Publications Archives - Baker Tilly South East Europe
https://bakertillysee.com/insights/category/photography/
Assurance | Tax | Advisory
Thu, 27 Mar 2025 08:31:04 +0000

Emergency ordinance no. 156/2024 (Ordinance “little train”)
https://bakertillysee.com/ro/insights/emergency-ordinance-no-156-2024-ordinance-little-train/
Wed, 26 Mar 2025 08:49:15 +0000

The post Emergency ordinance no. 156/2024 (Ordinance “little train”) appeared first on Baker Tilly South East Europe.


The new “little train” Ordinance introduces changes regarding the taxation of dividends, the elimination of some tax facilities in the IT, construction and agriculture sectors and lowers the threshold for micro-enterprises.

Romania Tax Overview 2024
https://bakertillysee.com/ro/insights/romania-tax-overview-2024/
Wed, 26 Mar 2025 08:45:34 +0000

What exactly is a “data breach” and what are the obligations of an organisation? | Article by Constantinos Michael
https://bakertillysee.com/ro/insights/what-exactly-is-a-data-breach-and-what-are-the-obligations-of-an-organisation-article-by-constantinos-michael/
Wed, 26 Mar 2025 08:38:19 +0000


A data breach in the European Union (EU) is defined under the General Data Protection Regulation (GDPR) as a security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data. This can affect the data’s confidentiality (ensuring that it is accessible only to those authorized to access it), integrity (ensuring that it is accurate and complete), or availability (ensuring that it is accessible when needed).

Key Obligations under GDPR in case of a Data Breach:

  1. Notification to Supervisory Authority: If a data breach occurs, and it is likely to result in a risk to the rights and freedoms of individuals (e.g., risk of identity theft, fraud, financial loss, or damage to reputation), the organization must notify the relevant Data Protection Authority (DPA) without undue delay, and no later than 72 hours after becoming aware of the breach. This notification should include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences of the breach, and the measures taken or proposed to address it.
  2. Notification to Data Subjects: If the breach is likely to result in a high risk to the individuals’ rights and freedoms, the organization must also inform the affected individuals without undue delay. This notification should be clear and explain in plain language the nature of the breach and the steps the individuals should take to protect themselves.
  3. Data Processor’s Obligation: If the organization in question is a data processor (a third-party entity processing data on behalf of another organization), it must notify the data controller (the organization that determines the purpose and means of processing) of the breach. The data controller is then responsible for notifying the DPA and the affected individuals, depending on the severity of the breach.

Examples of Data Breach:

  1. Textile Company Employee Data Breach:
  • Scenario: A textile company’s employee data, including sensitive information such as home addresses, family details, salary information, and medical claims, is inadvertently disclosed.
  • Obligations: Since this breach involves sensitive personal data, the company must notify both the DPA and the affected employees. Sensitive data like health information increases the risk to the individuals, making it imperative to inform them directly.
  2. Hospital Patient Data Breach:
  • Scenario: A hospital employee copies patient details, including highly sensitive health information (e.g., details about cancer, pregnancy), onto a CD and publishes them online. The hospital discovers this breach a few days later.
  • Obligations: Upon discovery, the hospital has 72 hours to notify the DPA. Due to the sensitivity of the data, the hospital must also inform the affected patients. If the hospital had implemented strong security measures like data encryption, it might argue that the risk to patients is lower, potentially exempting it from the requirement to notify them. However, in this case, the failure to prevent such a breach suggests that appropriate measures might not have been in place, necessitating full disclosure.
  3. Cloud Service Provider Data Breach:
  • Scenario: A cloud service provider loses several hard drives containing personal data belonging to its clients.
  • Obligations: The cloud provider must notify its clients immediately. The clients, depending on the sensitivity of the data and the risk posed by the breach, may then need to notify the DPA and the affected individuals. The responsibility to determine the severity of the breach and the need for further notifications lies with the data controllers (the clients), not the cloud service provider.

