Intellectual property

Black Friday is unquestionable one of the most profitable and busiest days of the year for retail, particularly online. Worldwide almost all online store do offer sales or special promotions on Black Friday or Cyber Monday. Already after this practice has established online, a trademark for "BLACK FRIDAY" was registered in Germany back in 2013. In 2016 a Chinese company acquired the trademark and then filed in 2017 for its extension to Austria. Based on the registered trademark, it granted exclusive rights to an Austrian company, which licensed usage rights to various partner stores against remuneration. Further, an exclusive "Black Friday-Cooperation Program" was established. Non-partners who used the event name or trademark were prosecuted and requested to either pay a license fee or refrain from running Black Friday promotions. Some followed the request and entered into license agreements. Some, however, did challenge the validity of the trademark. Finally, respective proceedings to check the actual protection of the trademark were initiated. Austrian courts now held that the trademark "BLACK FRIDAY" is not protected in Austria. Black Friday is unquestionable one of the most profitable and busiest days of the year for retail, particularly online. Worldwide almost all online store do offer sales or special promotions on Black Friday or Cyber Monday. Already after this practice has established online, a trademark for "BLACK FRIDAY" was registered in Germany back in 2013. In 2016 a Chinese company acquired the trademark and then filed in 2017 for its extension to Austria. Based on the registered trademark, it granted exclusive rights to an Austrian company, which licensed usage rights to various partner stores against remuneration. Further, an exclusive "Black Friday-Cooperation Program" was established. Non-partners who used the event name or trademark were prosecuted and requested to either pay a license fee or refrain from running Black Friday promotions. Some followed the request and entered into license agreements. Some, however, did challenge the validity of the trademark. Finally, respective proceedings to check the actual protection of the trademark were initiated. Austrian courts now held that the trademark "BLACK FRIDAY" is not protected in Austria: The court held that the word "BLACK FRIDAY" cannot be monopolised in Austria, since it lacks of distinctiveness. The term is mere generic. Therefore, the international registration for Austria has been refused. The decision is final and enforceable. Thus, anyone may use the popular advertising term "BLACK FRIDAY" in Austria for free without the need of entering into license agreements and to pay remunerations. If a company entered into a license agreement in the past, one may possibly challenge the payment obligation thereunder. However, the decision covers only the word trademark. Any registered sign combining a distinctive word and figurative design with the term is not covered. Further, no one is entitled to make the impression to be member of the Black Friday-Cooperation Program without having entered into a respective agreement. Thus, any promotion using the term Black Friday should be checked to comply with the outlined framework. The decision is also limited to Austria. In other jurisdictions, the trademark might still be enforceable, although also challenged. In Germany, for example, the basis mark is challenged in court proceedings which is now pending before the Federal Patent Court as court of appeal. Thus, one has to be cautious with for e-commers business typical cross border marketing campaigns not to infringe still valid registrations in other jurisdictions. Axel Anderl, Managing Partner and Head of the IT, IP and Data Protection Practice at DORDA Rechtsanwälte GmbH Alexandra Ciarnau, Associate and member of the IT, IP and Data Protection Practice at DORDA Rechtsanwälte GmbH

Processing operations subject to the requirement of a data protection impact assessment. Following the "White List", the data protection authority has now also issued the long-awaited "Black List" in form of a binding regulation. This provides greater clarity as to when Data Protection Impact Assessments ("DPIA") are actually to be carried out in practice in Austria. As already in the draft, the regulation does not provide an exhaustive list of processing operations that are subject to the requirement. Rather, the regulation specifies criteria - some of which require further interpretation - which shall make it necessary to carry out a detailed examination. Art 35 GDPR establishes the requirement for controllers to carry out and continuously update DPIA if the data processing is associated with a "probably high risk" for the data subjects. In practice, however, it is sometimes difficult to assess when such a high risk is to be expected. Art 35 Para 5 GDPR therefore stipulates that the Data Protection Authorities shall provide a list of processing operations ("Black List") which are subject to the requirement of a DPIA in any case. This shall make the vague criteria more tangible for the controllers and processors and at the same time to serve as an aid to interpretation. After a first draft of the Austrian Data Protection Authority had circulated a few weeks ago, the corresponding regulation of the authority on processing operations for which a data protection impact assessment is to be carried out ("DSFA-V") was published on 9 November 2018. As previously explained by DORDA data protection experts, this is a supplement to the existing Austrian White List, which as opposite exempts certain processing operations from the obligation to carry out a data protection impact assessment since 25 May 2018. In a nutshell, the recently issued Black List distinguishes between processing operations where a DPIA must already be carried out in the case of one criterion and those where at least two different criteria must apply cumulatively in order to trigger this obligation. However, data processing operations that are already included in the White List are expressly excluded from the requirement of a DPIA. This establishes a meaningful link between the two lists. In practice, both regulations have to be reviewed in parallel when assessing the necessity of a DPIA. The issued Black List largely corresponds to Data Protection Authority's previously published draft. One welcomed aspect is that the critical comments on the draft by European Data Protection Board - which is also chaired by Dr Jelinek - have been taken into account: For instance, the mere existence of joint controllers as a trigger for an obligation to carry out a DPIA has finally been deleted. As a result, each of the following criteria for itself triggers the requirement for a DPIA: Ratings or classifications (including profiling and forecasting) in case of potential adverse effects; Profiling and automated decision making; Monitoring, surveillance or control of data subjects, in particular in public areas; Data processing using or applying new or advanced technologies or organisational solutions, in particular artificial intelligence or biometric data processing; Merging and/or comparing data sets resulting from more than one processing operation, where such merging and/or comparing may lead to adverse decisions; Data processing in the personal area - even with consent With regard to employment relationships, there is a (reasonable) exception for processing operations already authorized by a plant agreement (consent of the works council) or the consent of the staff representatives. This is most likely based on the appreciated consideration that in such cases the involvement of a concrete body who represents data subject's interests and thus ensures control of the measures and sufficient reconciliation of interests. Thus, no further examination is required. A data protection impact assessment shall also be carried out if at least two of the following criteria are met:         · Large-scale processing of special categories of personal data;         · Large-scale processing of data on criminal convictions and offences;      · Collection of location data as defined in the Telecommunications Act (Telekommunikationsgesetz – TKG); ·  Processing of data on persons in need of higher protection (e.g. minors, employees, patients, mentally ill persons and asylum seekers); · Merging and/or comparing of data sets from several processing operations, provided that they are processed for purposes other than originally intended. However, it is still unclear what "large-scale" processing means. Recital 91 only provides the well-known negative definition that data processing should not be considered to be on a large scale if the processing concerns patients or clients of an individual physician or lawyer. At the same time, however, it is not possible to deduce when the threshold of large-scale processing is reached. Both regulations - Black and White List – now provide for greater clarity as to when and under what circumstances a DPIA is required. Nevertheless, in practice, there is still room for interpretation due to the purposes and criteria, some of which are only roughly explained. It will therefore be up to the practical exercise and, above all, the decisions of the national Data Protection Authorities and, in particular, the European Court of Justice, to provide for sharper distinctions in this regard. Authors: Axel Anderl, Felix Hörlsberger, Nino Tlapak, Dominik Schelling, Alexandra Ciarnau

New legislation regulating e-cigarettes in the Czech Republic entered into force on 1 March 2017, introducing specific safety and quality requirements on e-cigarettes in the country for the first time. read more...