to a risk-based approach.

Training must be transversal, although the content must be adapted to the respective recipients.

Training should take into account the different exposure of the board of directors, senior management and other employees to the risks of corruption and related infractions.

Along with internal training actions, the promotion of awareness-raising actions, both internally and externally, is another component necessary for implementing a PCN effectively.

Each organisation must inform its employees and the entities with which it relates – in its supply chain – of the policies and procedures in force that must be complied with and the consequences of non-compliance.

 

Compliance Officer (Responsável pelo Cumprimento Normativo)

The Portuguese Anti-Corruption Framework establishes that the Compliance Officer must be in a senior management position or equivalent. However, it does not determine what specific qualifications RCNs should have for performing their duties. However, we anticipate that they should be appointed based on their professional qualities and, in particular, their expertise in law and compliance practice.

The Compliance Officer is not a new “role". The Portuguese Anti-Money Laundering Law (Law 83/2017, of 18 August) expressly provides for the designation of a Compliance Officer in anti-money laundering and terrorist financing measures. Similarly, the Data Protection Officer (DPO) under the General Data Protection Regulation (GDPR).

Although the Portuguese Framework does not establish the specific duties of the Compliance Officer, unlike what the Portuguese Anti-Money Laundering does, regarding money-laundering prevention, and GDPR for the Data Protection Officer (DPO), the Portuguese Anti-Corruption Framework imposes that the exercise of the Compliance Officer duties is performed independently, permanently and with decision-making autonomy. RCN must also have the internal information and human and technical resources necessary for the proper performance of their duties.

The question may arise whether the Compliance Officer for anti-money laundering or DPO can also act as the Compliance Officer for the Portuguese Framework. The answer to this question is not universal since it can depend, among other things, on the size and structure of the organisation itself and the procedures in place. If the entities covered are in a group relationship, the Portuguese Anti-Corruption Framework expressly states that a single person responsible for regulatory compliance can be appointed.

Although not legally specified, the Compliance Officer duties can be allocated to a team, but there should be a specific interlocutor with employees and competent authorities.

 

Internal Control and Prior Assessment Procedures

The entities covered, public and private, must implement an internal control system, which should include, among other things, the organisation plan, policies, methods, procedures and good control practices that consider the main corruption risks identified in the Risks Prevention Plan.

The internal control system must be proportionate to the nature, size and complexity of the entity and its business and be based on adequate risk management, information and communication models. The internal control system must also be supported by procedures manuals.

The implementation of the internal control system should also be subject to regular monitoring through random audits, with the results and conditioning factors being reported upstream, and the adoption of the necessary corrective or improvement measures.

The internal control system must be fit for preventing or repairing situations of conflict of interest :

  • In public entities, members of the administrative bodies, managers and employees must sign a declaration of absence of conflict of interests (form to be defined) in procedures in which they intervene relating to: (i) public procurement; (ii) granting of subsidies, subventions or benefits; (iii) urban, environmental, commercial and industrial licensing; licenciamentos urbanísticos, ambientais, comerciais e industriais; (iv) sanctioning procedures. In a case of a potential or existing conflict of interest, they must also disclose the issue to their manager or, in their absence, to the Compliance Officer.
  • In private entities, prior risk assessment procedures should be established in relation to third parties acting on their behalf, as well as suppliers and customers. To identify situations of conflict of interest, these procedures must be suitable for the title of beneficial owners, image and reputation risks and commercial relations with third parties.

 

Penalties

Very Serious misdemeanour

FINES FROM € 2.000 TO € 44.891,81 (LEGAL PERSONS) OR UP TO € 3.740,98 (NATURAL PERSONS)

  • Failure to adopt of implement a Risk Prevention Plan or if the adopted/ implemented Plan lacks any of the required elements; 
  • Failure to adopt a Code of Conduct or to adopt a Code that does not take into account the criminal norms regarding corruption and related offences or the risks of the Entity's exposure to these crimes; and
  • Failure to implement an Internal Control System.
Serious misdemeanour
 

FINES FROM € 1.000 TO € 25.000 (LEGAL PERSONS) OR UP TO € 2.500 (NATURAL PERSONS)

  • Failure to draw up control reports over the Risk Prevention Plan;
  • Non-revision of the Risk Prevention Plan or the Code of Conduct;
  • Failure to publicise the Risk Prevention Plan or the Code of Conduct and monitoring reports to employees; 
  • Failure to communicat the Risk Prevention Plan or the Code of Conduct and/ or control reports;
  • Failure to report in case of breach of the Code of Conduct or incomplete reporting.
 

Liability 

Liability for the perpetration of administrative offences lies upon:

  • Legal persons, when the acts are carried out by the members of their bodies, agents, representatives or employees in the performance of their duties or in their name and on their behalf. When the agent acts against the explicit orders or instructions of the legal persons or similar entities, their responsibility is excluded;
  • Owners of managerial bodies or managers, the person responsible for regulatory compliance and those responsible for the management or supervision of the areas of activity in which the administrative offence is committed when they engage in the acts or when, knowing or having knowledge of the acts, they do not adopt measures to put an end to them.

