
Tag: tech-and-digital

BIRD Incubation Program

  • Blog

Last week, BDV had a wonderful opportunity to contribute as a mentor and support startups in BIRD Incubator through their Incubation Program by fostering legal workshops.

BIRD Incubator welcomed BDV as a partner in 2024. BIRD is an AI-focused startup incubator dedicated to nurturing early-stage AI startups and fostering Croatia’s startup ecosystem. The Incubation Program spans six months and is designed for early-stage startups, offering a dynamic, in-person experience.

Throughout the program, startups participate in a range of extracurricular activities aimed at enriching their entrepreneurial journey. The first stage of the Incubation Program consists of 12 weeks, with each week focusing on a specific topic to ensure all startups attain the same level of knowledge and understanding before advancing to the next stage. These weeks are packed with workshops led by mentors and external experts who bring valuable insights to the table.

We are excited about the opportunities ahead and look forward to continuing our collaboration with BIRD Incubator in the future, fostering innovation and empowering startups to thrive.

Summa Equity acquires Nutris

  • Blog

BDV M&A team (Laurenz W. Vuchetich, Partner and Anamarija Javor, Attorney at Law) advised Nutris, a leading producer in the plant-based food industry in partnering with Summa Equity, one of the largest European investment funds.

Through this investment, Nutris will continue its development, focusing on scaling up its operations and enhancing the impact it has on the food system. Congratulations to Nutris for its continued growth and pushing the boundaries of innovation in plant-based nutrition.

More information can be found at the following link: https://lnkd.in/dVr4Y2Ab

BDV advised Gideon on entering into a strategic cooperation agreement with Toyota Material Handling Europe

  • Blog
The BDV team (led by Partner Marko K. Bohaček) is proud to have provided legal support to Gideon in entering into a strategic cooperation agreement for new automated logistics solutions with Toyota Material Handling Europe. According to Toyota Material Handling, the combination of Gideon technology with the company’s own vehicles will enable them to automate a variety of logistics applications and significantly reduce project implementation times. More details can be found here:


BDV advises Merit Media Int. on shareholding consolidation

  • Blog
The BDV team advised the majority shareholder of Merit Media Int., a leading publisher of daily news and updates in the energy transformer industry, on its shareholding consolidation. The team is proud to have provided long-standing support to a significant and successful international publisher with a wide reach to the targeted global energy industry audience in nearly 190 countries. The BDV Corporate team that advised Merit Media Int. on its shareholding consolidation was led by Partners Laurenz W. Vuchetich and Marko K. Bohaček.


Telegram Media Group Investment

The BDV team, led by Laurenz Vuchetich, partner, and Anamarija Javor, senior associate, advised Telegram Media Group, one of the leading digital publishers in Croatia, on its recapitalization by Media Development Investment Fund (“MDIF”), specialized in investing in debt and equity financing supported by technical assistance to media companies. The deal also included negotiating shareholders’ arrangements in Telegram Media Group. Congratulations to Telegram Media Group and MDIF on their cooperation, which will certainly safeguard the company’s independence and maximize its long-term prospects. More information can be found at the following link:


South Central Ventures investment

  • Blog
The BDV team (led by Antonia Ćurković) acted as legal counsel to South Central Ventures in its investment into Recommend within the Seed investment round. Recommend provides digitalized word-of-mouth marketing services through its digital platform aimed at improving digital marketing performance for both the customer and the merchant.


ADSCANNER Series A investment round

  • Blog
BDV (Antonia Ćurković and the team) advised AdScanner d.o.o. in its Series A investment round led by Enter Tomorrow Europe Magántőkealap (LEAD VENTURES) as the new investor and Enterprise Innovation Fund Coöperatief U.A. (South Central Ventures) and J&T Ventures CG SICAV a.s. (J&T Ventures) as existing investors and partners of the company. AdScanner closed the investment round at a total of nearly EUR 5m following the past 18 months of extensive growth and expansion. AdScanner is a company providing solutions for data-driven TV advertising based on its own, in-house developed AI and big data algorithms.


