Category: Bulgaria

“This comes as no surprise, but the main focus of the government is still the COVID-19 crisis,“ says Stefan Tzakov, Managing Partner at Kambourov & Partners in Sofia. Although the situation in Bulgaria was not as bad as in some other countries, Tzakov says, it nonetheless “gave the politicians a good chance to show strength — and for the two months that we’ve had a state of emergency in place they have tried to do just that.“

During the crisis, Tzakov says, the government has ushered in a lot of new legislation, although not without controversy. “The negative impacts of the crisis were felt across the board” he explains, “not just in the narrow specter of businesses that the government provided measures for.“ As a result, he says, a lot of his firm’s clients voiced their concerns about the stimulus measures “not being enough.” Among other problems, he reports, is that “a lot of companies, which seem to be unaffected at first glance, still suffer due to their partners backing out of deals because their businesses have been affected. The ripple effects of the crisis need to be dealt with, not just the most obviously impacted areas.“

Tzakov says that “financial burdens like taxes, social, and health contributions could have been further reduced, and some more exemptions could have been introduced. On the whole, I think that the circle of businesses designated as ‘affected’ should have been broadened.“ In his opinion, more flexibility is the key. “We could drag on disputes about whether or not this is a force majeure until the end of time, and nobody would be able to get their own day in court. I think that the government should have focused on more types of businesses in other sectors and that this would have circumnavigated a lot of issues.“

Still, Tzakov says, some business sectors are doing well. “The banking sector is still going very strong and has been doing okay even during the pandemic,” he notes. “Also, the hypermarket sector has been booming in the last few years in Bulgaria.“ He reports that large hypermarket chains have been purchasing land plots, investing in the development of new locations for stores, and continuing to open doors to consumers. “The demand for goods one can acquire in hypermarkets went up as the virus spread and more and more people started stock-piling and switching to a more domestic-based consumption, as opposed to, say, restaurants and the like.“ This drew much political attention as well, with the government “placing incentives to stimulate these chains to provide local producers with beneficial conditions. These weren’t that kosher at all times, and even the European Commission weighed in to say that this is not in line with the principle of free movement of goods, but nothing has changed yet.“

Tzakov says that the renewables sector is active as well, “reflecting the recent EU incentives initiative to end coal-fired power plants.” According to him, “the renewable sector in Bulgaria is at its most active in the past seven years,“ and he says that some other ambitious energy projects are going on, including the establishment of the Balkan GasHub gas exchange. “This is aimed to counter the strong position Gazprom has had on the Bulgarian market, and we’ll have to wait and see if it does in the long run.“ Also, he says, plans for the development of Bulgaria’s second nuclear power plant are moving forward. “There have been some hurdles, like, for example, interested parties having to perform due diligence on-site and in-person because most of the documentation for the project is classified and exists as a physical copy only – no digital version – which means that it has to be inspected in person, but the good thing is that this is going somewhere.“ He reports that the project is more likely to actually be completed now, especially given the “EU trend of stimulating different energy sources than the ones we have now.“

In 2010, France’s Agence Nationale de Sécurité du Médicament published the results of tests of breast implants produced by the French company PIP and banned their use, due to an increasing number of reports of incidents related to impaired implant integrity and subsequent health-related complications.

In December 2018, an Irish manufacturer of breast implants and tissue expanders announced that it had suspended the sales of breast implants and had withdrawn its products from the market in the EU Member States. This decision was a result of an order for compulsory withdrawal made again by France’s regulatory authority.

Following the scandal over PIP products, MEPs in the European Parliament unanimously adopted a resolution calling on the European Commission to review existing legislation on medical devices. In 2015, the Permanent Representatives Committee finalized the Council of the European Union’s position on two draft regulations aiming at updating EU rules on medical devices and in vitro diagnostic medical devices. The European Parliament adopted the two regulations on April 5, 2017. Regulation 2017/745 on medical devices will take effect on May 16, 2020, and Regulation 2017/746 on medical devices for in vitro diagnostics will take effect on May 26, 2022.

There are more than 500,000 types of medical devices – including those for in vitro diagnostics – on the EU market, including x-ray machines, pacemakers, breast implants, artificial joints, medical spikes and automatic seams, sutures, contact lenses, etc. In vitro diagnostic medical devices are used in sample testing and include blood tests for HIV, pregnancy tests, and blood glucose monitoring systems for diabetics.