Directors or managers of legal persons or equivalent entities are alternatively liable:

  • For the payment of fines imposed prior to the beginning of the term of office when they are accountable for the insufficiency of assets for payment; or
  • For payment of fines imposed prior to the beginning of the term of office but where the final decision is only notified during the term of office and non-payment is attributable to them.

When several persons are liable to pay the fines, they are jointly liable.

 

If you wish to learn more, please download the PDF below. 

Merger control in Portugal

2022-06-15
Voir pdf

Introduction

Law 19/2012, of May 8, 2012 (the “Competition Law”), which entered into in force on July 8, 2012 and repealed the former competition law, Law 18/2003, of June 11, 2003, establishes merger control rules applicable to concentrations having effects in Portugal.

The Competition Law brought relevant changes on merger control rules, particularly by (i) putting the merger substantive test in line with the Significant Impediment of Effective Competition (“SIEC”) test of the European merger rules; (ii) changing the turnover thresholds required for the notification to the Portuguese competition authority (Autoridade da Concorrência – the “Competition Authority”), including adding a new de minimis market share notification threshold, (iii) deleting the previous notification deadline, and (iv) amending some deadlines applicable to the merger procedure.

In order to prevent the risk of competition restrictions, the Competition Authority exercises control over planned concentrations with effects in the national market.

A concentration is the legal combination of two or more undertakings, by the merger between two or more undertakings or by the control acquisition, directly or indirectly, of the whole or parts of one or several other undertakings.
Following an assessment phase, the Competition Authority may approve the concentration, including upon the application of remedies to be carried out by the undertakings, or prohibit the transaction insofar as it creates significant impediments to effective competition in the national market, particularly in case of creation or reinforcement of a dominant position in the national market.

Undertakings that execute concentrations which have been suspended or prohibited by the Competition Authority may be subject to fines and the legal acts related to the transaction could be declared null and void. The maximum amount of the fine could be 10% of the aggregate annual turnover of the associated undertakings that have engaged in the prohibited behavior.

This paper reviews some of the most important legal aspects regarding merger control rules in Portugal.

 

Powers of the Competition Authority

The Competition Authority is an independent authority with financial autonomy, which was created in 2003 by Decree-Law 10/2003, of January 18, 2003. The role of the Competition Authority is to conduct the enforcement of the competition rules in Portugal with a view to ensuring an efficient market performance and a fair division of the resources and to protect the interests of the consumers under the market economy and free competition principles.

In contrast to antitrust practices, for which the Competition Authority is empowered to apply the Competition Law in parallel with European competition rules whenever an impact on trade between Member States exists; in merger control, the Competition Authority may only take action against concentrations to the extent that the relevant merger thresholds, as set out in Council Regulation (EU) 139/2004, of January 20, 2004 (the EU Merger Regulation), are not met. There is however a referral mechanism that allows the Competition Authority and the European Commission to transfer the case between themselves, both at the request of the involved undertakings and of the Competition Authority, in order for the undertakings to benefit from a one-stop-shop review.

The powers of the Competition Authority include:

  • The power to investigate any practices that may infringe the national and the European Union competition rules, to conduct the required procedures and to decide on the applicable sanctions, if any;
  • The power to decide on the compatibility of undertakings’ agreements with the competition rules and to conduct the applicable administrative procedures;
  • The power to review and decide on merger transactions and to conduct the applicable administrative procedures; and
  • The power to approve regulations on competition issues as well as codes of conduct and manuals of corporate good practices.

 

Notification thresholds

The Competition Law does not establish a specific deadline for the filing of a notification. Transactions subject to notification may not be however completed before clearance from the Competition Authority.

The notification is required to the extent one of the following thresholds is fulfilled:

  • Turnover threshold: the aggregate net turnover obtained in Portugal by the undertakings involved in the transaction (“Participating Undertakings”) exceeds €100 million in the preceding financial year (after deduction of taxes directly related to turnover), provided that the turnover individually obtained in Portugal by at least two of the Participating Undertakings exceeds €5 million; or
  • Standard market share threshold: the transaction leads to the acquisition, creation or reinforcement of a market share of equal to or above 50% of the national relevant market, or in a substantial part thereof; or
  • “De minimis” market share threshold: the transaction leads to the acquisition, creation or reinforcement of a market share equal to or above 30% and less than 50% of the national relevant market, or in a substantial part thereof, provided that the net turnover individually obtained in Portugal by at least two of the Participating Undertakings exceeds €5 million in the previous financial year.

Merger transactions may be subject to a preliminary assessment within at least fifteen working days prior to the notification of the transaction to the Competition Authority. This preliminary procedure aims to promote informal and confidential discussions on any proposed transaction with the Competition Authority. Typically, this preliminary procedure is made through one or more meetings with the Competition Authority and subsequent additional information requests. The preliminary procedure may, in practice, entail a reduction in time for the assessment of the transaction by the Competition Authority, as it may prevent that the notification form includes incomplete information and it may reduce any additional information requests by the Competition Authority. The preliminary procedure does not, however, imply the taking of a decision by the Competition Authority concerning the compliance of any transaction with the competition rules.