Infobip Shift Conference

  • Event
Our Partner, Marko Bohaček, participated in the Infobip Shift Conference, the largest developer conference in Southeastern Europe, held in Zadar. The conference’s purpose is to gather the global tech community. Ever since the first conference a decade ago, Shift has positioned Croatia as an IT powerhouse in Europe. Thanks to a packed program, breathtaking production, and a unique vibe, Infobip Shift is constantly growing. Congrats to Infobip and all the speakers for this outstanding event. It was great spending time with our clients and business partners and insightful to hear more about the future of the IT industry. We are eagerly anticipating next year’s conference.


The Buzz in Croatia

  • Blog
BDV’s partner Laurenz Vuchetich delivered his views on some of the most pressing issues in the Croatian market for the latest CEE Legal Matters interview. More information can be found at the following link: https://lnkd.in/euXUYRxR


BDV advises in intragroup share deal

BDV (Laurenz W. Vuchetich, partner, and Antonia Ćurković, attorney at law) advised SD Venture A/S, as the seller, and SD Venture Nutris ApS, as the purchaser, in the process of intragroup restructuring of their shareholding in NutriS d.o.o. As BDV previously reported, NutriS d.o.o. has recently launched the first fava bean protein isolate factory in Europe, thus revolutionising the technology of protein and starch production. Both SD Ventures A/S and SD Venture Nutris ApS, as well as NutriS d.o.o., operate under the umbrella of SiccaDania A/S, a leading process technology provider for food producers.


FIRST EUROPEAN FAVA BEAN PROTEIN ISOLATE FACTORY

BDV is proud to have advised NUTRIS in the development of an innovative factory based on a new and revolutionary technology of protein and starch production. BDV also advised Nutris in negotiating a facility agreement for financing the construction of a new food processing factory and in obtaining a new line of financing from partners. NUTRIS partnered with the Danish international engineering company in the field of food, starch, and dairy industries – SiccaDania Group. This is the first time such patented technology has been implemented in a factory of this size. This development is highly significant as it is the first fava bean protein isolate factory located in Europe. More information can be found at the following link:

BDV DELIVERED A LECTURE ON THE FUTURE OF FINTECH & INSURTECH

  • Blog

A broad range of topics was discussed at the F2I – FUTURE OF FINTECH & INSURTECH. Congrats to the organizer Bug and all the speakers. Our attorney Marko Bohaček delivered a lecture on “Changing the rules game in FinTech – PSD2 and other regulatory novelties”.

 

PSD2, the second Payment Services Directive (EU) 2015/2366, was adopted by EU Member States and seeks to improve the existing EU rules for electronic payments. It takes into account emerging and innovative payment services, such as internet and mobile payments. The directive sets out rules concerning:

  • strict security requirements for electronic payments and the protection of consumers’ financial data, guaranteeing safe authentication and reducing the risk of fraud;
  • the transparency of conditions and information requirements for payment services;
  • the rights and obligations of users and providers of payment services.
 

BDV looks forward to tackling, together with its clients, the exciting times of FinTech regulation ahead.


First legaltech conference in Zagreb


We were happy to be inspired by all the interesting topics covered at the first legaltech conference in Zagreb. Congrats to the organizer Bug and all the speakers. Our law technology expert Ms. Marija Bošković Batarelo delivered a lecture on “Regulation of AI”.

Technology is definitely changing the legal landscape as well as clients’ expectations. New opportunities will arise as robots are bringing more and more attention to lawyers’ strengths and weaknesses.

BDV looks forward to the challenging but exciting times ahead.


AmCham Member Seminar: GDPR – Data Processing Agreements

On 23 May 2019, our privacy counsel Mrs. Marija Bošković Batarelo held a seminar on the topic “GDPR – Data Processing Agreements”. At the seminar, 25 participants, representatives of American Chamber of Commerce in Croatia member companies, learned more about determining the scope of personal data being processed in case of business cooperation, the key roles in personal data processing (Data Controller, Data Processor, Joint Controllers), and the key elements of Data Processing Agreements.


Bitkom Privacy Conference in Berlin

Last week our Privacy Counsel Marija Boskovic Batarelo participated in the Bitkom Privacy Conference in Berlin. Topics of discussion were GDPR compliance, artificial intelligence, and the right to be forgotten. Important questions were raised regarding international transfers, Privacy Shield and Brexit. It was interesting to hear experiences from the DPOs of the EU, the Data Protection Commissioner of Ireland, and the US Department of Commerce.