Preventive Measures:

To mitigate the risk of data breaches, organizations must implement appropriate technical and organizational measures. These might include data encryption, regular security audits, staff training on data protection, access controls, and data minimization strategies. By doing so, they not only reduce the likelihood of a breach but also limit the impact should a breach occur, potentially reducing their obligations under GDPR.

In conclusion, GDPR imposes strict requirements on organizations in the event of a data breach, particularly when sensitive personal data is involved. The regulations ensure that both authorities and individuals are promptly informed so that they can take appropriate measures to protect themselves.

Amendments on RO e-Invoice, RO e-Transport, RO e-VAT
https://bakertillysee.com/ro/insights/amendments-on-ro-e-invoice-ro-e-transport-ro-e-vat/
Wed, 26 Mar 2025 08:35:49 +0000

Transforming Workplaces: Introducing Paid Leave for IVF Procedures
https://bakertillysee.com/ro/insights/transforming-workplaces-introducing-paid-leave-for-ivf-procedures/
Wed, 26 Mar 2025 08:35:16 +0000

Doing Business Overseas – Cover Story For Inbusiness Magazine
https://bakertillysee.com/ro/insights/doing-business-overseas-cover-story-for-inbusiness-magazine/
Mon, 29 Apr 2024 14:06:53 +0000

From the first years of its operations under the management of Marios Klitou, the firm managed to attract to Cyprus large Greek companies that had invested in Romania and Bulgaria. This prompted the firm’s leadership to follow them into those two Balkan countries: “At the time these were two EU accession states, a fact that provided a guarantee both for their further development and for the success of our own efforts in their business arena”, explains Savvas Klitou. That is how the first foreign subsidiary came to be created in 2001, specifically in Romania, while in 2003 the firm became a member of the international Baker Tilly network, making that year a milestone in its history. In quick succession, operations expanded to Bulgaria in 2005 and to Moldova in 2007. The most recent expansion was into Greece in 2017. “All markets have their particularities, different attitudes and cultures, which affect the way they receive foreign investors. I can say that the reception has been very positive in all the countries in which we operate.”

The firm’s services abroad are the same as those offered in Cyprus, with only minor variations in matters of compliance with the rules of each market. Baker Tilly’s main advantage, according to Mr Klitou, lies in the fact that it can offer services in all five countries through a single contact in the country of the client’s choosing (single point of contact). At the same time, every department of the firm in any of those countries can offer clients, under the broad umbrella of Baker Tilly South East Europe, services that draw on the experience and knowledge of all the firm’s offices in the region.

As we turn the conversation to the challenges of expanding through subsidiaries abroad, Savvas Klitou underlines that his experience has taught him two things. The first is that the difficulty of building something abroad, compared with Cyprus, is proportionally 1:10. The second is that offices abroad cannot be managed by remote control; you have to be present. Otherwise, he considers the problems to be the same, particularly with globalisation and the development of technology. In any case, Baker Tilly South East Europe has developed its own reporting system, which allows the successful operation and monitoring of its activities everywhere. “The digital transition has made the processes of quality and performance management much easier and more efficient. We invest continuously in new technologies and systems, with the basic aim of improving the level of the services offered, but also of giving our people the best opportunities to develop.” It is worth noting that Baker Tilly South East Europe is now considered the key link for the Baker Tilly International network in the Balkans and the Eastern Europe region.

And what is the ingredient of its success? Mr Klitou speaks of one and only one triptych: hard work, professionalism and the choice of the right team of associates can send a firm’s activities sky-high.

Source: https://inbusinessnews.reporter.com.cy/inb.imh.com.cy.html#/reader/51017/1803958

Key EU Laws Impacting Businesses In 2024
https://bakertillysee.com/ro/insights/key-eu-laws-impacting-businesses-in-2024/
Mon, 29 Apr 2024 13:56:08 +0000

Three important EU laws that we should look out for in 2024

Article by: Constantinos Michael, Director – Legal Services, Baker Tilly South East Europe

Considering that 2023 was the “year of AI”, 2024 already looks set to be quite similar. There is great hype about envisaged and proposed legislation at EU level on these matters, and organisations are already working to understand their current (and forthcoming) obligations under these acts and to put in place the governance frameworks needed to meet them, which does not seem to be an easy task.