 

Merger control procedure

The merger control procedure is very similar to the review procedure set out in the EU Merger Regulation and relevant implementing regulation.

After the filing of the notification, which becomes effective after the Competition Authority receives payment of the relevant fees and insofar as the notification is complete, the Competition Authority publishes a summary of the notification on its website and in two national newspapers within five days, so that any interested third parties may present their comments or objections to the proposed transaction.

Within thirty working days from the date the notification becomes effective, the Competition Authority must complete the evidence taking proceeding and decide (Phase 1):

  • That the concentration is not subject to mandatory notification;
  • Not to oppose to the transaction; or
  • To initiate an in-depth investigation, if it considers that from the transaction, taking into account the evidence gathered, may result significant impediments to effective competition.

The in-depth investigation phase (Phase 2) may not exceed ninety working days from the notification date, which means that the deadline of Phase 2 already comprises the deadline of Phase 1 and, in practice, is of sixty working days.

In Phase 2, the Competition Authority must decide:

  • To authorize the transaction unconditionally;
  • To authorize the transaction subject to the fulfilment of certain commitments by the parties; or
  • To prohibit the transaction, in case it creates significant impediments to effective competition in the national market or in a substantial part of it – the so-called “Significant Impediment to Effective Competition”, SIEC test.

In case the Competition Authority fails to adopt a decision within ninety days from the filing date of the notification, the transaction will be deemed as approved.

Both clearance or prohibition decisions may be subject to appeal to the Competition, Supervision and Regulation Court (Tribunal da Concorrência, Regulação e Supervisão) created in 2011. The Competition Authority’s decision that prohibits the transaction may be also subject to an extraordinary appeal to the Minister of Economy.

 

Consequences for breach of merger control rules

The Competition Authority will prohibit any operations that create significant impediments to effective competition in the national market or in a substantial part of it – the SIEC test –, particularly whether the impediments result from the creation or the reinforcement of a dominant position in the internal market. The Competition Authority will be responsible for defining the criteria for the existence of a dominant position based on the precedents set by the European case law.

In general terms, an undertaking will be deemed to have a dominant position in the relevant market if it dominates the market and has no relevant competitors. Two or more undertakings operating jointly in the relevant market and having no relevant competitors will be also deemed to hold a dominant position in such market. Conversely, concentrations, which do not create a SIEC in the national market (or in a substantial part of it), are allowed and will be approved by the Competition Authority.

Failure to notify the Competition Authority (whenever the notification thresholds are met) or the completion of a transaction in breach of a decision issued by the Competition Authority refusing to approve the transaction or approving the transaction with remedies, may entail the parties to severe consequences, as follows:

  • A fine up to 10% of the previous year’s turnover for each of the involved undertakings;
  • Periodic penalty payments, in an amount not exceeding 5% of the average daily aggregate turnover of the undertakings in the preceding year to the Competition Authority’s decision for each day of failure; and
  • All legal acts related to the transaction are null and void to the extent that they are in breach of the Competition Authority’s decision. If the transaction has already been completed, the Competition Authority may order to perform the measures required for the re-establishment of effective competition in the market including, but not limited to, the splitting of the merged undertakings or the transfer of control over the acquired undertaking or business units thereof.

If you wish to find out more, please download our PFD down below. 

Top seven actions companies need to take

2022-06-08
Voir pdf

The General Data Protection Regulation is directly applicable in all EU Member States since May 25, 2018 and it has certainly been the most significant global development in data protection laws across all EU Member States since the "Data Protection Directive".

The GDPR has a global scope, as businesses based outside the EU that offer goods or services to individuals in the EU may be required to comply with the GDPR.

The risk of fines up to 4% of annual worldwide turnover or €20 million is surely a strong incentive for companies to comply with the GDPR.

For entities to better comply with the GDPR, we present and analize a seven step plan detailing the main aspects of the GDPR that companies need to take.

Some of these steps include: (i) maping all your data by organizing data audits within your company's departments in order to understand the personal data held by your company and how your company can manage and protect data; (ii) reviewing your privacy policies, individuals’ consents, contracts throught the procedures to confirm whether individuals make use of their privacy rights; (iii) appointing a single DPO or making individual appointments for each legal entity and/or jurisdiction; (iv) training your employees and staring by reviewing and updating your internal policies and technical measures with your company's IT team to fulfil the privacy “by design” and the privacy “by default”. And, of course, reviewing your security measures, as well as (v) reviewing your current international data transfers and understanding if they will be justified under the GDPR. Consider adopting a data transfer key-solution with your legal team.

These are just some of the measures we propose and carefully explain in this study to better help your company fulfill the GDPR's requirements. 

E-commerce topics

2022-05-31
Voir pdf

E-commerce is the process of buying and selling goods or services by electronic means, such as mobile applications and the Internet. E-commerce refers to both online retail as well as electronic transactions.