Rethinking Interim Period Clauses in SPAs: European Commission’s decision against Altice brings new insights into the application of gun-jumping rules

  • Blog
The European Commission recently published the decision by which, in April this year, it imposed a record fine of EUR 124.5 million on the cable and telecommunications company Altice for so-called “gun-jumping” in its acquisition of the Portuguese telecommunications operator PT Portugal. EU merger rules require that companies notify the European Commission of planned mergers which fall within the scope of the EU Merger Regulation (the “EUMR”) (the “Notification Requirement”) and do not implement them until cleared by the European Commission (the “Standstill Obligation”). The standstill obligation serves to prevent the potentially irreparable negative impact of transactions on the market. In accordance with the EUMR, the European Commission may impose fines of up to 10% of the aggregated turnover of companies which intentionally or negligently breach such obligations. In its decision, the European Commission found that Altice breached both the notification and the standstill obligations. The Commission concluded that Altice’s contractual rights under the acquisition agreement, combined with pre-closing interaction with PT Portugal, amounted to de facto early implementation of the transaction, which is prohibited by the EU merger rules.

Background

In February 2015, Altice notified the European Commission of its intention to acquire PT Portugal, which was controlled by Oi, the Brazilian telecommunications operator. The transaction was conditionally cleared by the European Commission in April 2015, subject to the divestment of Altice’s subsidiaries in Portugal at the time, Oni and Cabovisão, since the subsidiaries were competitors of PT Portugal for telecommunications services in Portugal. In May 2017, the European Commission addressed a Statement of Objections to Altice raising its concerns that Altice implemented its acquisition of PT Portugal before obtaining the European Commission’s clearance, and in some cases, even before its notification of the merger.

Decisive influence and information exchange

In accordance with the transaction agreement, Altice was granted veto rights over decisions concerning PT Portugal’s ordinary business. Altice exercised its rights in certain cases, for example by giving PT Portugal instructions on how to carry out a marketing campaign. Altice also requested and received commercially sensitive information about PT Portugal. The operational and competitively sensitive information was exchanged between the parties without any confidentiality agreements in place. In its decision, the European Commission states “that having a degree of oversight over agreements which a target can enter into, and the commitments it can make, between signing and closing may be justified in order to preserve the value of a target, for example, to preserve the perimeter of the business or to guard against commitments of such magnitude that the value of the business could be affected. However, the Commission considers that having a veto right over almost all commercial action with a low monetary threshold in the context of the target’s business goes beyond what would be necessary to guard against material changes to a target’s business for the purposes of preserving its value. In particular, the European Commission considers that issues falling within a target’s ordinary course of business are unlikely to be relevant to preserving the value of the target’s business.” The European Commission concluded that the range of agreements and actions over which Altice had a veto right was so broad that it gave Altice the possibility to exercise decisive influence over PT Portugal. The decision demonstrates that certain veto rights, when going beyond what is necessary for the preservation of the value of the target company, may amount to gun jumping. 
Examples of such veto rights found in this decision are i) veto rights in relation to commercial policy, ii) the possibility to influence the appointment of the target’s senior management staff and iii) veto rights over nearly all commercial action with a low monetary threshold in the context of the target’s business.  

Other merger procedural cases

In May 2017, the European Commission fined Facebook EUR 110 million for providing incorrect or misleading information during the European Commission’s 2014 investigation of Facebook’s acquisition of WhatsApp. The European Commission issued a clearance decision in October 2014, approving the transaction under the EU Merger Regulation. Despite the previous fine, the European Commission gave a clearance since its decision was based on various elements going beyond those linked to the incorrect or missing information. In July 2017, the Commission sent three separate Statements of Objections, alleging breach of EU merger rules: one to General Electric, one to Merck and Sigma-Aldrich for allegedly providing incorrect or misleading information and one to Canon for allegedly implementing a merger before notification and clearance. These investigations are ongoing.  

Conclusion – Implications on SPAs

While the buyers can impose obligations on the sellers with the aim of securing the value of the target company, the stakeholders need to carefully consider the gun jumping rules when drafting the share purchase agreements, disclosing confidential information, as well as during other pre-closing interactions. The pre-closing oversight over agreements which a target may enter into, and the commitments it can make must not go beyond what is necessary for the preservation of the value of a target and cannot result in acquiring decisive influence over the target company prior to European Commission’s merger clearance. With this decision, it appears the European Commission once again safeguarded the EU merger control system, sending a strong message to merging companies of the importance of complying with EU merger procedural rules, which shall also reflect the application of local merger control rules within Member States.