In a nutshell and according to the EU’s legislative agenda, it seems that nearly forty digital sector laws are still in negotiation or planned as initiatives.

We focus here on three of these laws which, judging by the volume of legal commentary in print and online, are considered to have a heavy impact on many businesses from 2024 onwards.

NIS2 Directive

The NIS2 directive, or the Network and Information Systems Directive 2, is a European Union directive aimed at enhancing the cybersecurity and resilience of critical infrastructure and digital services. NIS2 repeals and replaces the NIS1 Directive and is designed to harmonise the approach to cybersecurity among EU member states. Some important points of the directive (coming into force in October 2024), which broadens the scope of the previous Directive, include:

Scope: It applies to operators of essential services (OES) in sectors such as energy, transport, banking, financial market infrastructures, health, water supply, and digital infrastructure, as well as to digital service providers (DSPs) such as cloud computing services, online marketplaces, and search engines. In certain cases (in the “essential” and “important” sectors) it will apply regardless of the organisation’s size, and it will also apply to medium and large entities (i.e., those with fewer than 250 employees and an annual turnover below €50 million) in those sectors. Small entities — those with fewer than 50 employees and annual turnover below €10 million — are largely exempt, unless the entity is important to the functioning of the EU member state.

Obligations: OES and DSPs are required to implement risk management measures, report incidents to national authorities, and adhere to security and incident notification requirements. New enhanced obligations will relate to cybersecurity, governance and incident management.

Cooperation and coordination: Member States are encouraged to cooperate and coordinate with each other to ensure effective implementation and response to cybersecurity incidents.

Supervisory authorities: Each Member State is required to designate one or more competent national authorities to oversee compliance with the directive and handle incident response. For a breach of its reporting obligations, an essential organization could receive a maximum fine of the greater of €10 million or 2% of worldwide annual turnover for the previous financial year, while fines for important entities can be up to the greater of €7 million or 1.4% of worldwide annual turnover.

DORA

The Digital Operational Resilience Act (DORA) is part of the EU’s Digital Finance Package, a bloc-wide cybersecurity regulatory initiative for the financial services sector, and is intended to come into force in early 2025.

Scope: DORA applies to a wide range of entities, including credit institutions, investment firms, central counterparties, central securities depositories, data providers, cloud computing service providers, and more. It covers both financial entities and digital service providers.

Objectives: DORA aims to ensure the continued provision of critical services in the digital sector and to enhance the overall operational resilience of financial entities. It focuses on preventing and mitigating cyber incidents, ensuring robust incident response capabilities, and enhancing coordination among relevant authorities. Its main obligations can be grouped into (a) governance and controls, (b) ICT risk management, (c) incident reporting and (d) third-party contracting.

Cyber Resilience Act

The Cyber Resilience Act (CRA) seeks to set European-wide cybersecurity compliance standards for digitised products that are manufactured / sold in the EU. The law was agreed by the EU legislative bodies in November 2023; it will likely be passed early next year and take effect in 2025.

The CRA places requirements on manufacturers to protect European consumers against cybersecurity risks and to report vulnerabilities within 24 hours, and it places obligations on manufacturers, importers and distributors to ensure that products meet high cybersecurity standards. These include undertaking risk and conformity assessments and ensuring that the products they import bear CE markings and carry other transparency information.

Penalties under the CRA are similar to the GDPR provisions. A manufacturer that does not meet its obligations can be subject to a fine of up to the higher of €15 million or 2.5% of total worldwide annual turnover. Other infringements can lead to similar fines up to a percentage of global annual revenue. If incorrect, incomplete or misleading information is given to authorities in response to a request, fines may once more be imposed.
