CEE Legal Matters

Category: Austria

  • Nicholas Coddington Joins Wolf Theiss as Partner in Vienna

    Former Deloitte Legal Poland Partner Nicholas Coddington has joined Wolf Theiss in Vienna as a Partner in its Banking & Finance practice.

    “As a former Magic Circle member, Coddington will enhance Wolf Theiss’ services across Austria and the CEE/SEE region,” the firm announced, with a focus on corporate and project finance transactions, energy, green & sustainable, infrastructure, and real estate finance. Before joining Wolf Theiss, he spent three years as a Partner with Deloitte Legal in Poland. Earlier, he spent over ten years with White & Case.

    “Joining Wolf Theiss opens a new chapter in my career. I anticipate contributing to the firm’s Banking & Finance practice and offering expert advice to clients in Austria and the wider region,” Coddington said.

    “The addition of Nicholas Coddington reinforces Wolf Theiss’ regional service offer in complex finance transactions and adds another great talent to our team,” Managing Partner and Head of the firm-wide Banking & Finance practice Andrea Gritsch commented. “His English law experience throughout the entire CEE/SEE region will greatly benefit our clients, reinforcing our position as a legal leader in Central, Eastern, and Southeastern Europe.”

  • Herbst Kinsky Advises Everfield on FENZ-Software Acquisition

    Herbst Kinsky has advised European B2B software group Everfield on its acquisition of Austria’s FENZ-Software.

    According to Herbst Kinsky, “FENZ is one of the leading providers of food service solutions in the DACH region. With its highly specialized software, FENZ provides its customers with comprehensive and end-to-end merchandise management in the food service industry.”

    Everfield is a European software company group focusing on business-to-business software solutions. The company has recently acquired Grafik Optymalny, in 2023 (as reported by CEE Legal Matters on October 20, 2023), and Blue Bridge Technologies, in 2022 (as reported by CEE Legal Matters on November 23, 2022).

    The Herbst Kinsky team included Partner Philipp Kinsky and Attorneys at Law Christina Bernhart, Angelika Kurz, Valerie Mayer, and Benedikt Wolf.

    Herbst Kinsky did not respond to our inquiry on the matter.

  • GDPR and Inclusion – Ignorant Instead of Woke?

    The GDPR generally prohibits the processing of data relating to sexual orientation. In practice, this can be an obstacle to efforts towards inclusion.

    Many companies these days are asking themselves how they can become even more attractive to applicants and employees belonging to social minorities. In the corporate world, this is referred to as diversity and inclusion and is often the subject of group-wide initiatives. These initiatives stem from the recognition that people belonging to minorities often have needs that not only differ from the needs of the (relative) majority, but are also simply unknown to this majority.

    Equal treatment can be discriminatory

    The effort to meet the individual needs of each employee, especially considering their minority background, is the subject of discussion across the globe under the term “woke”. It is increasingly recognized that treating everyone “equally” is often driven by the best of intentions, but typically leads to forms of institutional discrimination. This is because equal treatment is traditionally based on the needs of the (relative) majority of the employees.

    For example, a company outing scheduled on the Saturday on which the Pride parade takes place would not appear to be a scheduling conflict to many employees, while members of the LGBTIQ community (and those who advocate for them) would perceive this as a discriminatory restriction on private activities. Similarly, an internal company policy on “paternity leave” would be perceived as discriminatory by mothers who do not give birth to the child – in  the international context, this is referred to as “non-birthing parent”.

    The first step towards addressing this is to better understand the extent of the challenge within your own organization. To this end, many global companies try to gain a better understanding of unwanted discrimination by conducting surveys among their employees about their satisfaction and their ethnic origin, sexual orientation and religious affiliation. After all, only those who know where the challenges lie can tackle them effectively. For example, if the organization loses an above-average number of Muslim employees, there are clear starting points for necessary changes. However, the right countermeasures can only be taken if the underlying cause is known.

    Staff surveys and data protection

    Addressing your own employees, better understanding the reality of their lives and focusing more closely on their needs as an organization inevitably means collecting information that qualifies as “sensitive” data under the General Data Protection Regulation (GDPR). This includes, in particular, ethnic origin, religious beliefs, health data or data relating to a person’s sex life or sexual orientation. The GDPR only permits the processing (and therefore the collection) of this data in very limited cases.