Nowadays, e-commerce can be carried out via websites or apps or via e-commerce marketplaces available on external websites or apps. Examples of marketplaces are: eBay, Amazon, Etsy and Alibaba.
Over the last few years, the share of persons ordering goods or services online increased steadily. Based on the results of the 2018 survey on “ICT usage and e-commerce in enterprises”, in the EU-28, the percentage of businesses that had e-sales increased by 7% and the businesses’ turnover realized from e-sales increased by 5%, between 2008 and 2017.
In 2019, EU-28 businesses gathered 20% of their total turnover from e-sales, 7% of which were gathered from web sales via own websites or apps and only 13% from EDI-types messages.
E-commerce obviously reflects Internet penetration and usage. From 2010 to 2019, the percentage of enterprises that had e-sales increased from 15% to 21%.

In the near future, the most competitive e-businesses will be able to gauge consumers’ needs and understanding what they want even before consumers do. Anticipating consumers’ behavior is crucial for the e-business success.
In recent years, consumer behaviors have been modifying in the ever-changing landscape of the digital world.
More and more businesses are investing in e-commerce (and “mobile commerce” – “m-commerce” – caused by an increasing use of smartphones), along with big data analytics and artificial intelligence (AI), to boost their industries.
In a report from Accenture on the future of AI, Accenture foresees that AI could boost profitability rates by 38% in the wholesale and retail industries by 2035.

Several generations of e-consumers emerged over the last few years, and the following can be distinguished:

  • The first generation of e-consumers – «consumers 1.0» – was practically eradicated by «consumers 2.0», who wanted more than simply being able to place online orders; they intended to view their preferences, orders history, invoices, etc.. Then they were replaced by «consumers 3.0», even more sophisticated and pointing toward greater online customization experiences. To satisfy those needs, e-commerce strategies had to change namely by using big data analytics and AI systems, to build personalized strategies, recommend new products as per consumers’ demands, make online payments easier and more secure.
  • «Consumers 3.0» are currently facing the fourth successor – «consumers 4.0» –, who are the evolution of the previous version, with a fundamental change: technology. These consumers demand a more digitized communication and relationship, with the full consumer experiences: innovative advertising, storytelling, humanized customer service through various channels, retail and online integration. Finally, «consumers 5.0» want their five senses to be stimulated. They are the digital natives that are influenced by interactive digital TV and immersive reality, which enable the replication of the human senses in simulated spaces: the consumer is influenced by websites, social networks, and seeks out critics or reviews on the product.

For e-businesses to adopt the best approach and make sure that everything is in order to face «e-consumers 5.0», this paper provides some tips that you should be aware of about e-commerce.

Websites are the foudation of e-commerce. A website needs to follow the legislation of the country it is based in, regardless of sales made to other EU countries, save for consumer law, copyright, electronic money and unsolicited emails.
Before you setting-up an online store, you must confirm whether your website fulfils all the e-commerce requirements. In general, when users access the website:

  • Information about your business must be available, including name, address, contact information, registration number, details of any trade association which you are party to, VAT number;
  • The website terms and conditions (T&C’s), a disclaimer and the privacy policy must be visible and accessible to them;
  • Users should clearly receive a message, by means of an interactive banner or a small pop-up, informing them about the use of cookies. A link on the use of cookies (the “cookies policy”) must be disclosed at the top or bottom of your website; and
  • There must be, at least, one way by which users may contact you, as they may need any support, e.g., purchase terms, after-sales assistance.

For an online sale to be valid and effective, you must provide consumers with:

  • A description of the goods, services or digital content;
  • The total price, including all applicable fees, taxes (VAT) and surcharges. If this cannot be determined, you the way it will be calculated must be provided;
  • Payment means and delivery schedules or, at least, an estimated delivery time for the goods;
  • Legal guarantee of goods and warranties, if any. In Portugal, the legal guarantee is of two years. For second-hand goods, a one-year guarantee may be agreed by the parties; and
  • The terms and conditions of the purchase and codes of conduct, if any, as well information on how such codes can be accessed electronically.

What are the specifics of data in e-commerce?

The GDPR has been directly applicable in the EU since 25 May 2018. E-businesses based outside offering goods or services to individuals in the EU are subject to the GDPR, and non-compliance can lead to fines of up to €20 million or 4%turnover.
One of the best ways to protect yourself is to have a well-designed privacy policy available at your website. The privacy policy, among others, must include: what data is collected; why it is collected; how data is stored and kept safe; if the data will be shared; how you can be contacted.
You must also take care about the use of cookies, as they may leave traces which, when combined with unique identifiers and other information, may be used for profiling and identifying your website’s users From an end-user privacy point of view, cookies may be:

  • Non-intrusive cookies, e.g. session cookies, users’ preferences cookies, or load-balancing cookies do not require prior consent; or
  • Privacy-intrusive cookies, e.g. cookies for tracking activity on social networks or third-party cookies (e.g. Google Analytics) when used for behavioral advertising, market research or analysis, require prior consent. 

Privacy-intrusive cookies require a «cookie consent rule», as set out in the GDPR. The consent must be a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the individuals’ agreement; silence, pre-ticked boxes or inactivity do not serve as consent.
You must provide customers all the list of privacy-intrusive cookies your website uses and require consent for each type of intrusive cookies.

