CEE Legal Matters

Author: admin

  • Acar & Ergonen and Esin Attorney Partnership Advise on Sale of Yargici

    Acar & Ergonen has advised Tims Group, Tims Production, and Timur Savci on the acquisition of Yargici from GB Retail Investments Holding. Baker McKenzie’s affiliate law firm Esin Attorney Partnership advised the sellers.

    Yargici is a Turkish retail apparel and fashion company.

    The Acar & Ergonen team included Managing Partner Duygu Acar Yucesoy, Partner Asli Tezcan, and Associates Pınar Akkaya and Sila Eyvaz Sir.

    The Esin Attorney Partnership team included Senior Partner Ali Selim Demirel, Senior Associate Sila Pinar, and Associate Hilal Aydin.

  • GDPR Fines and Data Breach Trends in the CEE Region

    The latest DLA Piper GDPR Fines and Data Breach Survey provides a comprehensive overview of data protection enforcement trends across Europe, including the Central and Eastern European (CEE) region. CEE countries are in the mid-range in terms of total GDPR fines imposed since the regulation became applicable in 2018 and for last year, but enforcement activity is steadily increasing. Here are the latest trends and legal developments in Austria, the Czech Republic, Hungary, Poland, Romania, and Slovakia.

    In terms of total GDPR fines imposed from 25 May 2018 to date, CEE countries are in the middle of the ranking of 31 European countries.* Austria leads the region, ranking 9th with EUR 44,816,915 in fines, followed by the Czech Republic (13th, EUR 12,123,489), Poland (15th, EUR 6,919,077), Hungary (17th, EUR 4,170,000), Romania (21st, EUR 2,086,318) and Slovakia (26th, EUR 644,247).

    In contrast, Ireland and Luxembourg dominate the rankings with EUR 3,507,481,500 and EUR 746,380,875 in fines, respectively. These exceptionally high figures are mainly because the European headquarters of major technology giants such as Meta are located in these countries. Liechtenstein recorded the smallest total fines, amounting to just EUR 28,107.

    In Romania, the Data Protection Authority has maintained its approach of issuing numerous but relatively low fines throughout 2024, solidifying its position as one of the most active regulators in the EU.

    The report also provides insights into the total number of personal data breach notifications between May 2018 and January 2025, where Poland stands out significantly, ranking third with 70,204 breach notifications. Other CEE countries are in the mid-range, with reported data breaches ranging between 800 and 7,000.

    Technology and financial sectors face high fines

    Since the GDPR was introduced, companies in the technology, social media, and financial sectors have been among the most heavily fined entities. Given the vast amounts of personal data these businesses handle and their widespread consumer impact, regulators continue to closely monitor and assess their data processing practices.

    In 2024, one of the most notable enforcement actions in these sectors occurred in the Czech Republic. The Czech Office for Personal Data Protection (Czech DPA) imposed a fine of CZK351 million (EUR14 million) on Avast Software, a cybersecurity company, for transmitting around 100 million users’ pseudonymized internet browsing data to its subsidiary, Jumpshot, Inc. The Czech DPA determined that Jumpshot unlawfully shared this data with marketers to track online consumer behaviour. Avast misled users by falsely claiming the data transfers were anonymous and solely for trend analysis. In reality, the data wasn’t properly anonymized and allowed for re-identification. Avast also processed the data for consumer tracking without a legal basis.

    In Poland, the President of the Personal Data Protection Office (PUODO) imposed administrative fines on several large international banks, including issuing a fine of EUR870,000 for failing to notify customers of a data breach.

    In Hungary, significant fines were imposed in recent years on companies for unlawful video surveillance practices. The Hungarian National Authority for Data Protection and Freedom of Information focused on data subject access rights, the data processing activities of health service providers and data breaches.

    Recent legal developments

    Beyond enforcement actions, the Czech DPA continued its methodological activities by issuing guidance on the recommended use of camera systems in public spaces, schools, and on processing drone camera recordings.