In Bulgaria, the medical device market is estimated unofficially at about 400 million Bulgarian levs (approximately EUR 200 million) a year, and there are over 1000 registered dealers in the country. The National Health Insurance Fund’s budget for medical devices in 2018 was 98 million Bulgarian levs and another 46 million Bulgarian levs were provided for in the budget of the Social Ministry covering the need of medical devices such as hearing aids, wheelchairs, etc.

Until 2016, the Bulgarian Medical Devices Act provided that the State Agency for Metrology and Technical Supervision (SAMTS) is the competent authority for the assessment, designation, notification, and monitoring of medical devices released on the Bulgarian market. However, as of 2016, control over the medical devices has been exercised by the Bulgarian Drug Agency (BDA). Currently, the BDA is responsible for, inter alia: (i) Registering persons who place medical devices on the Bulgarian market; (ii) Issuing permits for conducting clinical trials with medical devices; (iii) Issuing authorizations for the conformity assessment of medical devices, including the evaluation of clinical data in accordance with Implementing Regulation (EU) No 920/2013; (iv) Providing licenses for wholesaling of medical devices; (v) Supervising products placed on the market/in operation on the territory of Bulgaria; (vi) Maintaining a system for recording, analyzing, and summarizing incidents and potential incidents with medical devices; (vii) Maintaining an electronic database of publicly paid medical devices; (viii) Provide information in a standardized format in the EUDAMED European Database; and (ix) Validating information submitted by applicants when registering manufacturers and medical devices in the electronic list of devices that can be paid for with public funds.

Once implemented, Regulation 2017/745 on medical devices will change the law in Bulgaria concerning medical devices, as well as the functions of the BDA. The Ministry of Health is working on drafting an amendment to the Bulgarian Medical Devices Act and has set up an intradepartmental working group on the project. According to official information from the Ministry of Health, the draft amendment to the Medical Devices Act will be published for public consultation before May 26, 2020 – the date for entry into force of Regulation 2017/745. This means that in practice the adaptation of national legislation to the directly-applicable Regulation 2017/745 will likely be delayed. For a certain period of time after May 26, 2020, there might be administrative ambiguity regarding the competencies of the BDA with regard to the registration and placing on the market of medical devices. Therefore, our advice to manufacturers is to keep the above information in mind when planning for the Bulgarian market.

By Elena Todorova, Head of Life Sciences, Schoenherr Sofia

This Article was originally published in Issue 7.3 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.

CMS has advised Korea’s Solarian Holdings Ltd. on the acquisition of a 5 MW photovoltaic power plant in Bulgaria from FEC Perun.

According to CMS, “the project, which was commissioned in two stages in 2011 and 2012, has been operated by local developer FEC Perun. The project is financed by Expressbank (currently DSK Bank) and is the first acquisition of this Korean investor who plans to further expand its PV portfolio in Bulgaria.”

CMS’s team was led by Partner Kostadin Sirleshtov and included Associate Borislava Pokrass.

“The government acted well and fast in response to the crisis,“ says Viktor Tokushev, Managing Partner of Tokushev & Partners in Sofia. “The problem is, however, that the majority of the measures it enacted focus mainly on healthcare and the safety of the population, with other sectors lagging behind.“ In addition, he says, while many economic measures have been announced, not many have been actually implemented.

“On May 6,” Tokushev says, “everything went back to ‘normal,’ more or less, with only those businesses that operate predominantly indoors, like restaurants and shopping malls, remaining closed.“ Those businesses that were hit hardest by the crisis are currently still waiting to resume their operations. “On the other hand,“ he says, “this reopening of social life as we knew it may be a bit premature and it may have been more adequate to have waited for such a strong move. Perhaps a more nuanced opening, a gradual one with constant evaluation of impacts, would have been better — but the government decided to be more direct.“

Tokushev also says that the rules which have been enacted in respect of the state of emergency are now reflected through changes in the Healthcare Act, enacted as of May 13, which will remain relevant in the following months of transition. According to him, “the  changes are rather broad and focus on the next couple of months of recovery.“ Harmonizing these amendments to work smoothly with existing legislation may be a tough challenge, he believes. “I hope that the limited time for drafting and implementation of these legal provisions does not result in a need for frequent amendments and shall provide sufficient stability for society to recover.“

