Legal Brain

From the perspective of the seller of a company (or business), the section of the contract concerning the limitation of its liability should not be missing. Moreover, it must be sufficiently well drafted to ensure that liability is limited both in time and in value. In this respect, several concepts are regularly used in SPAs: de minimis amount, tipping/spilling liability basket, maximum liability cap, liability period, limitations given by the time of notification to the seller of an event which may give rise to liability under the contract (in fact, further conventional limitation periods – in Romanian “termene convenționale de decădere”). In this article, we will briefly address each of these concepts.

De minimis amount

An example of the de minimis amount could be this: "The Seller shall not be liable for a claim unless: [ ] the Seller's liability in respect of that claim (together with any related claim) exceeds the amount of [●] EUR."

The purpose of introducing such a clause is to set a minimum value that the buyer's claims under the sales contract must reach for the seller to be liable to pay damages. The effect is that the seller will only be held liable for defects in the assets sold or breaches of representations and warranties which give rise to damage which the parties consider to be sufficiently substantial, while the seller will not be held liable for minor damages.

Cumulative minimum values - tipping / spilling liability basket

The minimum value clause can be combined with a minimum cumulative values clause i.e. liability basket. An example of such a clause could be this: "The Seller shall not be liable for a claim in respect of its warranty obligation unless: [1] the Seller's liability in respect of that claim (together with any related claim) exceeds [●] EUR [and] [2] the amount of the Seller's liability in respect of such claim, either individually or when aggregated with the Seller's liability for all other claims exceeds [●] EUR, in which case the Seller shall be liable for the whole amount and not just for the excess."

Our example above considers a tipping basket, which means that once the thresholds have been reached, the seller will be liable for the full amount demanded by the buyer. By contrast, a spilling basket refers to the fact that, once the value thresholds have been reached, only the amount of the claim exceeding the threshold will be indemnified by the seller.

In practice, if the parties agree to a de minimis plus basket seller liability limitation mechanism, a tipping basket will usually be adopted, rather than a spilling basket, as the latter represents an even more aggressive limitation of the seller's liability - which buyers seem to find difficult to accept.

Liability cap

The contract for the sale of a company (shares/stock or goodwill) may provide for a maximum total value cap for the seller's liability. Such a liability cap is an extremely useful tool for the seller to manage the risk arising from the signing of the sale contract, as the maximum limit of his/her/its liability under it is known at the time the contract is concluded.

Conventional liability period

According to Art. 2517 of the Romanian Civil Code, the general limitation period (applicable also to claims that could arise from a SPA) is 3 years. Art. 2515 of the Civil Code allows for the parties to agree on contractual limitation periods, if they observe certain limits laid down by law.[1]

In the context of an SPA, the seller will want to set specific limitation periods shorter than the statutory period to limit the time up to which the buyer can make claims based on the sales contract.

Limitations created by the time of notification to the seller of an event which may give rise to liability under the contract – further conventional limitation periods (Romanian, “termene de decădere convenționale”)

The Romanian Civil Code provides in Art. 2545 the possibility for the parties to establish by their own will further limitation periods applicable to the legal relationship between them.[2] These limitations have a different legal regime than the concept of “limitation period” and are a different legal concept under Romanian law.

Typically, SPAs include clauses providing for the parties' agreed procedure for handling claims that the buyer may make against the seller for damages under the warranty for defects, but also under the contract for breach of the seller's representations and warranties. These clauses may work to the advantage of the seller if they set agreed limitation periods after which the buyer will no longer be able to exercise his/her/its right to claim under the contract.

For clarity, this is a simple example of such a contractual mechanism for handling the buyer's claims: "The Buyer shall notify Seller of the occurrence of circumstances relating to a Breach in the form of a substantiated notice (a "Notice") which shall list in detail the facts underlying the Notice, including (i) the basis of the claim (ii) the estimated amount of the loss and (iii) any other facts and circumstances relevant to the claim) ("Claim") within [●] business days of the date on which the Buyer became aware (or the date on which the Buyer ought reasonably to have become aware) of the occurrence of the circumstances relating to a breach of the representations and warranties."