Advertising law prohibits the use of unfair or deceptive acts or practices in sales means, advertising claims, and marketing and promotional activities, including on websites. Keep in mind that:

  • Your ads must be clearly identifiable as such;
  • The details, on whose behalf ads are made, must be clearly identified;
  • Promotional offers, competitions or games must be clearly identifiable and the conditions which are to be met to qualify for them or to participate must be presented clearly and unambiguously.

In a digital context, hyperlinks and metatags are commonly used for online advertising, as follows:

  • Hyperlink, or link, is a reference to data that a user can directly follow either by clicking or tapping. A hyperlink points to a whole document or to a specific element within a document;
  • Metatags are basically keywords (“tags”) that a web designer uses to label groups of information. When a user types a particular keyword on a search engine, this matches the keyword with the metatags of several web-pages and displays the most relevant results.

In order to boost their industries, e-businesses are employing big data analytics and machine learning (ML) to understand their customers’ preferences and gradually align their market offers with customers’ needs.
In the past few years, AI has developed algorithms and feed machine learning (ML); this latter one, a subset of AI built from a mathematical model of sample data (“training data”), used to make estimates without being explicitly programmed to perform a task.

What does the future hold for e-commerce? 

New EU rules are on the horizon to boost online businesses under conditions of fair competition, removing geo-blocking and addressing consumer, data protection and copyright issues.
These new rules focus on consumers’ collective actions, unfair terms in consumer contracts, indication of the prices of goods, unfair “B2C” commercial practices and consumer rights.
In the coming years, the future of the e-commerce seems very much linked to big data analytics and AI, along with new consumer, data protection and copyright issues. To face these next challenges, e-businesses should be well-prepared. You will need to set up new alliances with tech partners for the use big data and AI tools, which will be crucial for you to know your customers’ day to day activity and allow you to satisfy the needs of a new generation of customers that will expect to buy what they want, anywhere, and anytime.

To learn more, please download our PDF down below.

Green Finance | Setting new standards

2022-05-11
Voir pdf

Introduction

Sustainable financing, with an emphasis on "green" financing, reveals the growing concern with new environmental, social and governance (ESG) challenges.

Sustainability has a tangible financial dimension that has been growing at an exponential rate. According to Refinitiv, in 2021 sustainable bonds reached a global value of $1 trillion, which represents 10% of the global debt market.

Because we believe that sustainability is an essential aspect of company’s business purpose and will become a pre-condition for accessing financial markets in the future, MACEDO VITORINO has created a Green Finance Team dedicated to the development and financing of green projects.

Our Green Finance Team has deep knowledge of the energy sector and the key regulatory and financial issues in preparing and structuring up green finance transactions.

The pace of development of the green debt and equity markets means that green finance will become dominant in the medium term. In the long term, companies that do not meet sustainability requirements will face increasing difficulties in accessing the financial markets.

 

Background

According to McKinsey, to prevent a rise of more than 1.5°C, no more than 400 gigatons can be emitted, which means cutting present emissions levels by two-thirds over the course of the decade.

In 2019, the European Union (EU) approved the "European Green Deal" with the aim of transforming Europe’s economy and set the following objectives:

  • Neutral greenhouse gas emissions by 2050; and 
  • Reduction of greenhouse gas emissions by at least 55% (compared to 1990) by 2030. 

The Portuguese National Plan for Energy and Climate (PNEC) establishes the following goals for 2030:

  • Reduce greenhouse gas emissions by 45-55% compared to 2005; 
  • Increase to 47% the share of energy from renewable sources in gross final energy consumption; and 
  • Reduce primary energy consumption by 35% compared to 2005. 

 

Green Finance: The New Framework

McKinsey estimates that to reach a net-zero transition between 2021 and 2050, requires a capital spending on physical assets for energy and land-use systems of about $275 trillion, an average of $9.2 trillion per year.

Investors are increasingly interested in green finance. According to Refinitiv, in 2021 "sustainable" bond issuance will exceed the $1 trillion mark for the first time, representing a 45% increase in debt when compared to 2020.

Sustainable bonds accounted for 10% of overall global debt market activity, which exceeds the 6.6% of 2020 by large.

The global value of green bonds reached $488.8 billion, almost doubling the 2020 levels. In number of issues, green bonds have increased by 54% compared to 2020.

Europe accounted for 54% of the sustainable bond market, compared to 22% for America and 18% for the Asia Pacific region.

 

The ICMA Principles

  • Use of proceeds. Bond proceeds should be utilised in eligible green projects (i.e. projects with clear environmental benefits that should be assessed and, if possible, quantified by the issuer).
  • Project evaluation and selection. The issuer should communicate to investors the environmental sustainability objectives, the process for determining the eligibility of projects and the complementary procedures by which it identifies and manages the environmental and social risks associated with the project.
  • Management of proceeds. Bond proceeds should be credited to sub-accounts or accounts controlled by a formal internal process to ensure that the proceeds are utilised in eligible green projects and can be audited by the issuer and external auditors.
  • Reporting. Issuers should disclose, and keep available information about, the use of proceeds, projects and their impact, on an annual basis or whenever there is a material change, including qualitative and, where possible, quantitative performance indicators.