    An important legal development in Austria in the past year relates to data subjects’ rights, which have been extended to legal entities. The discourse on the application of the GDPR to legal entities has been ongoing in Austria since 2018, but the specific application of data subject rights is a recent development. The initial decision by the Data Protection Authority (DPA) dates back to October 2023, but the court’s decision in the appeals procedure, which upheld the DPA’s stance, was issued in 2024.

    What to expect in 2025?

    The “consent or pay” model is expected to remain a key regulatory focus in 2025, both in Europe and the CEE region. Under this model, users can choose between two options: consent to the use of their personal data for behavioural advertising or pay for the service.

    Following the European Data Protection Board’s (EDPB) opinion on the model, the Czech DPA issued a preliminary measure against Seznam.cz, the Czech Republic’s leading search engine and app provider, requiring it to stop processing personal data obtained through consents where the only alternative was paid access. Investigations into similar practices by major media companies are ongoing.

    The EDPB’s long-awaited opinion on AI-related data processing, published in December, didn’t provide definitive guidance, leaving room for uncertainty regarding the lawful use of personal data in AI models. With AI adoption expanding rapidly across industries, European regulators are expected to intensify investigations and enforcement actions related to AI-driven data processing. As a result, businesses leveraging AI for data analytics, automation, and customer interactions should prepare for heightened scrutiny and ensure their AI models align with GDPR requirements.

    *DLA Piper’s seventh annual survey takes a look at key GDPR metrics across the European 

    Economic Area (EEA) and the UK since GDPR first applied and for the current year to 27 January 2025. The EEA includes all 27 EU member states, plus Norway, Iceland and Liechtenstein.

    By Sabine Fehringer, Partner, Austria, Tomas Scerba, Partner, Czech Republic, Zoltan Kozma Partner, Head of IPT, Hungary, Ewa Kurowska-Tober, Partner, Head of IPT, Poland, Irina Macovei, Counsel and Andrei Stoica, Senior Associate, Romania, and Eva Skottke, Legal Director, Slovakia, DLA Piper

  • “‘Stewardess’ Out of the Game,” or the First Successful Follow-On Claimant’s Damages Action in the Czech Republic

    When discussing competition law, the Competition Authority and its powers are usually part of the business conversation, given that it is the key enforcer ensuring fair competition and penalizing those who try to distort it. However, for many undertakings, a decision by the Competition Authority isn’t always the end of their fight for justice – sometimes it’s just the beginning. Affected competitors often have to undertake significant efforts to seek compensation from those whose anti-competitive behaviour has harmed or even destroyed their business. In this article, we share our experience with the first-ever successful follow-on damages action in the Czech Republic and the challenges we encountered along the way.

    Our story began in 2004 when Student Agency launched its bus service between the two largest Czech cities, Prague and Brno. However, its distinctive yellow buses didn’t remain the sole option on this route for long. In 2007 Asiana – a Czech company previously focused mainly on selling airline tickets – entered the market with its own buses on the same route. To Asiana’s surprise, Student Agency responded immediately by aggressively expanding its transport capacity on the Prague-Brno route. Moreover, it provided services at prices lower than the average monthly total cost, slashed fares on buses departing at the same time as Asiana’s, prevented access to the bus boarding point in Brno, and even thwarted a ticket sales agreement with a local newsstand operator in Brno. After nearly a year of fierce struggle, Asiana was ultimately forced out of the market.

    Following the anti-competitive behaviour of Student Agency as the dominant player in the market, we assisted Asiana in preparing a complaint to the Czech Competition Authority regarding possible abusive exclusionary practices. The Competition Authority began to look into the matter and to gather evidence it conducted a dawn raid at Student Agency’s headquarters, during which it seized the following emails: “Today the ‘stewardess’ went on her first ride. The fight begins, which must end within 2 months with Asiana’s withdrawal from the Brno – Prague route.” and “we decided to take an uncompromising approach. ‘Stewardess’ out of the game. If we don’t give it a chance, it will be pushed off the line within 2 months……[1] In these emails, the references to ‘stewardess’ refer to Asiana’s other business activities of selling flight tickets through its website and trade name “Letuška“, which translates as ‘Stewardess’. Based on these emails, the Competition Authority concluded that Student Agency deliberately sought to exclude Asiana from the market. Therefore, to establish abuse of dominance the Competition Authority only needed to prove that Student Agency set its prices below the average total costs, rather than the average variable costs.