For more information please contact


ANA LAH

+385 (0)1 5626 001 ana.lah@bdvlegal.com

Antitrust: Commission fines Google €4.34 billion for illegal practices regarding Android mobile devices to strengthen dominance of Google’s search engine

  • Blog
The European Commission has fined Google €4.34 billion for breaching EU antitrust rules. Since 2011, Google has imposed illegal restrictions on Android device manufacturers and mobile network operators to cement its dominant position in general internet search. Google has engaged in three separate types of practices, which all had the aim of bolstering Google’s dominant position in general internet search. In particular, Google:
  • required manufacturers to pre-install the Google Search app and browser app (Chrome), as a condition for licensing Google’s app store (the Play Store);
  • made payments to certain large manufacturers and mobile network operators on condition that they exclusively pre-installed the Google Search app on their devices; and
  • has prevented manufacturers wishing to pre-install Google apps from selling even a single smart mobile device running on alternative versions of Android that were not approved by Google (“Android forks”).
Market dominance is, as such, not illegal under EU antitrust rules. However, dominant companies have a special responsibility not to abuse their powerful market position by restricting competition, either in the market where they are dominant or in separate markets. Under the Commission’s decision, Google is required to stop and not to re-engage in any of the three types of practices. The decision also requires Google to refrain from any measure that has the same or an equivalent object or effect as these practices. It is Google’s sole responsibility to ensure compliance with the Commission decision. If Google fails to ensure compliance with the Commission decision, it would be liable for non-compliance payments of up to 5% of the average daily worldwide turnover of Alphabet, Google’s parent company. The Commission would have to determine such non-compliance in a separate decision, with any payment backdated to when the non-compliance started. Finally, Google is also liable to face civil actions for damages that can be brought before the courts of the Member States by any person or business affected by its anti-competitive behaviour. The new Directive 2014/104/EU of the European Parliament and of the Council of 26 November 2014 on certain rules governing actions for damages under national law for infringements of the competition law provisions enables persons injured by anti-competitive practices to obtain damages.

PRIVACY AS A DEFAULT SETTING UNDER THE GDPR

  • Blog
By Marija Boskovic Batarelo, LL.M Privacy Counsel, Batarelo Dvojkovic Vuchetich Law Firm  

INTRODUCTION

The Privacy by Default principle is part of the Privacy by Design concept, which consists of a set of seven foundational principles developed back in the ‘90s. Privacy by Design takes all privacy features into account beforehand and promotes privacy not only as a matter of compliance with legislation and regulatory frameworks, but as the default mode of operation.[1] During the last ten years, Privacy by Design has been widely accepted all over the world, and most recently it was introduced as a part of the General Data Protection Regulation (EU Regulation 2016/679, hereinafter: GDPR) as data protection by design and by default.

REGULATION OF CODE

Since Directive 95/46/EC demonstrated that the law cannot successfully keep pace with fast technological developments and the global digital market, the GDPR implemented rules regarding data protection by design and by default as a way of regulating behaviour by code. The code, as a system of rules used in information and communication technologies (hereinafter: ICT) to convert information, has no particular architecture that cannot be changed. By imposing an obligation to integrate privacy into ICT settings, the code could equip the data subject (an identified or identifiable natural person) with more powers than law alone. This code can change, either because it evolves in a different way, or because governments or businesses push it to evolve in a particular way. It is up to national legislation to balance between the privacy of the individual, public security, and economic interests. Competition between different stakeholders (consumers, businesses, and governments) could develop. Authors of code might develop code that displaces law, while authors of law might respond with law that displaces code.[2]

DATA PROTECTION BY DEFAULT UNDER THE GDPR

Ensuring privacy through default settings seeks to foster data subjects’ rights and deliver the maximum degree of privacy by ensuring that personal data are automatically protected in any given ICT system. Thus, no action is required on the part of the individual to protect their privacy – it is built into the system, by default.[3] The GDPR in Article 25 paragraph 2 prescribes: “The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.”

