Category: Serbia

AP Legal, working with CMS’ London office, has advised Raiffeisen Bank International AG and its subsidiary Raiffeisen bank a.d. Belgrade on the acquisition of Credit Agricole Bank Serbia a.d. Novi Sad and its subsidiary CA Leasing Serbia from Credit Agricole S.A. D’Ornano Partners and Maric, Malisic & Dostanic acted as legal advisors to Credit Agricole.

According to AP Legal, the closing of the transaction, which is subject to customary regulatory and competition clearances, is expected in Q1 of 2022.

AP Legal team was led by Partner Aleksandar Preradovic and included Senior Associates Jovan Cirkovic and Dusan Preradovic and Consultant Maja Stojiljkovic.

CMS’ team was led by London-based Partner Eva Talmacsi.

Maric, Malisic & Dostanic’s team included Managing Partner Ana Maric, Partners Oliver Radosavljevic and Rastko Malisic, and Attorneys Uros Zigic and Marina Zivanovic.

BDK Advokati has advised MediGroup on its acquisition of biochemical laboratories TalijaLab in Serbia.

Financial details of the transaction were not disclosed.

According to BDK Advokati, TalijaLab operates 20 laboratories across Serbia and provides diagnostic services in the fields of biochemistry, microbiology, and genetics. In addition, according to the firm, through the acquisition “MediGroup has expanded its MediLab network, becoming the largest network of laboratories in Serbia, with laboratories in over 50 locations.”

MediGroup is a Serbia-based privately-held healthcare provider. The company operates nine health centers, one general hospital, a maternity hospital, an ophthalmology clinic, and an institute for skin and venereal diseases.

BDK Advokati’s team included Senior Partner Vladimir Dasic, Associate Sanja Dedovic, And Junior Associate Jovana Dukovic.

Zivkovic Samardzic and Cytowski & Partners have advised Credo Ventures on Serbian and Us aspects, respectively, of its investment in Trickest. Solo practitioners Vladimir Boskovic and Dusan Delic advised the founder of Trickest on the deal.

Trickest is a Belgrade-based startup building a workflow automation and orchestration tool for bug bounty hunters, penetration testers, and enterprise security teams. According to Zivkovic Samardzic, “Trickest has raised a EUR 1.4 million seed round and the round is led by Credo Ventures, with participation from Earlybird Digital East Fund, with Daniel Dines and Marius Tirca, CEO and CTO of UiPath also participating as angel investors. Proceeds from the round will be used to accelerate hiring and support the company’s early access launch.”

Credo Ventures is a venture capital company focused on early-stage investments in Central and Eastern Europe. 

Zivkovic Samardzic’s team included Partners Igor Zivkovski, Slobodan Kremenjak, and Ana Popovic.

Cytowski & Partners’ team included Partner Tytus Cytowski and Associate Kunal Kolhe.

NKO Partners has advised CTP on its acquisition of a 7-hectare plot on the outskirts of Belgrade from a group of unidentified sellers. Solo practitioner Jadranko Kecman reportedly advised the sellers.

Financial details of the transaction were not disclosed.

According to NKO Partners, the land is earmarked “for development on behalf of international technology and services provider Bosch.”

CTP is a developer and manager of customized industrial and logistics parks in Austria, Germany, Poland, Serbia, the Czech Republic, Hungary, Romania, and Slovakia.

Previously, NKO Partners advised CTP on the acquisition of 27.5 hectares of land close to Belgrade’s city center from the Roaming Group and Robne Kuce Beograd (as reported by CEE Legal Matter on March 12, 2021).

NKO Partners’ team was led by Partner Djordje Nikolic.

Vulic Law has advised the International Finance Corporation on the restructuring procedure of Vino Zupa. 

Vino Zupa is a Serbian wine and beverages company, operating since 1956.

According to Vulic Law, the “IFC is the key lender of Vino Zupa, and its claim has been restructured through a pre-pack plan filed by Vino Zupa, which was adopted by the majority of the creditors.”