In the meantime, the crisis has left Bulgaria with “fewer investments and fewer projects, which of course is reflected in all sectors of business.“ He says that “the Bulgarian Development Bank and the Fund Manager of Financial Instruments (the Fund of Funds) will be the ones implementing real economic measures and controls – they will have the most important job to do until the end of the year, translating the economic measures into reality and making them more accessible for business sector players. In order to achieve these goals, these institutions will need the support and collaborations of the commercial banks, because the banks will be the ones providing the funds to possible beneficiaries. For us as consultants working with these institutions, our priority until the end of 2020 will be providing clients with information and support for utilizing all funding available to them.“

Over the last few weeks, the search for effective measures to stop the spread of COVID-19 has been the number one priority of affected countries. So far, there is no unified approach. A noteworthy trend is the increased awareness of the potential of data, which is sometimes even referred to as the “new oil”. This potential is more than ever being used for key decision-making, e.g. in the development of medicines or vaccines, when assessing whether anti-epidemic measures are effective, in which countries travel restrictions should be imposed, in which public places access should be restricted, etc.

Many countries seem especially interested in using location data from mobile devices to help track and fight the spread of the pandemic. But many privacy experts have voiced their concerns.

Nevertheless, the omnibus data protection legislation in the EU – the General Data Protection Regulation (“GDPR“) – provides enough flexibility and possibilities to process personal data, including special categories of data such as health data. On 6 April 2020, the European Data Protection Supervisor (“EDPS“) expressly noted that “GDPR is not an obstacle for the processing of personal data, which is considered necessary by the Health Authorities to fight the pandemic“. The EDPS also noted that “the right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.“

Thus, for EU Member States, the question seems to be not whether such data may be used, but rather where do we draw the line? This article will provide a brief overview of the current situation in Bulgaria, considering the measures adopted during the state of emergency (declared on 13 March 2020), and the possible outlooks for coordination on an EU level.

What amendments were adopted in Bulgaria in relation to the state of emergency?

Due to the pandemic and the spread of COVID-19 in Bulgaria, towards the end of March a new piece of legislation was adopted – the Act on the Measures and Actions During the State of Emergency, announced by a decision of the National Assembly of 13 March 2020 (“Act“). The Act introduced a number of measures for effective crisis management during the state of emergency and amended some other legal acts. One of them was the Electronic Communications Act (“ECA“).

The ECA amendment touched on a rather sensitive topic. Namely, the sharing of personal data that can be used to determine the location of a mobile device (e.g. a smartphone). However, this amendment did not receive much media attention and public discussion, or at least not as much as in other countries.

What was the situation before the ECA amendment?

The ECA amendment affects the provisions governing the storage and access to data of providers of publicly available electronic communications services (e.g. telecom operators, internet service providers, etc.)¹. For example, even before the amendment, telecom operators were obliged to store data from mobile devices for purposes strictly defined in the ECA for a period of six months. These data include dialled phone numbers, date, time, duration and type of connection, device IMEI, and cell ID. The ECA expressly clarifies that telecom operators do not store data about the contents of the message.

The purpose of these provisions is that data be stored for a short six-month period only for purposes of public importance (strictly defined by the ECA) – national security, investigating certain serious crimes and search and rescue operations (Article 251b). Thus, public authorities explicitly mentioned in the ECA (e.g. the State Agency for National Security, the National Police, etc.) may request access from telecom operators to the above data only for these purposes and not as a general rule. Such access is only allowed after prior court authorisation. As an exception, the ECA allows telecom operators to provide immediate access in certain emergency cases, and only then will a court authorise or deny the already granted access.

What has been amended?

The result of the ECA amendment is that telecom operators are now obliged to store and (upon request, without prior court authorisation) provide data to competent authorities for one more purpose, i.e. to monitor citizens’ compliance with the imposed quarantine measures during the state of emergency.

The following paragraphs will briefly look at the details of the newly introduced power of public authorities. A glance below the surface could provide a better idea of whether the line between controlled, targeted anti-COVID-19 measures and uncontrolled digital surveillance has been crossed.

Who is affected by the amendments?

The wording used by the legislator to define the purpose of the data storage and affected persons is the following: “for the purposes of enforcement of mandatory isolation and hospital treatment of persons under Art. 61 of the Health Act, who refused or did not comply with mandatory isolation and treatment“. At first glance, it seems that the number of affected persons is limited only to those who have refused or did not comply with mandatory isolation and treatment. The number is further decreased by the reference to Article 61 of the Health Act. Therefore, persons whose data could be accessed by the competent authorities must meet three cumulative conditions.