 

Eligible Investments

The main types of 'green' investments identified by ICMA are, among others:

  • Renewable energy, including production, transmission, appliances and products;
  • Energy efficiency, such as in new and refurbished buildings, energy storage, district heating, smart grids, appliances and products;
  • Pollution prevention and control;
  • Clean transportation, such as electric, hybrid, public, rail, infrastructure for clean energy vehicles and reduction of harmful emissions;
  • Sustainable water and wastewater management;
  • Climate change adaptation, including information support systems such as climate observation and early warning systems; and
  • Green buildings.

 

The EU taxonomy regulation

Regulation (EU) 2020/852 on the establishment of a regime for the promotion of sustainable investment (referred to as the "Taxonomy Regulation") qualifies an economic activity as environmentally sustainable if that economic activity:

  • Contribute substantially to one or more environmental objectives, i.e. (i) climate change mitigation, (ii) adaptation to climate change, (iii) sustainable use, (iv) protection of water and marine resources, (v) transition to a circular economy, (vi) prevention and control of pollution and (v) protection and restoration of biodiversity and ecosystems;
  • Not significantly impair any of the environmental objectives listed in Article 17 of the Taxonomy Regulation;
  • It is developed in accordance with certain minimum safeguards; and
  • Satisfy the technical assessment criteria set by the Commission in Delegated Regulation (EU) 2021/2139.

 

Requirements of the taxonomy regulation

The Taxonomy Regulation requires projects to comply with the following requirements:

  • Identify the most relevant potential contributions to the environmental objective and the minimum requirements that must be met to avoid significant harm to any relevant environmental objectives;
  • Be quantifiable or, when this is not possible, use sustainability indicators;
  • Be based on conclusive scientific evidence and the precautionary principle;
  • Take life-cycle considerations into account by considering the environmental impact of the economic activity and the environmental impact of products and services resulting from that activity, the nature and scale of the economic activity, and the potential market impact of the transition to a more sustainable economy; and
  • Covering all relevant economic activities in a specific sector and ensuring that these activities are treated equally.

 

The future Green Bond regulation

The European Commission's proposed Green Bond Regulation sets out the following requirements for bonds to receive the designation "European Green Bond“ or “EuGB”:

  • The proceeds of the bonds should be allocated to activities that comply with the Taxonomy Regulation (Regulation (EU) 2020/852)
  • Before issuing EuGB, issuers must complete a factsheet in accordance with the model attached to the Regulation, obtain external certification and publish both documents;
  • Issuers must prepare an annual report on the allocation of the proceeds until they are fully used and a report on the environmental impact of the use of the proceeds at least once during the lifetime of the bonds; and
  • Issuers should obtain a post-issuance verification of the report regarding the allocation of revenues by an external entity.

 

What we can do

We can help funders and promoters with all legal aspects of funding, including:

  • Identify eligible projects against the European Taxonomy and the ICMA Principles;
  • Strategic advice on the definition of project eligibility criteria;
  • Define "green" commitments regarding the application of funds and the project;
  • Preparation of the technical file and financial documentation required for financing;
  • Collaborate with technical advisors in the certification and auditing of the project; and 
  • Monitor and verify compliance with "green" commitments throughout the life of the contract. 

If you wish to learn more, please download our PDF down below. 

Privacy in M&A

2022-05-09
Voir pdf

Data is everywhere. Information assets are highly valued by companies. Nowadays, businesses depend more frequently on information technologies and data than a few years ago, mainly before the entry into force and application of the European General Data Protection Regulation (GDPR).

In M&A transactions, data is the key for the evaluation of the target company and the risks associated with the deal. Transactions rely on cybersecurity to protect sensitive and confidential information. However, as insurance coverage over information assets is still not widely sought for, risks are greater for companies that may be more vulnerable during M&A transactions.

But if not the risk of an information breach, or the risk of mispricing the transaction, then the risk of being held legally liable for such breach, including personal data violation, must be of alarming to businesses during M&A transactions.

Within the context of a transaction, there are two key points regarding data protection compliance to be considered: whether personal data can be transferred from the target to the acquiror; and whether the parties comply with privacy laws.
In general, asset deals may be more exposed to data protection compliance risks than share deals or corporate reorganizations, since, in these latest two cases, there is no change in the position of the parties to contracts with employees, customers, and suppliers; that is, there is no transfer of the data controller position, which, even though a shareholders’ change, will remain the same entity. However, there are still significant compliance risks associated with share deals. The differences stages of a M&A transaction require different measures to ensure proper data protection compliance.

With this paper, we intend to provide you with the main points of interest that should concern the parties to a transaction, and to outline potential solutions to minimize or eliminate compliance risks.

 

Pre-signing

The typical M&A transaction kicks off with a due diligence on the acquiror, the target, or both. The due diligence is essentially an analytical review of data disclosed by the relevant party to a transaction. And the disclosure of data poses a significant compliance risk for those attributed the duty off keeping it safe.
Usually, access to data in a due diligence is assured via a data room, from which the reviewing party will obtain the contents that are object of the due diligence, including personal data, e.g., information on employees, customers. For this purpose, it may be advisable that data rooms disable save and print options, which is already common practice in many transactions.