The time limit agreed by the parties for sending the Notice therefore operates as a conventional limitation period (Romanian, “termen de decădere convențional”), failure to comply with which effectively renders the buyer unable to enforce his/her/its claims.

[1] Art. 2.515 Civil Code: (1) The statute of limitations is regulated by law. (2) Any clause by which either directly or indirectly an action would be declared not time-barred, even though, according to the law, it is time-barred, or conversely, an action declared by law not time-barred would be considered time-barred, is prohibited. (3) However, within the limits and under the conditions laid down by law, parties who have full capacity to exercise their rights may, by express agreement, alter the duration of limitation periods or change the course of the limitation period by fixing the commencement of the limitation period or by changing the legal grounds for suspending or interrupting it, as the case may be. (4) Limitation periods may be shortened or extended by express agreement of the parties, but the new limitation period shall not be less than one year nor more than 10 years, except that limitation periods of 10 years or more may be extended up to 20 years. (5) The provisions of paragraph (3) and (4) shall not apply to rights of action which are not available to the parties or to actions arising from contracts of adhesion, insurance and those subject to consumer protection law. (6) Any agreement or clause contrary to the provisions of this Article shall be null and void. [2] Art. 2.545 Civil Code: (1) By law or by the will of the parties, time limits for the exercise of a right or the performance of unilateral acts may be established. (2) Failure to exercise a subjective right within the established time limit entails its loss, and in the case of unilateral acts, the prevention, under the law, of their performance.

#lclegalproof #databreach #dataprivacy #personaldata #GDPR

There is no doubt that the management’s focus is on the continuous growth of the business, but such endeavours need to happen in a legally compliant manner.

Each department of a business has its own, specific, legal challenges. One topic, though, is or to some extent should be, a common concern of all departments, namely the topic of data privacy compliance.

To a certain degree, personal data is processed by the HR department, but also by marketing, sales, accountancy, even by the administrative department which handles the correspondence of the company through the office desk or is doing the continuous monitoring of the spaces through the CCTV system.

These topics are for sure not new or unfamiliar to businesses. That is why, the aim of this article is to recall some of them which are still disregarded or not properly implemented, and which raise major red flags in respect of data privacy compliance. If technical/IT protection measures are given a high enough importance, in most cases those of an organizational nature, which seem less likely to generate risks, are given a low importance even though, in most cases, human error is the biggest source of risk.

Hence, from practical perspective, how much, to what extent and in what circumstances the collection and use of private information about individuals is allowed might still be current questions to ask each time the company needs to process personal data.

Let’s see some examples of non-compliant practices that companies need to eliminate from their daily data processing activity.

Why eliminate them? Because every manager needs:

• to protect the business growth from fines;

• to protect the company’s image and reputation on the relevant market;

• to make sure that the company is compliant with the contractual obligations undertaken by it towards its business partners.

Here is our blacklist for data privacy related conduct that companies need to keep away from:

1. Sending significant quantities of personal data by email, without protection or communication of passwords needed for accessing it using the same means of communication or, even worse, in the same email. Protecting the documents sent by email with passwords is a safety belt in case, by mistake, the sender chooses the wrong email address from the Outlook address book. The risk of sending an email to a wrong addressee is potentially higher than a cyberattack on the email server! So, use the safety belt and use password protection or other secured way of transmission of data.

2. Disregarding the fact that the business email addresses containing the name of the company’s employees/representatives are personal data too and the prior consent from such data subjects for sending marketing communications is needed.

3. Sending marketing communications even after the targeted individuals exercised their opposition right to such processing or even the right to be forgotten. Keeping up to date records of those contact details which opted-out for marketing communication or required the erasure of their personal data is highly recommended.

4. Disregarding the minimization principle. Do not collect and use more personal data that you need for the specific purpose you envisage. The person in charge with the processing for a specific purpose should make up a list of the categories of personal data that might be needed for that purpose and then ask herself why each category is needed. It should not come as a surprise to see that they will not find a reasonable and objective explanation for processing some categories of personal data. If such happens, for that purpose, there is no need to process such category of data.