The first condition requires an order by the Minister of Health, providing for mandatory isolation of sick, contagious, contact persons and persons who have entered the territory of the country from abroad. This condition is in fact fulfilled in connection with COVID-19. The Minister of Health has issued orders in that regard which can be accessed on its website. According to the Health Act, the second condition is for the affected persons to be subjected to mandatory isolation or treatment by an order of the head of the respective hospital at the recommendation of the attending physician or the doctor who referred the patient for hospitalisation (Article 61(3) of the Health Act). The third condition is that those persons have refused or are not complying with the mandatory isolation or treatment.

Therefore, according to the legislation, only the data of persons who have refused or do not comply with mandatory isolation or treatment, imposed by order of the head of a hospital, can be accessed. On the one hand, the number of persons is sufficiently limited so that there is no concern that an unjustifiably wide scope of persons will be subject to location tracking. Thus, the legislative idea is not to apply the measure to all citizens, which in turn would have been a much more intense intrusion of privacy. On the other hand, the question of how the fact of non-compliance with mandatory isolation will be established (especially for people quarantined at home) inevitably arises. And this fact should be established before telecom operators are required to provide the person’s data. The answer to this question cannot be found in the legislation so far.

What data?

It is important to clarify that when adopting the change in the ECA, the legislator explicitly restricted the data that telecom operators are required to provide to only the cell ID (data to locate a device). Information regarding dialled phone numbers, call duration and other data is not disclosed. It follows that the competent authorities could only obtain the data based on which the approximate location of the device could be determined. In terms of the clarified scope of affected persons, collecting this type of data seems logical. Based on these data, the competent authorities could, for example, establish that a person who should be under 14 days quarantine is not complying with the prescribed isolation measures.

Who can access the data?

According to the ECA, only the following authorities can access the data: the General Directorate National Police, the Sofia City Department of the Interior, and the Ministry of Interior Regional Directorates, i.e. bodies of the Ministry of Interior and the police.

One of the noteworthy features of the data access procedure is the accelerated “instant access” with subsequent (rather than prior) notification and court authorisation. It follows that the police would not have to use the standard procedure, which requires prior court authorisation. On the contrary, telecom operators are obliged to grant access immediately, and the court may subsequently order the refusal and destruction of the data within 24 hours of receiving the request, but only after the data have already been provided.

Data protection?

It appears that the Bulgarian legislator has decided to utilise mobile devices data as a measure to limit the spread of COVID-19. The police will be able to monitor, through location data, whether infected and quarantined persons comply with the mandatory instructions of health authorities. In terms of data protection, the ECA amendment establishes a necessary legal basis for data processing by the telecom operators and the Ministry of Interior bodies for the purposes of enforcing mandatory isolation and hospital treatment. The question of whether this measure is necessary within the meaning of Article 8 of the European Convention on Human Rights and respects the right to private life is beyond the scope of this article.

While objectively intruding on the privacy of individuals, it is important to note that the ECA amendment is also limited in duration. With the end of the state of emergency, the new power of the Ministry of Interior will cease to exist. The latter seems to be an additional safeguard for the right to privacy and minimises risks related to excessive digital surveillance after the state of emergency has ended.

On the other hand, the most serious drawback of the measures goes beyond the specific legislative amendment: the lack of transparency and broader public discussions on how citizens’ data will be used, especially in times of crisis.

Mobile application

Although not a legislative measure, in early April the Ministry of Health introduced a new mobile application to help combat COVID-19. Unfortunately, a lack of transparency and public awareness could also be observed in this measure.

The main purpose of the mobile application is for citizens to enter their health data themselves, and to receive information about close contact with a person infected with COVID-19. The mobile application data should also provide a better overview and statistics for public authorities on population morbidity rates.

In addition to personal data such as personal identification number, age and gender, the app also processes special categories of personal data – current health status (symptoms that may be associated with COVID-19) and chronic medical history. The mobile application can also track location data. However, installing the app and providing any personal data is voluntary, i.e. based on consent. There is no obligation to install the app or to provide the data (some countries have chosen a mandatory approach).

Undoubtedly, the use of such an app can help public authorities combat COVID-19. Nevertheless, there are at least two significant data protection aspects which could be improved: data anonymisation and transparency. For example, according to the terms and conditions of the app, the data is received by the Ministry of Health, which in turn can provide it to the authorities competent to take measures against the spread of COVID-19. So far, so good. However, the potential recipients of the data include third-party service providers connected with the administration and operation of the app. The provision of data to third parties does not appear to be made in a particularly transparent manner for citizens, especially given the sensitivity of the processed data. In such circumstances, it is strongly recommended at least to anonymise data (where possible) and to provide greater transparency as to whose and what type of data third parties can access. There is room for improvement here.