Vulic Law’s team was led by Managing Partner Milos Vulic.

Vino Zupa relied on its in-house counsel for the deal.

On 4 June 2021, the European Commission adopted two implementing decisions (Decision no. 2021/914 and Decision no. 2021/915) which contain Standard Contractual Clauses for processing and transferring of personal data and are set in line with the General Data Protection Regulation (2016/679) (“GDPR”) with the hope of bringing about a higher level of personal data protection.

Standard Contractual Clauses (“SCCs”) are a contract appendix with provisions that control the operation of personal data, whose main purpose and function is to ensure the appropriate protection safeguards for transferring personal data outside of the European Union/European Economic Area to third countries (international transfers). SCCs are a clear choice for situations in which data processors or controllers are based in countries recognized by the European Commission as “not safe” from the perspective of ensuring an adequate level of personal data protection.

In this particular case, the SCCs adopted in 2001 and 2010 under the Data Protection Directive 95/46/European Commission are being replaced with the new ones, since they are intended as an improvement over the previous standards. The new SCCs are to be proven as a better solution in the field of long and complex processing chains, as they provide greater flexibility. Besides that, unlike the old SCCs, which only applied on the controller to controller and controller to processor transfers outside of the European Union/European Economic Area, the new SCCs include different modules that parties may select, conclude, and complete, depending on the circumstances of the transfer, such as:

• processor to processor,
• processor to the controller, or
• processor to sub-processor.

Finally, the new SCCs take into effect on 27 June 2021, whilst the old SCCs are not to be repealed straight away but 3 months after the entry into force of the new ones. As far as the usage of the old SCCs goes, they may be used for new data transfers/contracts during the transition period (which amounts to the additional 15 months, i.e. 27 December 2022), but only for the performance of contracts concluded between the data exporters and data importers before the date of their repeal.

By Katarina Zivkovic, Senior Associate, and Aleksandra Bijeljac, Trainee, Samardzic, Oreski & Grbovic

BDK Advokati, working with Sidley Austin, has advised Archer Daniels Midland on the acquisition of Sojaprotein from MK Group, Apsara Limited, Mr. Milija Babovic, and Sliderule Trading Limited. Holman Fenwick Willan advised the sellers on the deal, with Jankovic Popovic Mitic advising Sliderule and Markovic Vukotic Jovkovic advising MK Group, Apsara Limited, and Milija Babovic.

The transaction remains contingent on regulatory approval.

ADM is an American multinational food-processing and commodities-trading corporation. Sojaprotein is a European soybean processing company and provider of non-GMO soy ingredients.

BDK Advokati and JPM previously advised on Sojaprotein and Victoria Group’s sale of Serbia-based Vetzavod to Labiana (as reported by CEE Legal Matters on November 21, 2019) 

BDK Advokati’s team included Senior Partners Vladimir Dasic and Tijana Kojovic, Counsel Bisera Andrijasevic, and Assocaites Jelena Zelenbaba, Jovana Dujovic, Tijana Martinovic, and David Vucinic. 

MVJ’s team included Partner Marko Jovkovic and Senior Associates Jelena Otasevic and Lazar Todosijevic. 

JPM’s team included Senior Partner Nenad Popovic, Partner Nikola Poznanovic, and Senior Associate Bojana Javoric. 

Holman Fenwick Willan’s team included Partners Georges Racine and Alex Kyriakoulis and Associates Craig Grant and Daniel Li.

Sidley Austin’s team included Partner Thomas Thesing, Senior Associates Lauren Bretton, and Associate Hui Zhen Gan.

When advising organisations how to comply their businesses with GDPR, i.e., with the Serbian Law on Personal Data Protection, many times we received answers that organisations apply “best information security practices”. What does this formulation mean?

Up to our understanding, such formulation often stands for an excuse for non-compliance with GDPR. Controllers and processors must perform information security risk assessment and assess risks of business activities (processing activities) for personal data (assess security of processing of personal data) to be able to respond to risks for personal data and risks for rights and freedoms of data subjects, i.e., to apply adequate technical, organisational and legal measures to mitigate identified risks to acceptable level. Those who are familiar with application of information security, Data Protection Directive and GDPR understand that information security is predecessor and corner stone of personal data protection. Security of information systems is integral part of GDPR compliance because information security systems are essential means for processing the personal data.