    One of the justifications for the processing of sensitive data under the GDPR is a legal obligation. Discrimination on the basis of ethnicity, religious beliefs or sexual orientation is prohibited under the Equal Treatment Act in Austria. However, there is no legal obligation to actively promote diversity and inclusion as an employer. This means that there is no legal obligation as a basis for data processing. The consent of the data subject is not a valid justification either. According to the prevailing view, such consent given by employees is not sufficiently free from employment-related constraints and is therefore invalid.

    For companies that aim to comply with the GDPR, the only feasible option is a works agreement. Insofar as the works council allows the company to process the aforementioned sensitive data to promote diversity and inclusion, companies can indeed collect this data and respond to the associated special needs of the employees. This ranges from the consideration of religious dietary requirements in Islam or Judaism to religious fasting periods, for example in Ramadan or before Easter in Christianity, to the needs-based individualization of working hours.

    That said, if no works council has been established or if the national law in the respective member state does not recognize the institution of a works council, the collection of such data about the company’s employees is, in principle, inadmissible. It is therefore fair to argue that the GDPR is based on the misconception that treating everyone equally will create a positive, inclusive working environment that values people in their individual characteristics. A self-critical examination reveals that this misconception  is probably based on the white, Christian or agnostic and heterosexual privilege of not having to deal in depth with the social reality of people belonging to other social groups.

    A legislative amendment would be sensible and necessary

    Not least the lively discussion about diversity and inclusion that has been taking place in the United States for several years and increasingly in Europe has shown that not taking into account the reality of the lives of people belonging to minorities is detrimental to equal opportunities and leads to companies losing valuable employees. This results not only in a disadvantage for society as a whole, but also an economic disadvantage for companies that have not yet recognized the potential of a “woker” HR culture.

    In order to at least partially improve the current legal situation, it would be worth introducing explicit legal provisions that allow the collection of sensitive data for the purpose of promoting diversity and inclusion. In order to prevent misuse, certain data protection and data security requirements, which must be strictly defined, would have to be met. The existing rules on data processing for statistical purposes could serve as a point of reference here, but require some clarification. According to the wording of the law, the collection of sensitive personal data for statistical purposes is currently only permitted – subject to approval by the data protection authority – if the company cannot determine the identity of the data subjects by legally permissible means. However, as this is often not realistic even for statistical surveys, improvements would have to be made here.

    The objectives of diversity and inclusion constantly require us to question traditional structures and look for improvements. This also holds true for established legal regulatory structures such as the protection of sensitive personal data under the GDPR. Otherwise, we are left with well-intentioned equality instead of genuine inclusion.

    By Lukas Feiler, Partner IP Tech, Adrian Brandauer, Associate IP Tech, and Ariane Mueller, Law Clerk IT Tech, Baker McKenzie

  • Herbst Kinsky Advises Maguar Capital on Investment in TimeTac

    Herbst Kinsky has advised Maguar Capital Partners on its partnership with TimeTac. Fieldfisher reportedly advised TimeTac.

    Maguar Capital Partners is a German private equity fund focussing on B2B software investments in the DACH region.

    Based in Graz, TimeTac provides software solutions for digital time recording.

    The Herbst Kinsky team included Partners Christoph Wildmoser and Sonja Hebenstreit and Attorneys at Law Alexander Lotz, Elisabeth Fitzek, Anna Diensthuber, Julia Hubmayer, Michael Cepic, Maximilian Kroepfl, and Valerie Mayer.

  • Binder Groesswang, Schoenherr, and Fokus Advise on Lucky-Car Acquisition of ATU Auto-Teile-Unger in Austria

    Binder Groesswang has advised Lucky-Car on the acquisition of the Austrian business of ATU Auto-Teile-Unger. Schoenherr and Fokus advised ATU. Bodmann reportedly advised Lucky-Car as well.

    Lucky Car has more than 40 branches in Austria and one location in Switzerland, making it the largest independent garage chain in Austria, according to Schoenherr.

    ATU Auto-Teile-Unger is a trading company for motor vehicle accessories, car spare parts, tires, and branches with motor vehicle workshops.

    According to Binder Groesswang, via the takeover, “24 locations and over 250 jobs can be maintained from ATU. The automotive workshop and specialist retail chain ATU, headquartered in Weiden, Germany, had recently encountered financial difficulties and had been planning to withdraw from the Austrian market for a long time.”

    The Binder Groesswang team included Partners Philipp Kapl and Georg Wabl and Attorneys at Law Roswitha Seekirchner and Matija Bernat.

    The Schoenherr team included Partners Michael Marschall, Marco Thorbauer, and Stefan Kuehteubl, Counsels Peter Madl and Karin Pusch, and Associates Roland Misic and Florian Weisgram.