Is there a plan to coordinate measures on an EU level?

On an EU level, the need to coordinate the fragmented approach of Member States is becoming ever more apparent. The EU has already voiced concerns about the lack of a common approach towards the use of location tracking and mobile applications.

Amongst the EU bodies and institutions calling for coordination of the various national measures are the EDPS, the European Commission (“EC“) and the European Data Protection Board (“EDPB“).

The first EU body to provide guidance on coordinated action between Member States was the EDPS in a letter of 25 March 2020 to the EC. The specific reason for the EDPS letter were the ongoing discussions between Member States and telecom operators with the objective of using location data to track the spread of the COVID-19 outbreak. In addition, on 8 April 2020, the EC issued recommendations on a common Union toolbox for the use of technology and data to combat and exit the COVID-19 crisis, in particular concerning mobile applications and the use of anonymised mobility data. On 3 and 7 April 2020, the EDPB announced that one of its priorities is to provide guidelines on geolocation and other tracing tools in the context of the COVID-19 outbreak.

At the EU level, the potential of data is being recognised as an important tool for informing the public and helping relevant public authorities in their efforts to contain the spread of the virus or allowing healthcare organisations to exchange health data. At the same time, it is recognised that adequate mechanisms must be provided to protect fundamental rights and freedoms, particularly the rights to privacy and protection of personal data.

Among the priorities in the EC, EDPB and EDPS documents published so far are the call for anonymisation of data received from telecom operators, limiting the storage period and deleting data, transparency requirements on the privacy settings to ensure trust in the applications, preference for the least intrusive yet effective measures, etc.

The active involvement of EU bodies and institutions is an indicator of the significance and sensitivity of any measures requiring location tracking via telecom operators’ data or mobile applications. Although many Member States have already adopted measures, including legislative ones, they must be reconsidered in the light of a common EU coordinated approach, particularly with a view to finding a reasonable balance between public safety and the fundamental human right to privacy.

Arguments for and against such measures, as well as their specific implementation, are being actively discussed. On the one hand, it cannot be denied that the use of data at this time can be a highly effective means of curbing the pandemic, as has already happened in China, South Korea and Singapore. On the other hand, history has shown that some permanent measures were first introduced as temporary. Privacy experts are concerned that providing sensitive data in large quantities crosses a line that may be difficult to draw back from when things return to normal. Therefore, broad public discussion and coordinated measures at the EU level are increasingly necessary.

This text was originally published on April 15, 2020

By Kristina Chakarova, Associate, Schoenherr

CMS Sofia has advised Korean investors KOSEP and SDN on additional EUR 10 million financing obtained from UniCredit Bulbank AD, Expressbank AD, and DSK Bank EAD for two 42 MWp photovoltaic projects in Bulgaria. CMS Vienna advised the lenders on the financing.

The two projects are located in northern part of Bulgaria, in the villages of Samovodene and Zlataritsa. According to CMS, “with 42 MWp installed capacity these projects represent the biggest Korean investment in Bulgaria to date.” CMS reports that it “assisted the parties on all matters related to the project, including during the negotiation process, preparation of the paperwork and perfection steps.”

The CMS Sofia team advising KOSEP and SDN was led by Partner Kostadin Sirleshtov, assisted by Associates Borislava Piperkova and Elena Yotova-Yordanova.

The CMS Vienna team advising the lenders was led by Partner Dimitar Zwiatkow, assisted by Associates Marin Drinov and Ivan Gergov. 

 

 

Georgiev, Todorov & Co has successfully defended the rights of concessionaire BMF Port Burgas – Burgas East 2 and Burgas West port terminals – in an administrative proceeding appealing against the Energy and Water Regulatory Commission’s decision under Art. 22 of Bulgaria’s Energy Act in a dispute concerning direct connection to electricity grids.

In its judgment, the Court of Justice of the European Union upheld the legal argument put forward by Georgiev, Todorov & Co. – that, according to the firm, “directly connecting a consumer to the electricity transmission network shall be decided based on objective and non-discriminatory considerations, since this user is connected to an electrical substation which, under Directive 2009/72 and national law, falls within the scope of this transmission system.”