Such a general provision can create a lot of debate, and we can expect many discussions and interpretations until the GDPR is fully applicable and a certification mechanism for compliance with data protection by design and default is in place. The obvious question that arises after reading this provision is: should any data be collected without consent, or should data controllers decide upon the level of collection of personal data that is necessary for each specific purpose of the processing? This question is particularly interesting with regard to smartphones, where many applications collect various personal data and certain personal data is necessary for the actual functioning of the application (for example, location).

CONCLUDING REMARKS

Data protection by default puts a significant liability burden on developers of ICT platforms and applications. According to this principle, all ICT should be developed and implemented with mechanisms for ensuring data protection by default, and the minimum necessary for collection purposes should be precisely defined. The technology should provide an opportunity for explicit consent, and the data subject must choose to share certain data. The law shall set limitations and grounds for the processing of data, and contracts shall define the precise scope of default settings. However, at this point we do not have clear guidelines prescribed by law, and many ICT solutions usually have terms and conditions that are quite general.

What could be recommended as a good practice is that ICT should be developed as a mechanism that, by its initial settings, allows only the minimum collection of personal data along with the minimum time of storage and a defined circle of personnel authorised to access the data. Only upon the consent of the data subject would those settings be changed, allowing more scope regarding data processing. This would mean, for example, that the data controller would initially perform only such processing of data as is necessary for the core functionality of an application or service. Also, processing of data that is prescribed by law, pursues a legitimate interest, or is necessary for the vital interest of the data subject or the public interest could be initially justified, whereas for all processing of data outside of this limited scope, the data controller would need additional consent, and such consent would then change the default settings.

[1] https://www.ipc.on.ca/wp-content/uploads/2013/09/pbd-primer.pdf.
[2] Lawrence Lessig, “The Law of the Horse: What Cyberlaw Might Teach”, Research Publication No. 1999-05 12/1999, p. 532.
[3] A. Cavoukian, Ph.D., Comments on the European Commission’s Comprehensive Approach on personal Data Protection in the EU – Public Authority, 13 January 2011, p. 2.

The importance of cybersecurity in M&A

  • Blog
With the development of IT in recent years, most companies tend to store their data in electronic form. This provides them with many benefits, namely more productive business conduct as well as reduced costs. However, it also makes data more vulnerable to cyberattacks. Cyberattacks have recently become more and more common, and their actual number is unknown, given how difficult they are to discover. Awareness of their existence must find its place in the due diligence process in order to give them appropriate weight in the negotiations of a deal.

Cyberattacks in M&A deals

Cyberattacks came into the spotlight in 2013 when Neiman Marcus, a department store, experienced a cyberattack involving the injection of malware into its customer payment-processing system. This resulted in the compromise of data of about 350,000 customer payment cards. The company was unaware of the malware for a period during which it entered into an M&A transaction to be acquired by another group. During this period, neither Neiman Marcus nor its acquirers were aware of their data being compromised. Shortly after the acquisition was completed, several fraudulent uses of credit cards were discovered, which subsequently resulted in massive class-action claims against Neiman Marcus. Although not the only such incident (Yahoo being another example), the Neiman Marcus cyberattack illustrates that there is a growing need to assess a target company’s cyber vulnerabilities and the potential repercussions from incidents, not just to protect the target company but to protect the acquirer itself. Cybersecurity due diligence must become an integral part of M&A and, to be done properly, must begin at the earliest practicable time in the transaction.

Cybersecurity due diligence

The scope of this area of due diligence will be different for each specific case. Nevertheless, certain guidelines should be followed in order to execute cybersecurity due diligence as thoroughly as possible. This would provide the acquirer with an approximation of the actual condition of the target company’s digital assets by revealing the cyber vulnerabilities of those assets, whether the target has been adequately safeguarding and monitoring the control of those assets, and any records of cyber incidents that may have resulted in compromises of those assets, putting the acquirer in a position that allows it to fully protect its interests.

1. Initial assessment

The acquirers should first assess which data is important for the business of the target company and how the company processes it.

2. Internal protection

The target company should have internal rules and regulations on how to protect its digital assets. Acquirers should assess (i) whether such internal rules and regulations are appropriate and (ii) whether the target company has effectively implemented such rules and regulations (e.g. do they regularly train their employees? Are security measures implemented? Are they aware of any non-compliances?). It is very important to assess whether the target company is properly prepared to identify cyberattacks and to respond within the relevant timeframes.

3. External regulations

When applicable, acquirers should assess the target company’s compliance with any external regulations governing cybersecurity issues.