Risk assessment in GDPR – adequate or fake measures?

To protect confidential business information, efforts of business community and information security experts resulted in adoption and implementation of information security standards. Organisations which had and still have business interest to protect confidential business information could and still can apply requirements defined in information security standards to secure their information systems. Efforts of these organisations should result in certification with information security standards, such as ISO/IEC 27001 – information security management standard (ISMS) from 2013. The key matter in certification process is that an independent accredited body verifies the state of art of information security system and approves security measures in practice. Certification means that any organisation and its business partners can rely on such certificate and be confident with level of information security. However, organisations do not need to have ISMS certificate to protect their information security systems adequately. The pre-conditions for adequate protection of information security are that information security risk assessment based on adequate risk assessment methodology is performed and adequate measures proportional to such risk assessment are implemented. We have advised organisations to apply methodology defined in standard ISO/IEC 27005:2018.

When we started receiving information from organisation that they use “best security practices” to protect their security information system, we were a bit confused. We were confused with the meaning of such formulation and how “best security practices”, can be applied to specific business environments where risks for information security vary in each case. To cope with specific information security level, organisations must apply acceptable risk information methodology, and which measures for information security proportional to assessed risks shall be applied. Without information, security risk assessment, any “best security practices” cannot be verified in practice. When starting to analyse state of art information security within organisations, we came to a conclusion that everybody was “applying best security practices”. We had an impression that organisations “hide” information security measures, practices and possible security breaches due to market competitiveness. However, GDPR substantially changes such practice and imposes obligation for organisation to report data breaches to Supervisory Authority. Most organisations have information security policies, but never formally assessed risks for information security. Using “best security practices” without assessing information security risks is the same as when organisations use “know-how” which does not correspond to their real needs.

For example, when organisation applies technical measures, such as firewalls, computers’ and networks’ scanners, IDS/IPS systems, real time log file scanners, vulnerability real system scanners and similar, these measures may be unnecessarily too expensive and not adequate to real risks for information. In addition, organisational, operational and personal measures may be equally effective but much cheaper than technical measures. On the other side, with rapid development of information technologies and processing of personal data, key stakeholders in Europe came to conclusion that ISMS does not treat protection of personal data sufficiently (primarily treats business data information) and for this reason adopted GDPR. For example, ISMS has nothing to do with processing personal data or profiling or monitoring behaviour of data subjects. The crucial difference is that ISMS helps organisations implement system to protect security of information, while the focus of GDPR is how to use information security system to protect personal data.

Such concept is summarised is Article 24 of GDPR:

“Taking into account:

1. the nature, scope, context and purposes of processing;

2. the risks of varying likelihood and severity for the rights and freedoms of natural persons

the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.

Where proportionate in relation to processing activities, the measures shall include the implementation of appropriate data protection policies by the controller.” Further, when obliging controllers and processors to ensure security of processing, which means not just security of information itself but security of any form of processing personal data, i.e., how information security system is used to process personal data, GDPR defines that, in assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

These provisions shall be interpreted as follows: Besides information security risk assessment, controllers shall consider additional risks sources for personal data (in GDPR: not just information security risks, but, in addition, security of processing of personal data): 1. Nature of processing – whether it is automated processing, semi-automated or manual processing. Automated processing or profiling may cause high risks for rights and freedoms of natural persons such as discrimination; 2. Scope of processing, meaning whether personal data are processed on a large scale or not; 3. Context of processing, meaning context of organisation which processes personal data, for example, the risk is more significant in organisation which sells goods online that in those which only produce food for animals; 4. Purposes of processing, meaning different purposes of processing may result in different level risks for personal data; 5. Organisation must assess “risk of varying likelihood and severity for the rights and freedoms of natural persons”, meaning likelihood and severity of risk impact (breach of confidentiality, integrity and availability of personal data) multiplied by likelihood and severity of risk occurrence (sourced from four main business areas: information technology, processing activities, humans involved in processing and production sector itself). In addition, organisations must assess how breach of confidentiality, integrity and availability of personal data may affect rights and freedoms of data subjects.