    The Fokus team included Partner Philipp Wetter.

  • European Commission Proposes Five Substantial Initiatives to Enhance EU Economic Security

    Once implemented, those initiatives will require significantly more efforts from parties involved in trade and foreign investments to ensure regulatory compliance. The pursued security aims will lead to enhanced monitoring, assessments and controls being put in place, which will have to be factored into a reframed regulatory compliance approach by affected parties.

    In late January 2024, the European Commission (EC) proposed new initiatives to strengthen EU economic security. These initiatives illustrate a strong legislative trend over the past few years to establish a comprehensive EU approach to European economic security, which shall confront new emerging economic security risks resulting from increasing geopolitical tension, geo-economic fragmentation and profound technological shifts.

    Prioritised economic security risks include, namely, (i) risks to the resilience of supply chains, (ii) risks to the physical and cyber-security of critical infrastructure, (iii) risks related to technology security and of technology leaks as well as (iv) risks related to the weaponising of economic dependencies or economic coercion and similar risks (such as from foreign subsidies).

    Depending on the business sector (e.g. critical infrastructure, educational institutions), the role of a market player (e.g. [institutional] investor) or the economic action in question (e.g. exporting or even taking part in public procurement), this regulatory framework will likely cause an impact that leads to reframing one’s regulatory compliance approach, in order to manage the additional regulatory obligations and risk areas that arise. This in turn may necessitate further documentation, notification and approval requirements.

    This Client Alert on EU economic security provides for a heads up concerning the following key insights (followed by more focused insights on each of the new initiatives in the following weeks): 

    The EC intends to pursue and implement substantial initiatives in the following five areas:

    • Initiative 1: Further strengthening of foreign investment screening leading to EU-wide FDI screenings and – inter alia – harmonising core elements of national screening mechanisms with certain minimum standards. 
    • Initiative 2: Currently, the EC explores implementing a legal procedure regarding outbound investment risks. 
    • Initiative 3: The EC seeks more effective EU control in the field of sanctions law and of dual-use goods exports.
    • Initiative 4: The EC undertakes to review and assess the existing research and development support in technologies with dual-use potential.
    • Initiative 5: The EC plans to take action to provide guidance and enhance resilience across Europe with the aim of bolstering research security across the EU.

    Our Regulatory Team has broad experience in supporting clients from various business sectors in their efforts to navigate the regulatory framework under Austrian and European Union laws. Our specialized economic & national security expert group consists of Kurt Retter, Dominik Engel and Georg Knafl from the Vienna Office.

    By Kurt Retter, Partner, and Dominik Engel and Georg Knafl, Senior Associates, Wolf Theiss

  • New EU regulation on Digital Evidence Opens Up Risk of Data Misuse

    The new EU regulation on electronic evidence will enable law enforcement authorities from one EU member state to order service providers in other EU member states to surrender digital evidence. Providers who fail to comply within ten days or, in urgent cases, within eight hours, could face fines of up to two percent of their global group turnover.

    We manage our calendars online, store photos in the cloud, many of us haven’t seen the inside of a bank building for a long time, AI systems answer all our questions and physical letters are reserved for exceptional situations. Our lives are increasingly taking place in the digital space, both privately and professionally. A natural consequence of this trend is the steady rise in the number of cases of cybercrime. Be it phishing, hate postings or cyber-stalking, electronic evidence plays a decisive role in the detection of such crimes. Especially IP addresses are often an important starting point for investigations.

    Increasing relevance of electronic evidence

    Electronic data often provides powerful evidence even for traditional crimes such as assault, theft or fraud. The relevance of such data is well known, think of chat messages by politicians or the Instagram stories of a terrorist. According to statistics from the Council of the European Union, digital data is already used in 85 % of all criminal investigations in Europe. This trend is likely to intensify in the future. Combined with the increasing internationalization of crime, this poses new challenges for law enforcement authorities.

    Data stored in foreign countries pose difficulties

    Criminal investigations in connection with electronic evidence that has no connection to a foreign country can regularly be carried out on the basis of the criminal procedure law of the respective country. However, if the data is located abroad, it can only be obtained on the basis of international treaties. This can sometimes take ten months or longer, if the required data is at all available by then.

    In place since 2017, the European Investigation Order enables courts and public prosecutors in EU member states to request evidence from authorities in other member states. Yet it does not offer a satisfactory solution either. This is because up to 120 days may elapse between the issuing of the investigation order and its execution. The European Commission recognized this problem and drafted a proposal for an E-Evidence Regulation back in 2018. The final text of the regulation has now been adopted.