5. Starting the processing activity without the prior notification of the data subjects. Provide Notice of information to individuals before collecting their personal data. They need to know, before disclosing their personal data what the company is going to do with their data and for how long. Use the contracts signed with individuals or legal entities to provide such Notice of Information, use the company’s website to communicate such information, use the company’s social media account(s) for this purpose. The most important aspect is to communicate it to the data subjects in a way that ensures that they are properly informed.

6. Asking for the consent of the employees for the processing of their data for labour purposes. Relying on consent, as legal basis for processing, should be avoided in a labour relationship. The processing of data related to labour contracts has other legal grounds of processing, such as, the execution and performance of the labour contract, fulfilment of legal obligations and the employer’s legitimate interest. We note that there might be cases when the legal basis for processing employees’ personal data should be consent; however, they need to be analysed on a case-by-case basis.

7. Not applying the “clean desk” rule and forgetting printed documents at the printer or elsewhere, in unsecured places of the office. If someone takes the paper comprising personal data, this is clearly a data leak and a potential security incident.

To management: have you recently asked yourself whether any of the members of your staff could be in a position of conflict of interests?

If this is a topic that was already approached by your company and, as a result, rules in this regard have been implemented within the organisation, this is a great thing! The company’s compliance team may now concentrate their efforts on reminding such rules to the staff from time to time and on being sure that they are properly observed.

If not, maybe this is the right time for a close introspection into the organization to see whether:

- the concept of conflict of interests has ever been brought to the staff’s knowledge,

- it has been understood well, whether

- there are comprehensive guidelines in place to allow staff members to find answers should their actions ever come in conflict with the company’s interests, and whether

- the active avoidance of situations raising conflict of interests is on your staff members’ agenda.

Why do you need to be prepared and take a cautious stance? At least for three reasons:

1. to protect your company’s business,

2. to protect your company’s image and

3. to avoid breaching any contractual obligations you might have with your clients.

In case you are wondering, the answer is no, your company, a business acting in the private sector, is not so well protected by the applicable Romanian law. Hence the need for your company to create its own internal rules in this regard. In their absence, proving a breach of the loyalty obligation based on some conflicts of interest would be quite challenging for you.

While Romanian legislation concerning the public sector is quite generous in regulating conflict of interests of those holding a public office, in the private sector employers may rely on a single provision of the Labour Code (article 39 para. 2 letter d) which indicates that “employees have the obligation of loyalty to the employer in the course of performing their duties”. Nothing else!

What does this “loyalty obligation” mean though? We are quite sceptical that the immediate reaction of an employee reading about this obligation in their labour agreement (a standard provision) would be to think about situations concerning conflict of interests.

In the absence of clear guidelines, relying on the staff members’ due care and capacity to correctly assess a potential conflicting circumstance might not lead to the desired outcome. This would not necessarily be a result of bad baith, but merely a consequence of knowledge and awareness in this regard.

What is “conflict of interests” though?

“Conflict of interests” refers to a situation where an employee, acting in the performance of their duties within the company, takes actions or decisions that are favourable to them, personally, and that are less favourable (or even harmful) for the company, as employer.

To avoid being in a situation of conflict of interests when performing their duties, employees should avoid any circumstances in which their decisions would be influenced by their own personal interests.

Is “personal interest” related only to employees?

The concept also covers conflicting interests relating to the employee’s spouse and close relatives (such as children, parents). This means that, in the context of their work, employees should not act in favour of their close ones, but solely in the company’s favour.

What limits should be set for employees when they are mandated to bind the company in contractual relationships with third parties (e.g. services providers) and what rules should they observe to avoid drawing a personal gain for them or for their family members?

The answers to such questions depend on the company’s activity and industry field, as well as on the nature of the job positions in the organizational chart. Generally, employees should not be allowed to bind the company in acquiring services or products which, directly or indirectly, benefit themselves or their spouses/relatives. Otherwise, such actions may be found in conflict with the company’s interests and result in the – bluntly said – exploitation of the company’s interests for personal gains.

Clear rules, periodical declarations of conflict of interest and the prior approval of the management for any decision that might give rise to a case of conflict of interests are absolutely necessary for a good protection of any business.