    The Competition Authority then concluded that Student Agency was a dominant undertaking on the relevant market, which deliberately priced its tickets below the average total costs and expanded transport capacity in order to exclude Asiana from the market, as a result of which consumers were restricted in their choice of carrier and suffered harm in the subsequent increase in transport prices. Given the above, the Competition Authority imposed a fine of CZK 5,154,000 on Student Agency.

    However, Asiana was still far from receiving proper compensation at this point. Student Agency challenged the Competition Authority’s decision in Czech administrative courts, seeking to have it overturned. Understandably, Asiana was eager to prevent this, as the decision formed the foundation for its claims in a subsequent follow-on action. Therefore, Asiana attempted to intervene in the proceedings brought by Student Agency. To be able to intervene in proceedings before the administrative courts in the Czech Republic, one must, simply put, be directly affected in one’s rights and obligations by the issuance or revocation of the contested decision of the administrative authority (e.g., the Competition Authority). Thus, we argued that the abuse of dominant position was to Asiana’s direct detriment (exclusion from the market) and that if the Competition Authority’s decision were overturned, Asiana’s private and public rights would be affected. The issue of Asiana’s participation in the administrative proceedings came before the Czech Supreme Administrative Court, which – surprisingly enough – concluded that the purpose of the Czech Competition Act[2] is to protect competition as an economic phenomenon, not to protect individual market participants, and that Asiana was thus only indirectly affected by the Competition Authority’s decision.[3]

    Although Asiana was not able to intervene in the proceedings before the administrative courts, the courts upheld the Competition Authority’s decision and the path to compensation was finally open. We therefore filed a lawsuit on behalf of Asiana against Student Agency, asserting several claims. First, we claimed actual damages for the costs incurred in the operation (lost costs consisting of the preparation, entry and implementation of the operation of the Praha – Brno bus line). Second, we claimed lost profits for the duration of the operation. And third, we claimed lost profits for the year following Asiana’s exclusion from the market.

    A major benefit of this follow-on action was that the court was bound by the fact that was proven in the administrative proceedings that Student Agency had breached the Competition Act to the detriment of Asiana. Therefore, it was sufficient for us to prove only the amount of damage incurred. Even though our procedural situation was significantly simplified by the existing decision of the Competition Authority, the court proceedings took an unreasonably long time and we did not see a final decision until January of last year (2024). Over the years, a total of seven decisions have been issued, which reflects how the courts have leaned one way or the other throughout the proceedings. However, the lengthy litigation had a happy ending for Asiana, as the courts concluded that it was entitled to compensation of over CZK 22,000,000, which could at least financially compensate for the injustice caused by Student Agency’s anti‑competitive behaviour.

    Let us conclude with a few remarks for further reflection. The case described above (the first successful follow-on claimant’s damages action in the Czech Republic) shows that enforcement of damages claims arising from competition law infringements remains in its early stages in the Czech Republic and that the courts lack sufficient experience to be able to resolve these claims quickly and effectively. The situation is not helped by the fact that affected competitors cannot join the administrative court proceedings in which the Competition Authority’s decisions are reviewed, which not only complicates their access to relevant information and documents but mainly prevents them from exercising influence on the proceedings, the outcome of which has far-reaching consequences for them. In our view, the current dismal situation may discourage affected competitors from pursuing their claims, which we consider unfortunate. We hope that reaching justice in area of private competition enforcement in the Czech Republic will be significantly accelerated in the coming years, whether through the application of adopted competition damage laws or an increase in the experience of the courts with this type of civil action.

    [1] The text of the emails was translated from Czech. Some phrases have been modified to maintain their true meaning.

    [2] Act No. 143/2001 Sb., on the Protection of Competition (Act on the Protection of Competition), as amended.