    Directly addressing providers

    The cornerstones of the E-Evidence Regulation are the European Production Order and the European Preservation Order, which are addressed directly to service providers (e.g., online platforms or telecommunications providers). Where the data is located plays no role. The orders cover all providers that offer their services in the EU and have a branch or registered office or a significant number of users in the EU, or direct their activities towards users in the EU.

    One groundbreaking feature of the regulation is the obligation of providers to respond within ten days of receiving the order. In emergency cases, they must respond in as quickly as eight hours. This can significantly speed up investigation procedures.

    Powers with limitations

    Electronic evidence may include subscriber data, traffic data and content data. This may cover, for example, the identity of users, IP addresses, location data, but also messages or photos. The scope of application is therefore very broad, but the regulation is only intended to apply to criminal proceedings and the tracing of convicted criminals. Preventive investigations, for example in connection with suspected terrorist attacks, are not covered.

    The production order is issued by a judicial authority to a foreign-based service provider and orders the surrender of electronic evidence. There is also the possibility of issuing a preservation order in order to prevent the data in question from being deleted.

    Service providers may refuse to follow a production or preservation order for a number of reasons, for example if it conflicts with the freedom of the press or legal provisions of a non-EU country or if compliance is de facto impossible. However, refusing to comply generally poses a major risk for service providers. Refusal without an adequate justification can result in a penalty of up to two percent of the worldwide annual group turnover.

    Service providers should therefore think twice before refusing to comply with an order, even if there is an obvious reason for refusal. This is a potential gateway for misuse of data. Orders that are overstepping the mark or are in breach of the regulation are more likely to be complied with given the threat of enforcement.

    Significant potential of misuse

    The question of the compatibility of the planned regulation with the EU Charter of Fundamental Rights is also giving rise to controversy, in particular the rights to respect for private and family life and to the protection of personal data. As a general rule, the surrender or preservation of evidence must be ordered by a judge or a public prosecutor. In emergency cases, however, the police may take action on their own initiative. In these cases, the legality of the order may only be reviewed retroactively. This harbors considerable potential for misuse.

    It is also questionable how effective the legal protection mechanisms envisaged in the E-Evidence Regulation will prove to be in practice. The regulation provides for the establishment of effective legal remedies before a state court. However, the specific form of these legal remedies is left to the individual member states. It remains to be seen whether these rules will actually result in effective legal remedies, particularly in Member States where there is a deficit in the rule of law.

    Uncertain legal landscape

    For service providers, the E-Evidence Regulation entails substantial costs and new compliance risks. Service providers can only claim compensation for the costs of data transmission or data backup if the law of the issuing state provides for reimbursement of costs for comparable domestic orders. If this is not the case, service providers are left to bear the costs. Imposing the costs of criminal prosecution on service providers is, however, not in line with the fundamental right to property and the freedom to conduct a business. Against this backdrop, it is unclear why the EU legislator has not regulated the obligation to reimburse costs in a uniform manner.

    The new regulation also addresses the risk of claims for damages by data subjects against service providers by way of an exclusion of liability. This applies in the event that the damage results from good faith compliance with a production or preservation order. However, it is again unclear from the text of the regulation where the limit of good faith lies. Combined with the financial risk in the event of non-compliance with an order, this poses a considerable challenge for service providers.

    The regulation will enter into force on August 18, 2026. All in all, it raises a number of problems. There is obvious potential for misuse of data, fundamental rights are not effectively protected and service providers will have to face a high number of orders.

    By Lukas Feiler, Partner IP Tech, Mark Nemeth, Associate IP Tech, and Ariane Mueller, Law Clerk IT Tech, Baker McKenzie

  • Andrea Zinober Makes Partner at BPV Huegel

    Andrea Zinober has been appointed a Partner with BPV Huegel in Austria.

    Zinober has been with BPV Huegel since 2021. According to the firm, with this appointment, it “strengthens its group of partners in the areas of unfair commercial practices law, distribution law, and general corporate law.” Before joining the firm, Zinober spent eight and a half years with Northcote Recht and over 13 years with Zeiner & Zeiner.

    “Andrea Zinober has made a significant contribution to the success of the firm in recent years,” Co-Managing Partner Florian Neumayr commented. “We are very pleased to have such an excellent and experienced expert join our partnership.”

  • Christian Joellinger Joins E+H as Partner in Vienna

    Former Freshfields Bruckhaus Deringer Attorney at Law Christian Joellinger has joined E+H in Vienna as a Partner.