The Administrative Court of the City of Sofia dismissed the electricity distribution operator’s complaint and maintained BMF Port Burgas’ right to connect directly to the grid. Included in the court’s decision was the following: “Community law does not create a legal barrier to electricity, which in this substation is converted from high to medium voltage directly from the transmission grid to the end user BMF Port Burgas, without the obligatory intermediate involvement of a distribution company.”

Georgiev, Todorov, & Co.’s team included Partner Miglena Peneva and Senior Associate Mariya Derelieva.

The “order for payment procedure” was initially introduced in Bulgaria with the adoption of the new Civil Procedural Code in 2007 as an accelerated enforcement procedure for debt collection. This procedure provides creditors with a relatively fast and easy way to obtain an enforcement order against debtors. In general, the order for payment procedure is like a closed administrative procedure and requires only the submission of a standard application form and payment of a state fee of 2% of the amount claimed.

The Civil Procedural Code introduced two different types of order for payment procedures providing different levels of protection to creditors. The ordinary order for payment procedure applies when collecting sums of money up to BGN 25,000 or fungible items, and for the delivery of movable items that the debtor has received with an obligation to return which are encumbered by a pledge, or which have been transferred to the debtor with an obligation to surrender possession. In such cases the court issues an ordinary enforcement order which is not immediately enforceable.

When the creditor has a receivable, regardless of the amount, based upon a specific document as listed in the Code, the court can issue an order for immediate enforcement and a writ of execution against the debtor. Through this order the creditor can, in most cases, immediately undertake execution actions against the debtor, regardless of any objections from the debtor’s side. The immediate execution can only be stopped by the court if the debtor provides adequate security to the creditor.

Following official notification of the European Commission dated January 24, 2019, referring to Council Directive 93/13/EEC of April 5, 1993 on unfair terms in consumer contracts and strongly recommending revision of the current enforcement procedure regulations in Bulgaria, the existing rules of the order for payment procedure were significantly amended, and new consumer protection rules were introduced in December 2019.

To fulfil the EU Commission’s recommendation and provide sufficient protection to debtors under consumer contracts, the Bulgarian parliament adopted several crucial amendments. One revolutionary change is the new procedural rule that the court is officially obliged to check for unfair terms in a contract with a consumer, and if any are found, not to enforce them. Court claims against consumers must be filed in the court in the region where the consumer currently resides, and exceptionally before the court where the consumer permanently resides.

With regard to the ordinary order for payment procedure, the changes include a requirement that the consumer contract be attached to any application for an enforcement order and a requirement that the court reject the application if it is grounded on an unfair clause in the consumer contract or if an assumption that it is so grounded could reasonably be made. The new rules also extend the term for objecting to the issued enforcement order from two weeks to one month as of the date of service in order to provide the consumer with enough time to react adequately.

The procedure for immediate enforcement has also been adapted to the recommendations of the EU Commission. One of the most criticized options for obtaining an order for immediate enforcement was the right of the banks to apply for an order against a consumer based only on excerpts from their accounting ledgers. Therefore, to provide more protection for consumers, banks are now also obliged to attach the document on which the receivable is based (and all attachments and general terms and conditions thereto) to the application for an order for immediate enforcement. Going forward, courts are obliged to cancel issued orders for immediate enforcement if receivables are based on unfair clauses in consumer contracts.

Consumers are also protected by the introduction of special new rules for suspending immediate enforcement. It is now enough for the consumer to provide only one third of the receivable’s amount as security to suspend the enforcement. Further, the court may also suspend immediate enforcement against a consumer even without security when there is written evidence that the receivable is based on an unfair clause in a consumer contract.

The amendments to the Civil Procedural Code from December 2019 are also reflected in amendments to Bulgaria’s Consumer Protection Law.

By Antonia Kehayova, Co-Head of Dispute Resolution, CMS Sofia

This Article was originally published in Issue 7.2 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.

 

During the COVID-19 outbreak businesses are facing the dilemma of whether to seek state aid or survive the crisis using their own resources. Every company should assess if meeting certain criteria for state aid is justifiable financially and in terms of timing. The state has the tool while the business has the option to use it. State aid is a sensitive topic, since it distorts competition by favouring certain undertakings, but this is allowed to take place when its compatibility with the single market is confirmed by the European Commission (the “EC“). Thus, the EC sets the parameters for the implementation of state aid while the Member States align the incentives with the needs of local business.