    [3] See the judgment of the Supreme Administrative Court, file No. 7 As 7/2014-39 of 14 May 2014.

    By Pavel Dejl, Partner, and  Filip Rehak, Intern, Kocian Solc Balastik

  • New Regulation of Cloud and Data Center Services in Ukraine

    On 11 February 2025, the Ukrainian Government adopted a resolution regulating various aspects of cloud and data center services (the “Services“) provision and use. In particular, the resolution introduces:

    • a procedure for the provision of Services related to the processing of state information resources (“SIR“) or restricted information, the requirement for the protection of which is established by law (“resricted information“);
    • requirements for Service providers;
    • a framework for the formation and use of electronic catalogues of Services;
    • a model contract governing the provision of Services to public users of cloud services and critical infrastructure operators for their critical information infrastructure.

    The resolution is adopted under the Law of Ukraine “On Cloud Services”.

    Key provisions

    1. Services related to the processing of SIR or restricted information

    The resolution establishes the procedure for providing Services related to processing SIR or restricted information. In particular, such Services must be provided under a contract, the term of which may not exceed the validity period of a conformity document issued by an accredited conformity assessment body in electronic communications. The conformity document serves as a evidence of compliance with requirements for information security management, service continuity, network and information system security. Users also consider these conformity documents when comparing Services and cloud infrastructure options.

    1. Requirements for Service providers

    The resolution defines the obligations of Service providers, including

    • the steps required for a Service provider to be included into the official list of providers (the “List”), which is maintained by the Administration of the State Service for Special Communications and Information Protection of Ukraine (the “SSSCIP”); and
    • the procedure for confirming compliance of Service providers with these requirements.

    The requirements cover technical, organisational, and physical security measures, including the implementation of an information security management system (the “ISMS”) or comprehensive information security system (the “CISS”), cybersecurity incident management and service continuity management, automated service control, monitoring, auditing, and security testing.

    The Service provider shall ensure compliance with the established standards, in particular international standard ISO/IEC 27001 or a standard of a foreign country adopted under this standard, or the Ukrainian national standards ISO/IEC 27001:2023 (ISO/IEC 27001:2022, IDT), ISO/IEC 27018:2019.

    To confirm compliance with the requirements, a provider must obtain: (i) a conformity document issued by a conformity assessment body or a document confirming the compliance of a CISS based on the results of a state examination in the field of technical information protection; (ii) policies and procedure for processing personal data; (iii) documents confirming the ownership or other property rights to equipment and premises used for providing Services; and (iv) a conformity document issued by a conformity assessment body in the field of electronic communications, confirming compliance with the requirements.

    1. Electronic catalogues of Services

    The resolution also regulates the procedure for forming and using electronic catalogues of Services. Key provisions include:

    • Service providers must publish and maintain an electronic catalogue of their services in Ukrainian on their website;
    • the catalogue will be a reference for public users* and critical infrastructure operators. It will assist in market analysis and procurement planning under the Law of Ukraine “On Public Procurement”.

    Under the Law of Ukraine “On Cloud Services”, a public user of cloud services is a state authority, an authority of the Autonomous Republic of Crimea, a local self-government body, a state enterprise, a state institution, a state organisation or other subject of authority or other entity to which such authority has been delegated.

    The catalogue must include: (i) a description of the Service, terms and conditions of use, data protection procedures, location of cloud resources/data center, incident reporting mechanism, compliance with standards, and (ii) an identification code such as the USREOU (Ukrainian company code), LEI code (international legal entity identifier) or taxpayer identification number for individual entrepreneurs. These provisions indicate that the Service provider may be either a resident or a non-resident of Ukraine.

    1. Model contract for the provision of Services

    The model contract governs agreements between Service providers and public users and critical information infrastructure facility operators. The model contract outlines the procedures and conditions for granting access to the Services, the payment procedures, and the rights and obligations of both parties. For example, the provider is obliged to immediately notify the user of a cybersecurity incident that has or may have a significant negative impact on the provision of Services, confirming the notification to CERT-UA, and further inform the user of the measures taken to respond to the cybersecurity incident.