    Bringing transactional and regulatory expertise, Joellinger will work in E+H’s banking/finance, restructuring/insolvency, and capital markets practice groups. Before joining E+H, Joellinger spent 13 years with Freshfields, most recently as a Counsel. He studied law in Vienna and Edinburgh and was admitted to the Austrian Bar in 2014.

    “We are extremely pleased to welcome Christian Joellinger to our firm as an experienced and highly qualified Partner,” E+H Partner Peter Winkler commented. “His expertise and specialized knowledge will contribute to fulfilling the individual needs of our clients on an even broader basis optimally.”

    “I am enthusiastic about the dynamism, expertise, and culture at E+H, and I am delighted to be able to strengthen this outstanding team,” Joellinger said.

  • The Protection of Gender Identity Under the GDPR

    Although gender identity does not constitute sensitive data under the GDPR, its legal protection is nevertheless very robustly designed. Companies that choose to disregard it may face claims for damages and fines.

    With Pride Month celebrated around the world this month, it is timely to reflect on the protection of gender identity under data protection law. The GDPR defines information requiring special protection as so-called sensitive data and imposes particularly strict rules on its processing. However, anyone hoping that gender identity falls under this category will be disappointed. Only personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data processed to uniquely identify a natural person, health data, and data concerning a natural person’s sex life or sexual orientation are protected as sensitive data by the GDPR.

    That being said, a robust legal protection of gender identity can still be constructed using the tools of the GDPR: To this end, it is first necessary to distinguish between gender identity on the one hand and biological sex on the other. While gender identity is chosen by the data subject and can therefore only be reliably collected from that person, biological sex is not a matter of self-identification. These two categories of data must be examined separately in order to meaningfully assess the permissibility of their processing.

    Processing of data on biological sex is usually prohibited

    When it comes to processing data on biological sex, there is usually no legitimate purpose at hand. For example, the collection of data on biological sex in a company’s customer database lacks any purpose. The collection of data on gender identity, on the other hand, is relevant, for example, to address a person correctly. The key aspect of gender identity is that it can be chosen by the person concerned and can therefore be changed at any time. Thus, if a company ignores the data subject and processes a different gender identity than the one specified by the data subject itself, it violates the principle of data accuracy under the GDPR.

    The practical challenge is that most currently implemented business processes, as well as the vast majority of available standard software, do not distinguish between gender identity and biological sex. This lack of distinction could in itself constitute a GDPR violation. This is because the inadequate identification of the specific category of data collected and the resulting lack of clarity within the company about the legal framework for processing this data may violate both the principle of data accuracy and the principle of fair processing under the GDPR.

    Lack of options regarding gender

    Companies that collect data on gender identity under the category “gender” often disregard the fact that there are also persons whose gender identity is neither female nor male and that it must therefore also be possible to specify a gender identity other than these two. In particular, software used for addressing customers typically only has the functionality to address customers as Mr. or Ms., which does not correspond to the essence of gender identity in its modern sense.

    Under the GDPR, companies that fail to implement the necessary distinction between gender identity and biological sex in their processes and IT systems therefore risk incurring a fine. The same applies to companies that disregard a request from a data subject to correct their gender identity. For these violations, this fine can reach up to 20 million euros or up to 4% of the global group turnover. In addition, the data subject could claim non-material damages by filing a lawsuit with the court if they have suffered a corresponding emotional or psychological impairment as a result of the disregard for their gender identity or the confusion of gender identity and biological sex.

    Businesses would do well to take Pride Month as an opportunity to take a critical look at which of the data still processed as “gender” refers to biological sex and which refers to gender identity. At least in the area of customer data processing, the review will likely reveal that the company only really has a legitimate purpose for processing gender identity. Therefore, this category of data should be consistently designated as gender identity and the input of gender identities other than just “female” or “male” should be allowed.

    Inclusion as an added value for business

    Such changes to business processes and IT systems can demand considerable time and effort. However, both from a legal and ethical perspective, it must be pointed out that it is in the nature of discrimination that persons belonging to minorities require special consideration. Also, the added business value of diversity and inclusion outweighs any extra expense from an economic perspective. If an enterprise wants to act in a legally compliant and ethically correct manner as well as be equally attractive to all persons regardless of their gender identity, it must urgently face up to this challenge.

    #WeAreNotNeutral

    By Lukas Feiler, Partner IP Tech, Adrian Brandauer, Associate IP Tech, and Ariane Mueller, Law Clerk IT Tech, Baker McKenzie