On 19 March 2020, the EC adopted a temporary framework for state aid to support the economy in the current COVID-19 pandemic, as amended on 3 April 2020 by an extension to the scope of the measures (the “Temporary Framework“). The Temporary Framework sets out Member States’ options to ensure liquidity and access to financing for undertakings – especially small and medium-sized enterprises (“SMEs“) – experiencing difficulties due to the pandemic.

The Temporary Framework provides for the following types of aid schemes that the EC is ready to approve:

1. Direct grants, selective tax advantages and advance payments of up to EUR 800,000 to a company;
2. State guarantees for loans taken by companies from banks;
3. Subsidised public loans with favourable interest rates;
4. Safeguards for banks that channel state aid to the real economy guaranteeing that such aid is considered as direct aid to the banks’ customers, not to the banks themselves;
5. Short-term export credit insurance;
6. Aid for research and development related to COVID-19;
7. Investment aid for the construction or upgrade of testing and upscaling infrastructures required to develop, test and upscale medicinal products (including vaccines), medical devices, hospital and medical equipment relevant for COVID-19;
8. Investment aid for the production of products relevant for COVID-19 in the form of direct grants, tax advantages or repayable advances;
9. Aid in the form of deferrals of tax and/or of social security contributions; and
10. Aid in the form of wage subsidies for employees to avoid layoffs during the COVID-19 pandemic.

The Temporary Framework will be in place until the end of December 2020, as the EC may extend its term in case of necessity. Before certain measures are put into effect, the Member States must notify the EC, which will assess the support scheme or individual measures and approve them as compatible with the single market.

The EC has already approved a BGN 500m (approx. EUR 255m) public guarantee scheme to support SMEs, as the Bulgarian Development Bank AD (having recently increased its capital by state funds) will provide public guarantees on investment loans and working capital loans to SMEs affected by the coronavirus outbreak in Bulgaria (“Intermediated SME Loan Guarantee Programme“). The EC also approved a COVID-19 employment scheme for preserving jobs in the most heavily affected sectors in Bulgaria by providing wage subsidies. The estimated budget under this wage subsidy scheme is BGN 1.5bln (approx. EUR 767m) and the aid may be granted until 31 July 2020.

Given that many companies operate in multiple Member States, the question arises as to whether a company that has applied for state aid, e.g. in Germany (where all group companies will benefit from this aid, including those headquartered outside Germany), can also apply for state aid in Bulgaria through its Bulgarian subsidiary. As long as certain conditions have been met and the mandatory thresholds for the respective state aid have not been exceeded, the answer is yes. However, the authority responsible for granting the state aid in one Member State should assess whether it is compatible (in essence and in amount) with the state aid granted by another Member State.

The Temporary Framework enables Member States to combine different types of state aid, except for loans and guarantees for the same loan and exceeding the thresholds. Member States can also immediately act through public support measures that are available to all companies, such as suspension of payments of corporate and value added taxes or social contributions, which fall outside state aid rules. The idea is that Member States are flexible to use various support tools (state aid or other) as long as excessive accumulation of support measures for the same companies is avoided.

By Silvia Ribanchova, Attorney at Law, Schoenherr

As the COVID-19 pandemic has rapidly spread across Europe, more and more companies have been forced to implement remote working arrangements for their employees. Logistical difficulties aside, businesses are now facing very real risks associated with information leaks due to human error, use of vulnerable equipment or software, or deliberate external misappropriation of sensitive data (both of the employer and its contractual counterparties). Immediate actions may need to be taken to adapt to this new environment.

In Bulgaria, the Commercial Act imposes a general obligation on authorised officers, sales representatives and proxies to keep confidential the trade secrets of their principals, and the Labour Code provides for a general obligation of loyalty and confidentiality towards the employer. The trade secret protection regime is regulated in more detail by the Trade Secret Protection Act (“TSPA“) and the Competition Protection Act (“CPA“).

For the CPA to apply, the infringer and the entity whose manufacturing or trade secrets are improperly acquired, used or disclosed, must be competitors. Protection under the CPA is only available where two (or more) legal entities are involved (i.e. it does not apply to natural persons). To trigger an infringement, the acquisition, use or disclosure of a manufacturing or trade secret must be for the purposes of attracting customers and must have an actual detrimental impact, resulting in the termination or breach of a competitor’s contracts. 