    In terms of liability, a penalty of 20 percent of the value of the defective Services will apply for failure to provide quality Services. Additional sanctions will apply for failure to comply with time limits for fulfilling the obligation.

    Early termination of the contract is allowed (i) by mutual agreement of the parties, (ii) by unilateral termination due to contract breaches, (iii) in case of termination or cancellation of the document confirming compliance with the requirements for managing information security, continuity, security of network and information systems of the providers.

    Under the provisions of the model contract, the law of Ukraine applies to legal relations not regulated by the contract. Disputes fall under the jurisdiction of Ukrainian courts.

    1. Compliance deadline and next steps

    Providers and users of cloud services or data center services in Ukraine must comply with the new regulatory framework. Until 31 December 2025, public users may still procure Services from providers not included in the official List. After that date, only listed providers will be eligible for public procurement contracts.

    Given this, Service providers should prepare in advance to meet the requirements for inclusion in the List to maintain the possibility of providing Services to public users after 2025.

    By Yuriy Kotliarov, Partner, and Sergiy Tsyba, Counsel, Asters

  • Walless Advises Enterstore on Acquisition of Miss Mary of Sweden

    Walless has advised Enterstore, part of Hartenberg Holding, on its acquisition of Miss Mary of Sweden from Swedish Bra Holding AB. Vinge reportedly advised Swedish Bra Holding.

    Miss Mary of Sweden is a brand specializing in the design, production, and sale of women’s underwear.

    The Walless team included Partners Hannes Vallikivi, Rolan Jankelevitsh, and Toomas Taube, Counsel Johanna Maksing, Senior Associates Angela Kase, Kaisa Uksik, Liis Venelaine, Linda Merileid Tilk, and Riin Rehepapp, and Associate Laura Melk.

  • Bernitsas Advises Eurobank Holdings on EUR 588.5 Million Liability Management Exercise

    Bernitsas has advised Eurobank Ergasias Services and Holdings on a liability management exercise totaling EUR 588.55 million.

    According to Bernitsas, the transaction involved two components: an invitation to holders of EUR 200 million fixed-rate reset callable tier 2 dated subordinated notes due June 14, 2033 – issued by Eurobank Holdings’ subsidiary, Hellenic Bank Public Company Limited – to exchange their notes for new Euro-denominated tier 2 dated subordinated notes; and the issuance of EUR 400 million fixed-rate reset subordinated instruments due 2035 offered to international and domestic institutional investors via a bookbuilding process and subsequently listed on the Euro MTF market of the Luxembourg Stock Exchange.

    In 2024, Bernitsas advised Eurobank Holdings on EUR 300 million subordinated tier II instruments issuance (as reported by CEE Legal Matters on February 8, 2024). 

    The Bernitsas team included Partners Nikos Papachristopoulos and Maria Nefeli Bernitsa and Counsel Alexia Kefalogianni.

  • The Dual Obligation of EPR and Environmental Product Charge Has Been Abolished, EPR Penalty Rates Have Been Introduced

    Following the year-end legislative news, several changes affecting so-called “green taxes” came into force at the beginning of 2025. The most significant of these is the effective abolition of the dual obligations of the Extended Producer Responsibility (EPR) and the Environmental Product Charges (EPC), except for plastic carrier bags, and the introduction of the EPR penalty rates that have been expected since the introduction of the EPR. At the same time, there are also many changes to the EPR rules.

    The amendment aims to reduce the double administrative burden for the obligated parties.

    From 1 January 2025, the dual obligation of the EPR and the Environmental Product Charge (EPC) on the packaging, electrical and electronic equipment, batteries, tyres, office stationery, and promotional paper will be abolished. Since the introduction of the EPR, the product charge obligation for these product streams consisted only of administrative tasks and did not constitute a payment obligation, as the introduction of the EPR made the amount of the EPR charge for the relevant product or material stream deductible from the product charge. Although the amendment has not brought any significant financial benefits to companies, it has nevertheless relieved the businesses concerned of a significant administrative burden.