For assessment of risks for personal data (security of processing), we apply the same risk assessment methodology as for information security risk assessment but with the focus to security of processing.

Example:

1. Nature of processing: automated processing or profiling of the personal data of clients in one part of the processing operation;

2. Context of organisation: a bank;

3. Scope of processing: one of the major players on the market;

4. Purpose of processing: to make decisions on request for granting loans.

5. Whether breach of confidentiality, integrity and availability of personal data of the clients is low, medium, high or very high and how those breaches may affect rights and freedoms of data subjects.

Based on the risks identified in both risk assessments (information security risk assessment and risk assessment for security of processing), we recommend and provide assistance to organisations to implement adequate organisational, technical and legal measures to mitigate risks identified to acceptable level. Only when organisations implement adequate organisational and technical measures proportional to risks assessed, they can say they are complied with GDPR. 

By Ivan Milosevic, Partner, Andrea Cvetanovic, Senior Associate, JPM Jankovic Popovic Mitic

Managed Entry Agreements consist of various forms of confidential arrangements between pharmaceutical companies and paying healthcare systems that aim to facilitate access to new technologies in public healthcare systems. MEAs make innovative and costly medicines or medical technologies affordable to patients by providing conditional access to a reimbursement system for a limited period and on balanced terms.

In Serbia, the first MEAs emerged in 2016, two years after they were introduced in the Rulebook on Conditions, Criteria, Method, and Procedure for Including Medicines on the List of Medicines Financed by the National Healthcare Fund. The Rulebook mentions four types of MEAs. Cap agreements enable manufacturers to contribute to the cost of the medicines by limiting the number of patients whose healthcare costs are reimbursed by the NHF (volume-cap) or by setting overall budget caps (value-cap). Beside the financial agreements, the Rulebook provides for performance-based “risk-sharing” arrangements or other agreements allowed under the national competition rules.

In practice, however, the NHF relies mainly upon financial agreements. A bonus agreement provides discounts for public purchasers in the form of additional quantities that are delivered free of charge and cross-subsidization, where the price of one medicine is funded from the price of another. From 2016 to 2018 the NHF signed just 28 MEAs, predominantly for List C medicines, which include the most costly and innovative medicines for treating serious diseases.

Very little information is currently shared or published about MEAs in Serbia, since the entire process, including the procurement phase, is kept confidential under non-disclosure provisions in the MEAs. The confidentiality leaves sufficient room for the parties to agree on better reimbursement prices without the threat of external reference-pricing being triggered in other countries. 

MEAs are subject to Serbia’s Freedom of Information Act, but the FIA contains several exemptions that allow public entities to withhold requested information, and MEAs appear to qualify. For instance, disclosing business secrets would be likely to prejudice an interest protected under the law, such that the interest in keeping the information confidential would outweigh the public interest in disclosing the information. The concept of a business secret is defined broadly – according to the relevant rules, a business secret is any undisclosed information that has commercial value because it is not generally known or accessible to third parties who could generate financial benefit by using or disclosing it – so many types of commercial information could potentially be treated as exempt from FIA disclosure.

In addition, in some cases disclosing certain information could prejudice the government’s ability to manage national economic processes or significantly impede the achievement of justified economic interests.

The Information Commissioner (Poverenik za Informacije od Javnog Znacaja) in Serbia usually suggests a narrow interpretation of the exemption. That makes it difficult for public authorities to prove that the public’s interest would be damaged by disclosure. However, we believe that MEAs – at least their financial details, if not their existence – could qualify as exempted information. There are numerous arguments in favor of the benefits generated through MEAs, especially when the NHF is struggling with healthcare budget constraints and needs to use resources efficiently. In situations like this, it seems reasonable to conclude that the public interest in withholding the financial details outweighs the public interest in disclosing them.