Even before the transaction agreement is done, the parties are already obliged to comply with applicable data protection rules, as the pieces of information reviewed during a due diligence will most likely include personal data. And because data rooms usually host personal data, the parties to a transaction must execute data processing agreements with data room providers.
Personal data includes any information relating to an identified or identifiable natural person, as defined by the GDPR.
Deal structure and industry-specific due diligence is of great relevance, too. On one hand, personal data cannot always be transferred in asset deals, and, on the other, for businesses which are data-intensive, handling great amounts of personal data, it is advisable to conduct further compliance due diligence focusing on data protection.

When extra care is advisable, because e.g., the target company handles sensitive data, there are at least three main areas of play:

  • The transferability of data and, when applicable, the consent of data subjects on data transfer;
  • Whether the original purposes of the data processing (and for which, for example, data subjects gave their consent) are compatible with the acquiror’s business and data processing purposes in connection with the M&A transaction; and
  • The security standards in place at both target and acquiror to keep data safe.

Either for valuation or risk assessment, the acquiror should hence understand what the target’s liabilities on privacy matters are, as the acquiror may take on the target’s liabilities at completion.

What you should watch for:

  • Access to the data room should be restricted and information disclosed in the data room should be the necessary (data minimization principle). The employees or customers should not be identified or identifiable. For this purpose, and so that the information keeps meaningful value to the due diligence, the disclosing party can anonymize/pseudonymize information;
  • Alternatively, employees or customers should be informed that their information will be processed for the purpose of a due diligence and the disclosing party should obtain their consent. Not only this is impractical in large transactions, but also the parties should consider the fact that consent is only an appropriate lawful basis for data processing if it is genuine, which is not likely in an employment context, and thus the parties should rely on a different lawful basis for transferring data of employees;
  • The information disclosed should be limited to that that is strictly necessary to perform the due diligence. For this purpose, e.g., employment agreements can be sampled, or the information can be aggregated, or only key information can be disclosed, or the disclosure of sensitive data should be avoided;
  • The valuation of the target company should take into consideration that there may be restrictions to the use of personal data by the acquiror post-closing;
  • Whenever the target is processing data on behalf of a third party, data sharing agreements will likely include change of control or change of ownership clauses, which should be accounted for by the acquiror;
  • Both deal structure and the industry of the target are relevant for the purpose of assessing price, exposure to risk and steps required for a compliant M&A transaction.

 

Signing

If it were not for the comprehensive set of privacy rules, the assumption would be that the target company owned (and could freely exploit) the personal data it acquired over the years. But that is not the case.
Once the due diligence is complete, the transaction documents should safeguard the party’s position in view of any potential data breaches or infringement of data protection rules.

There are plentiful ways to ensure one’s position during negotiations and at signing: contract negotiations should entail an adequate level of protection against the findings resulting from the due diligence, whether this is reflected on the price or in contractual provisions; the share and purchase agreement should include representations and warranties that are tailored for data protection compliance and/or transferring the risk of violation; the counterparty should be able to warrant that it is compliant with privacy laws and has put in place adequate security standards, etc.
The target should warrant the acquiror, e.g., that there are not any pending proceedings related with data security breaches, that it has adequate security standards in place, or that it is compliant with the applicable privacy laws. Indemnification clauses and limitations of liability are also relevant in view of any potential breaches and/or liability resulting from the target’s business up until the completion date.
Insomuch as some transactions may be of greater complexity as regards data, data sharing and data integration, it may be cost-effective and legally advisable to include ancillary services agreements for the specific purpose of ensuring data protection compliance in the transaction documents.
There should be extra care in international M&A transactions due to potential international data transfers.
If data is transferred to a country outside of the EU-EEA, an assessment of the level of adequacy of the jurisdiction, to which the data will be transferred, has to be carried out. Alternatively, mechanisms such as standard contractual clauses, binding corporate rules, approved codes of conduct, approved certifications or a combination thereof have to be included in the transaction documents.
At signing, if the target processes or controls data, the acquiror should have obtained a comprehensive catalogue of data and respective consents, Records of Processing Activities (RoPAs), Data Protection Impact Assessments (DPIAs), if applicable, and Legitimate Interests Assessments (LIAs).

What you should watch for:

  • Data breaches and infringements of privacy laws are costly. Whenever appropriate, privacy-related risks should be accounted for with remediation and indemnification clauses;
  • If deemed adequate, it may be advisable that the parties agree to conditions precedent and covenants in respect to data processing;
  • Non-disclosure agreements (NDAs) should include data protection clauses and contractual penalties in case of failure to keep information confidential. We should note that NDAs executed by the parties for the purpose of ensuring confidentiality during the transaction process will most likely expire at signing of the asset purchase agreement (APA) or share purchase agreement (SPA), so it may be relevant to execute a new NDA at signing or include a non-disclosure provision in the purchase agreement;
  • If the target does not warrant that it is legally authorised to share the data with the acquiror, the acquiror risks exposure to liability for unauthorised processing of data;
  • Insurance on cyber risks is valuable and may even be a solution to a deadlock where the target is reluctant to be exposed to such a relevant liability.