4. Assessment of third-party relationships

Acquirers should investigate all (relevant/material) third-party relationships of the target company and assess whether the agreements with any vendors and other suppliers and contractors have appropriate contractual protections in place that ensure that the third party properly deals with the target company’s data and has appropriate IT security systems in place. Third-party contracts should also provide for contractual notification obligations and emergency response mechanisms, as well as audit rights for the target company to verify compliance with the foregoing.

5. Assessment of past security breaches

Most importantly, acquirers should confirm with the target company whether there have been any past security breaches and if yes, assess their scope and impact. In this regard, they should specifically assess:
  • what data might the attackers have gained access to (did they read files, change permissions, make copies of customer lists);
  • what data might the attackers have viewed and exfiltrated copies of;
  • what data might the attackers have changed (did they modify data contained in certain files and, if so, what changes did they make);
  • what defences of the target did the attackers force the target’s system to reveal (not knowing what the attackers have learned may cause a target to be far more vulnerable to future cyberattacks than the target (or an acquirer) may realize);
  • did the attackers gain entry by breaching a layer of the target’s system that did not have the same defences as other layers? Some layers of a target’s computer-network system may have fewer or different protections than others, and attackers can breach a system by going through a layer that lacks the protections present at a higher or lower layer.

Finally, to protect the acquirer, cybersecurity risks should eventually be dealt with in the final and binding transaction documents. Acquirers should consider requesting representations and warranties, including on the absence of current and past security incidents, implementation of appropriate internal rules and regulations and compliance therewith, compliance with applicable data protection and data / IT security laws, and absence of disputes and investigations relating to cybersecurity and data breaches. Additionally, they should request indemnities for specific identified risks, such as pending litigation, or risks of a general nature, for which acquirers expect that issues will likely arise in the future, such as pre-closing taxes or, in some jurisdictions, environmental matters (concerning leaks that occurred prior to closing).

Cybersecurity Draft Act

In order to achieve a high level of cybersecurity and protect service providers, the Croatian Cybersecurity Draft Act provides that key service operators (services such as banking, the rail transport sector and air traffic) and digital service providers (services such as online marketplaces, online search engines and cloud services) take technical and organizational measures for risk management, measures to prevent and mitigate the effects of incidents on the security of network and information systems, and measures for determining the risk of incidents, for preventing, detecting and resolving incidents, and for alleviating their impact. The providers should also inform the competent bodies of any such cybersecurity incident. The implementation of such measures should mitigate possible cybersecurity risks and also serve as a source of information for the acquirer where a company has been the target of a cyberattack.

The Court of Justice referred the €1.06 billion Intel antitrust case back to the General Court

  • Blog
In a judgment delivered on 6 September 2017, the Court of Justice set aside the previous ruling of the General Court issued on 12 June 2014, which had upheld the fine of €1.06 billion imposed by the Commission on Intel in 2009 for abuse of a dominant position.

According to the Commission’s 2009 decision, Intel abused its dominant position in the market by granting rebates to four major computer manufacturers (Dell, Lenovo, HP and NEC) on the condition that they purchase from Intel all, or almost all, of their x86 central processing units (CPUs). In addition to the rebates, Intel awarded payments to Media-Saturn, which were conditional on the latter selling exclusively computers containing Intel’s x86 CPUs. The Commission found that those rebates and payments induced the loyalty of the four manufacturers and of Media-Saturn, which as a result significantly diminished the ability of Intel’s competitors to compete.

The General Court upheld the Commission’s decision, which stated that loyalty rebates granted by an undertaking in a dominant position were, by their very nature, capable of restricting competition, such that an analysis of all the circumstances of the case and, in particular, an “as efficient competitor” test (the “AEC Test”) were not necessary. The Court of Justice, however, found in its judgment that the Commission did not carry out an in-depth examination of the circumstances of the case in its decision, in which, according to the Court, the AEC Test should have had an important role.

The Court referred the case back to the General Court so that it may examine, in the light of the arguments put forward by Intel, whether the rebates at issue are capable of restricting competition. Intel’s arguments alleging that the Commission lacked territorial jurisdiction to penalise the abuse, and alleging procedural irregularities that affected its rights of defence, were rejected by the Court.

Source: Court of Justice of the European Union, press release No 90/17 of 6 September 2017