For certain commercial information, know-how or technological information to qualify as a “trade secret” under the TSPA, the person in control of such information must have taken measures to keep it confidential. However, the TSPA does not specify what these measures should be. Since the TSPA has only been in force since April 2019, there is still no established case law on what criteria to apply. It is expected that a different standard will apply to different types of information and businesses, depending on the nature, size, complexity and resources of the business. For more details on the TSPA, please refer to our publication “If you want to keep a secret, you must also hide it from yourself.” ― George Orwell, 1984.

In view of the above, the TSPA generally provides better protection to employers against the misappropriation, use or disclosure of trade secrets by employees. The application of the CPA, on the other hand, is a specific hypothesis that requires careful analysis on a case-by-case basis.

Below are some practical tips for companies to consider in order to avoid the misappropriation of sensitive data and the risk that information will lose its “trade secret” status under the TSPA because of a failure to take appropriate steps to protect it. 

1. Evaluate and update internal secrecy rules and policies: The starting point should be identifying, categorising and labelling the trade secrets and sensitive information which would be most vulnerable and exposed to inadvertent disclosure or misappropriation. This applies not only to your company information but also to any information provided to you by counterparties which may be a trade secret for them. Only in this way is it possible to outline in enough detail the procedures necessary to protect such data as a matter of priority. If your existing internal policies are not tailored to the risks associated with remote working, take the opportunity to critically evaluate and update them now. If this would be too time-consuming, create and circulate (by email) an info-sheet summarising the key rules for identifying sensitive information and practical recommendations for working with it, including remotely from home.

2. Staff confidentiality obligations: All staff members should be reminded of the confidentiality clauses in their employment or consultancy contracts and be asked to take even greater care of sensitive and proprietary information in the age of COVID-19. Set up internal information security training with a specific focus on IT security and confidential information protection when working remotely from home. Staff should be advised to (i) keep a “clean desk” to prevent others at home from viewing company trade secrets, (ii) set computer screens to lock up after a set period of non-use and require passwords to unlock them, and (iii) avoid having conference/video calls about confidential information in the presence of others in their household. 

3. Access restrictions: Make sure that all company network locations where sensitive information is stored are subject to appropriate access restrictions, i.e. information to be accessed (also remotely) only on a need-to-know basis by a limited number of teams/employees. Such locations need to be appropriately secured. Consider requiring two-factor authentication for access. Track access and keep logs. Set up alerts for irregular downloading, copying or transmission of sensitive information. Give instructions to staff on the handling and disposal of any printed materials (i.e. ask employees not to discard them in the household trash but to retain them in secure locations and dispose of them upon returning to the office). 

4. Use of company equipment and software: Allow staff members to use only company equipment (laptops and others), secure remote access to company networks and only the company’s cloud and document management systems for working at home. Designate authorised software for contacting clients, but also for communication and collaboration among team members. Issue repeat warnings against the use of personal devices or accounts for working tasks (personal email, cloud services or instant messengers) and for transferring company proprietary information. Provide guidance on how to set up password and other protection of home Wi-Fi networks. Security breaches must be reported to the IT team immediately so that damage control can be performed (e.g. remote lock-out and wipe of all company data from a device). Home assistant devices (such as Google Home and Alexa) should be turned off and out of earshot from the employee’s workspace where calls about confidential information are being held.

5. Strengthen confidentiality undertakings in contracts with third parties: In the ongoing digitalisation process, greater attention should be paid to confidentiality provisions in contracts with business partners, contractors and consultants, as well as to non-disclosure agreements signed in the process of deal negotiations. We expect to see more elaborate non-disclosure agreements and confidentiality provisions that specify in detail what information will be considered confidential in the relevant business or transaction, how your trade secret should be kept by the other party, but also how your company should protect the trade secrets of its counterparties in order to avoid claims for damages. The TSPA explicitly provides that even if information is lawfully obtained, if it is subsequently disclosed or used in breach of an explicit confidentiality obligation, this would trigger liability. For example, an employer who received confidential information from a counterparty under a confidentiality agreement could be exposed to a claim for damages if the trade secret of the counterparty is improperly disclosed by an employee. In addition to the purely legal consequences, this would lead to serious reputational damage.

When it comes to protecting trade secrets there is no one-size-fits-all approach. Each company must assess what measures are reasonable and appropriate during the COVID-19 pandemic to keep its trade secrets confidential depending on the nature, size, sophistication and resources of the business. It is advisable to consult not only IT security specialists but also legal counsel to assess what steps should be taken to protect trade secrets during this unprecedented crisis.

By Galina Petkova, Attorney at Law, and Stela Pavlova, Associate, Schoenherr