 

Pre and post-closing

The day the share and purchase agreement are executed by the parties does not always match the closing of the transaction. The period between signing and the closing date could, in fact, take months. During this period, the transaction parties may also exchange information.
The parties should take into consideration that while the transaction is not closed, the acquiror is a third party and sharing information can result in responsibility before the competition authorities.

Some deals require a level of confidentiality that is sometimes conflicting with the interests of privacy laws. The timing for transfer of liability is key, then. When possible, and to avoid unnecessary exposure to compliance risks, the acquiror can be provided with statistical information instead of actual data, even if it is pseudonymized.

After the deal is closed, it is likely that the acquiror might have to face limitations on the use of data.

The acquiror should mind that the consent provided to the target by data subjects sometime in the past may both enable and limit the data processing by the acquiror. And even in a share deal, where the controller of data does not change, privacy policies will need to be updated, should the purpose or use of personal data change after completion.

What you should watch for:

  • Data sharing before the closing date should be limited to that strictly necessary for data integration purposes, and those handling data should be limited to the minimum;
  • Should the transaction not occur, the parties must be able to adequately eliminate and dispose of any data obtained during negotiations and before closing date;
  • Consent is not transferable in the context of an M&A transaction unless the data subject was informed of such a possibility when providing his consent, so this should be considered by the acquiror;
  • Data sharing before the closing date should be limited to that strictly necessary for data integration purposes, and those handling data should be limited to the minimum;
  • Where the purpose or use of data does change after completion, the acquiror will need to obtain the consent of the data subjects for their data to be processed under the revised privacy policies.

 

How does the GDPR impact M&A?

In the context of an M&A transaction, personal data of many sorts is handled and/or transferred from target to acquiror. This will include employees’ information, applicants’ CVs, IP addresses, suppliers’ information, etc..
The right to data privacy is not an absolute right. It is relative to its function in society. Throughout the transaction process, it is crucial that the parties weigh their legitimate interests against the fundamental rights and freedoms of data subjects.
The assessment of an adequate balance between the right to protection of individual data and freedom of enterprise adds a layer of complexity to M&A that is novel to the market.

During negotiations, the acquiror is a third party as it is neither the data subject, nor the controller, processor, or an entity who, under the direct authority of the controller or processor, are authorized to process personal data. This puts the parties in a very delicate position as to what information can be shared at a stage where trust and disclosure is key to the success of the transaction:

  • On one side, the logistics are seriously impacted as parties must go on tiptoe through each stage of negotiations and even after executing the agreement, bearing in mind that sharing information means exposure to a compliance risk.
  • On the other, data privacy influences both valuation and deal structure. As we explored, the price may be adjusted by exposure to compliance risks, and the structure of the deal must be compatible with the transfer of data from the target to the acquiror.
  • On the third, where transactions are negotiated behind closed doors, the current data protection framework, compliance obligations, and recent history of sanctions motivated by infringements during negotiations, suggest that even though the door is closed, it is not locked, and personal data protection concerns may not be neglected.

If you wish to find out more, please download our PDF down below.

Why Portugal 2021 | Doing Business in Portugal

2022-05-04
Voir pdf

Like the rest of the world, Portugal has been suffering from the devasting impact of the coronavirus pandemic. The measures adopted to prevent the spread of COVID-19 had a significant impact on the country´s economy.

Despite this, Portugal is currently the country with the highest percentage of people fully vaccinated, with 83,5% of the population fully vaccinated, as of September 2021, which is already encouraging the Government to open the economy and will decrease the numbers of the setback caused by the crisis.

Portuguese GDP fell 7.7% in 2020 and is expected to recover by 4.8% in 2021. Exports are also expected to recover 9.2% in 2021 after falling 20.1% in 2020. As expected, tourism, textile and footwear sectors, which are highly dependent on export markets, were severely hit.

However, investment in tourism, real estate, renewable energy and other longer-term projects in Portugal maintain their course. Despite the present difficulties, local and international investors remain confident in longer term prospects and in the resurge of tourism when the Covid-19 pandemic is behind us.

More importantly, against a backdrop of social unrest in many other developed countries in recent years, Portugal offers security, little social unrest and an inclusive and open society with low levels of racism, religious tensions and sex biases. According to Institute for Economics & Peace’s “Global Peace Index 2021”, Portugal ranks 4th in the most peaceful countries in the world, 3rd amongst European countries. Portugal also ranks 9th in Societal Safety and Security domain amongst the countries in the world.

Other opportunities will arise from the recently announced National Investment Program (Programa Nacional de Investments) with investments in 85 infrastructure projects over the next 10 years, supported by the European Union, with EUR. 21,660 million to be invested in the transportation sector, mainly in upgrading or building new railroads and subway infrastructure, EUR. 13,060 million in renewable energy and EUR. 7,418 million in environment related investments.

This guide reviews the main aspects to be considered by foreign investors looking at Portugal as a place to invest, such as how to set up of a business, government incentives, employment rules, tax system, intellectual property protection, investing in real estate and judicial system.

For more information go to www.macedovitorino.com/en/why-portugal.