However, there is room for a balanced approach that would make the existence of MEAs public while keeping the financial information confidential. For instance, a registry of MEAs that does not reveal the pricing details, or at least making MEA templates transparent, could enable an external evaluation of the entry arrangements and validate that a specific model is beneficial to the healthcare system.

Naturally, MEAs may, at some point, intersect with competition rules, so it is important that they do not inhibit competition from upcoming products. For example, although the three-year duration of MEAs is relatively short, their prolongation could, over time, jeopardize generic entries. Hence, when deciding on extensions of an MEA, especially if a generic entry is imminent, the paying entity should design the commitments under the MEA to make generic competition possible.

By Srdjan Jankovic, Head of Competition and TMC, Petrikic & Partneri AOD in cooperation with CMS Reich-Rohrwig Hainz

This Article was originally published in Issue 8.5 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.

The Law on Electronic Invoicing entered into force on 7 May 2021 (“Official Gazette of the RS“, no. 44/2021). It obliges public and business entities to use the system of electronic invoices for issuing, sending, receiving and storing electronic invoices. On July 9 2021, the government adopted a set of bylaws necessary to implement the law.

Start of application of the Law for public sector entities is as follows:

• Obligation to receive and keep records of electronic invoices as well as the obligation to issue electronic invoices to other public sector entity – 1 January 2022;
• Obligation to issue electronic invoices to a private sector entity – 1 July 2022;
• Obligation to electronically record the calculation of value added tax – 1 January 2022.

Start of application of the Law for private sector entities is as follows:

• Obligation to issue electronic invoices to a public sector entity – 1 January 2022;
• Obligation to receive and keep the records of electronic invoices issued by a public sector entity as well as electronic invoices issued by a private sector entity – 1 January 2022.

The administration of electronic invoicing can be entrusted to specially organized companies – Information intermediaries. The application for creating, exchanging, storing and administering electronic invoices will be provided by the Republic of Serbia, free of charge and available to all entities, which can independently undertake all activities related to electronic invoicing.

Moreover, Article 10 of the Law which stipulates that an electronic invoice is considered to be delivered at the moment of issuance in accordance with the Law. This means that proof of sending by registered mail will no longer be required, which significantly saves time and money.

For participants in legal transactions, especially interesting is the solution that stipulates that if the recipient of an electronic invoice who is a public sector entity does not accept or reject an electronic invoice issued by an electronic invoice issuer, directly or through an information intermediary, the electronic invoice is considered accepted after the expiration of the period of 15 days. This rule does not apply to the private sector. On the contrary, if the invoice is not accepted by the recipient, which is a private entity, upon repeated request, it is considered that it has been rejected.

A special question arises as to the impact and possibility of subsequent challenging in court proceedings at any time when there is an explicit acceptance of invoices issued in this way through the application or when there is the application of legal fiction of accepting invoices from public users. It will be particularly interesting to see whether courts will take the view if this is considered as material acceptance, that is, whether it constitutes recognition of a debt from an undisputed invoice.

Also, in the case when the invoice is considered accepted by public users, the question of justification of the current legal solution is posed, which imposes an obligation on creditors to address the Ministry of Finance before submitting a proposal for execution against users of budget funds. Therefore, if the Law on Electronic Invoicing stipulates the obligation of public sector entities to actively control all invoices issued to them and to challenge them within 15 days, imposing on businessmen and citizens the obligation to resubmit reminders and notifications in the classic form to the Ministry of Finance, acts as an inefficient solution that is contrary to the goals pursued by the Law on Electronic Invoicing.

Certainly, we advise all entities to prepare in time for the transition to the new invoicing regime, bearing in mind that the new regime will be applied from January 1, 2022.

The information in this document does not constitute legal advice on any particular matter and is provided for general informational purposes only.

By Andrej Jelenkovic, Senior Associate, Independent Attorney at Law in cooperation with Karanovic & Partners