    An important change is that from 1 January 2025, plastic carrier bags will be included in the product stream of other plastic products and will remain subject to the product charge as a single product subject to the EPR. A change from the draft was made to the level of the product charge payable on plastic carrier bags, with the deduction of the EPR charge from the product charge as the only product still covered by both pieces of legislation.

    Significant uncertainty for businesses has been removed by the definition of the penalty rates for non-compliance with the EPR obligation in the Government Decree on Waste Management Fines, which will enter into force on 1 April 2025.

    By Rozsa Rusvai-Darazs, Attorney at law, KCG Partners Law Firm

  • The Court vs. “Mr.” and “Mrs.”

    By judgment from 9 January 2025 in Case C‑394/23 the Court of Justice (CJEU) rules that the processing of personal data relating to the title of the customers of a transport undertaking is not necessary and might even be not legally grounded.

    Titles whose purpose is to personalize commercial communication based on their gender identity, do not appear to be either objectively indispensable or essential to enable the proper performance of a contract, says CJEU. Therefore, they cannot be regarded as necessary for the performance of that contract or as essential for the legitimate interests pursued by the data controller or by a third party, where those customers were not informed of the legitimate interest pursued when those data were collected; the processing is not carried out only in so far as is strictly necessary for the attainment of that legitimate interest; or in the light of all the relevant circumstances, the fundamental freedoms and rights of those customers can prevail over that legitimate interest, in particular because of a risk of discrimination on grounds of gender identity.

    Association Mousse, an organization that fights against gender discrimination, challenged the practice of SNCF Connect, the French railway company, before the French data protection authority (CNIL), arguing that requiring customers to specify their title (e.g., “Monsieur” or “Madame” / “Mr” or “Ms”) when purchasing tickets online violates the General Data Protection Regulation (GDPR). Mousse believes this requirement violates the principle of data minimization, as the title, which indicates gender identity, does not appear necessary for purchasing a rail ticket.

    In 2021, the CNIL rejected the complaint, determining that the practice did not breach the GDPR. Mousse disagreed with the decision and appealed to the French Council of State, requesting that the decision be annulled. The Council of State referred the case to the CJEU, asking whether the collection of data regarding titles (specifically ‘Monsieur’ or ‘Madame’) can be considered lawful and compliant with the principle of data minimization, particularly when this data is used for personalized commercial communication, in line with common practices in the sector.

    The CJEU reaffirmed the principle of data minimization, emphasizing that data collected must be adequate, relevant, and limited to what is necessary based on the purposes for which it is processed. The CJEU also reiterated that the GDPR outlines a strict and exhaustive list of circumstances under which personal data processing can be considered lawful. This includes situations where processing is (i) necessary for fulfilling a contract with the data subject or (ii) necessary for the legitimate interests pursued by the data controller or a third party.

    Regarding the first justification, the CJEU stressed that for data processing to be deemed necessary for the performance of a contract, it must be objectively indispensable to fulfill that contract. In this case, the CJEU found that personalizing commercial communication based on gender identity, inferred from the customer’s title, was not objectively necessary for the proper performance of a rail transport contract. The railway company could instead use generic, inclusive language in addressing customers, which would be less intrusive and equally effective.

    On the second justification, the CJEU, referencing its established case law, stated that processing data on customers’ titles to personalize communication-based on gender identity cannot be considered necessary if (i) customers were not informed of the legitimate interest pursued during data collection; (ii) the processing is not limited to what is strictly necessary to achieve that legitimate interest; or (iii) the fundamental rights and freedoms of customers, especially in terms of potential gender identity discrimination, outweigh that legitimate interest.

    The CJEU’s analysis is interesting (probably to a very specialized, narrow audience dedicated to the regulation of personal data protection) and, to some extent, well-reasoned and in conformity with the letter of law. However, the judgment raises a number of questions as well:

    What exactly is the risk level associated with using titles, and to what extent are the rights and interests of the data subjects violated?

    Is there really no legitimate interest on the part of the railway company in considering the gender identity of its passengers? (For example, by doing so, it could improve its services during travel by providing specific additional comforts related to a particular gender, such as hygiene products or pregnancy care, etc.).

    Where is the line between the actual risk of discrimination and providing good services?

    Against the backdrop of such significant gaps in the application and practice of GDPR by individual Member States, which relate to business development, innovation, and the rights of data subjects – How is such judgment helpful for society in applying the legal provisions without feeling overwhelmed by excessive regulatory pressure?

    If it is not legally justified to use the titles “Ms.” and “Mr.” when purchasing travel tickets, is the use of these titles by the train staff when addressing travelers also a violation of the principles of data minimization?

    All questions without answers… and a judgment that undoubtedly reflects a strict interpretation of the norms, without, however, safeguarding or rationalizing the purpose of the law.

    By Irena Georgieva, Managing Partner, PPG Lawyers

  • Austria: Federal Fiscal Court Rules That Voluntary Self-Disclosure of Missed UBO filings does not require immediate UBO Filing To Qualify for Exemption from Late Filing Penalties

    The Austrian Beneficial Owners Register Act (BORA) requires certain legal entities to report their ultimate beneficial owners (UBO) recurringly, at least once a year and whenever changes occur in an entity’s UBO.

    UBO filings must be submitted electronically for each entity via the Austrian Business Service Portal. Grossly negligent non-submission of UBO filings may result in penalties up to EUR 100,000, while intentional misconduct may result in penalties up to EUR 200,000.

    If a UBO filing is missed, financial penalties may be avoided through a voluntary self-disclosure pursuant to the Austrian Financial Criminal Act. A valid voluntary self-disclosure generally requires (i) a statement of misconduct, (ii) disclosure of material circumstances, (iii) an act of restitution, (iv) identification of the responsible person, and (v) filing prior to detection or prosecution. However, in addition to these general requirements, the Austrian Tax Authorities mandate an immediate UBO filing within the Austrian Business Service Portal. Even if a voluntary self-disclosure is submitted in accordance with the Austrian Financial Criminal Act, the submission of this updated UBO filing becomes an additional relevant factor in practice. This is peculiar because the Austrian Tax Authorities typically become aware of the misconduct through the voluntary-self disclosure itself, which, by its nature, reveals all facts leading to a breach of reporting obligations under the BORA. As a result, even after full disclosure of the misconduct, the outstanding UBO filing creates uncertainty regarding the effectiveness of the voluntary self-disclosure.

    On 14 January 2025, the Austrian Federal Fiscal Court ruled that an immediate UBO filing is not legally required and, therefore, not necessary for a fully valid voluntary self-disclosure. A correctly submitted voluntary self-disclosure sufficiently includes, among other elements, a description of the misconduct and the disclosure of UBO information required by law, thereby meeting the requirements of the Austrian Financial Criminal Act.

    This ruling is the first decision by the Austrian Federal Fiscal Court to clarify whether a UBO filing must be submitted immediately in such cases. The outcome benefits all entities and individuals who regularly face the negative consequences of the BORA (e.g. managing directors) by removing an additional barrier to voluntary self-disclosure.

    By Stefan Egger and Lukas Lobinger, Associates, Schoenherr

  • Baker McKenzie Advises Dertour Group on Acquisition of Hotelplan Group

    Baker McKenzie has advised Dertour Group on its acquisition of the Hotelplan Group, with the exception of Interhome, which is being acquired by the HomeToGo Group. Bar & Karrer reportedly advised the seller – Migros.

    Dertour Group, based in Cologne and part of REWE Group, is a travel conglomerate operating across multiple European markets.

    Hotelplan Group specializes in leisure and business travel.

    Migros is a Swiss retail company.

    According to Baker McKenzie, the transaction, pending antitrust approvals, includes four of the five business units of Hotelplan Group and will strengthen Dertour Group’s presence in Switzerland, the United Kingdom, and Germany. 

    The Baker McKenzie team included Vienna-based Partner Andreas Traugott and Of Counsel Anita Lukaschek as well as further team members in Zurich, Duesseldorf, Munich, London, and Brussels.