to the point: technology & digitalisation l April 2025

As we move through the spring season of 2025, we once again find ourselves navigating the rapidly evolving world of technology and digitalisation, encompassing a wide array of news, updates and topics. This newsletter highlights key legal updates, including the Austrian Accessibility Act, Germany's landmark decision on Employee Stock Option Plans (ESOP), Poland's Supreme Administrative Court decision on the processing of personal data of a car lessee after the expiration of the agreement, as well as guidelines issued by the Polish supervisory authority on data protection impact assessments.

One of the current trends in the (deep) technology sector are university spin-offs as innovation drivers in Europe. The European Commission's recent report (Spin-offs: Reinforcing a Vector of Value Creation for EU-27) emphasises their crucial role for innovation and economic growth in Europe and suggests aligning academic funding with venture capital expectations. Thus, this newsletter also features an interview with Noctua Science Ventures, a new spin-off initiative resulting from a partnership between TU Wien and Speedinvest, offering insightful information on the world of spin-offs in the technology sector.

We would also like to draw your attention to the upcoming Schoenherr Tech Night 2025 on 8 May 2025 in Vienna, where experts will discuss AI developments, EU digital regulations and cyberwarfare, including an interview with military expert Franz-Stefan Gady.

Interviewers: Thomas (Schoenherr)
Interviewee: Philipp Stangl (Noctua Science Ventures)

Thomas: Philipp, thank you for taking the time to speak with us about Noctua Science Ventures. Could you briefly introduce Noctua and explain its objectives?

Philipp: Thank you, Thomas. Noctua Science Ventures is a newly established spin-off initiative that stems from a partnership between TU Wien and Speedinvest. Our central aim is to harness the pioneering research conducted at Austrian universities and research institutions and transform these findings into commercial ventures. By leveraging both academic resources and investment know-how, we help propel high-potential scientific ideas into the marketplace. Ultimately, we seek to create successful companies that advance technology, drive innovation and contribute to the growth of the tech ecosystem in Austria and beyond.

Thomas: University spin-offs are quite an exciting space. What do you believe are the main benefits of forming a spin-off in the technology sector?

Philipp: Spin-offs offer many advantages for both universities and entrepreneurs. First, they enable academic innovations to be applied in a commercial context, which can bring real-world impact to scientific discoveries. For universities, this adds reputation and potential revenue streams, fostering further research. For founders, spin-offs typically provide a strong initial support network—including collaboration with faculty, access to specialised equipment, and often a ready-made community of mentors and advisors. Plus, by engaging investors at an early stage, spin-offs increase their chances of scaling and succeeding in competitive technology markets.

Thomas: Indeed. What are some issues that come up when structuring a spin-off?

Philipp: The structuring of a spin-off depends heavily on local laws, but there are a few key areas to keep in mind.

The first is intellectual property—or IP. Defining ownership and licensing rights between the university and the new venture is essential. Typically, universities own the IP created by their researchers, so it's crucial to have a clear licensing or assignment agreement in place.

Then there's shareholding and governance. Determining who holds equity—whether researchers, the university or other strategic partners—and establishing governance structures, like advisory boards or specialised management teams, can become complex.

Next is funding and investor relations. Negotiating term sheets, ensuring compliance with applicable regulations, such as state aid or public funding restrictions, and clearly allocating risk and rewards among investors and founders are crucial steps.

Finally, there's employment and academic commitments. Researchers who are also spinning out a venture may need to clarify if they can hold dual roles—say as academics and entrepreneurs. Conflicts of interest or time commitments must be managed properly.

Thomas: How does Noctua specifically support the commercialisation process once the spin-off is formed?

Philipp: We support spin-offs on multiple fronts. First, we aim to invest in pre-seed rounds as "first-cheque investors" and later open doors to seed or Series A investors. Second, we connect founders with mentors, academics and industry experts who can help reach the next technology milestones. Third, we help manage day-to-day challenges—everything from refining business models to navigating compliance. In other words, we aim to act not just as financiers but as partners, ensuring the spin-off has every tool necessary to succeed in a competitive tech market.

Thomas: From a founder's standpoint, what are some common pitfalls you see, and how can they be avoided?

Philipp: One significant pitfall is underestimating the complexity of IP ownership and commercialisation rights. When researchers develop technology within a university setting, early clarity on who owns what—and on what terms—is vital. Another pitfall is neglecting robust corporate governance, which can lead to future disputes. Lastly, founders often overlook regulatory or industry-specific compliance measures. In fields like medtech or AI, for example, certain certifications or privacy protocols may be critical for market entry. Getting these elements in place early can save a lot of complications down the road.

Thomas: What advice would you give universities that want to increase their efforts in the field of spin-offs?

Philipp: A spin-off initiative is most successful when you cultivate a culture of entrepreneurial thinking within the university. This requires administrative support, clear IP policies, and collaborations with investment partners like us who understand the complexities of early-stage tech ventures. By combining academic expertise with efficient legal structures and strategic funding avenues, universities can create an environment where meaningful innovations thrive and achieve real-world impact.

Thomas: Philipp, thank you for sharing these insights. It's clear that Noctua is positioning itself as a very interesting player in supporting university spin-offs. We at Schoenherr are proud to have advised Speedinvest in this effort, and we look forward to seeing Noctua's progress in fostering next-generation technologies.

Philipp: Thank you, Thomas. It was a pleasure discussing Noctua's vision. We appreciate the legal support from your team and are excited to see the impact these spin-offs will have on the tech sector.

If you would like further information regarding legal considerations for university spin-offs or Noctua Science Ventures, please feel free to reach out to our Schoenherr team.

1. Between incentive and insecurity: The legal challenge of vesting

Employee Stock Option Plans (ESOP) and Virtual Stock Option Plans (VSOP) have become essential tools for employee incentives, especially in the start-up sector. ESOPs provide employees with actual shares, granting them full ownership rights. In contrast, VSOP virtual options, so-called "phantom shares", reflect the value of real shares but do not involve legal ownership. Under a VSOP, employees are entitled to a cash payout only if certain contractual conditions are met, such as reaching a minimum employment duration or the occurrence of an exit event.

Both models usually follow a vesting schedule, typically over a four-year period, to promote long-term commitment. During this period, employees gradually acquire exercisable rights, often starting after a one-year cliff, with additional portions vesting on a monthly or quarterly basis thereafter. However, questions arise when an employee leaves the company before vesting is complete or during the vesting phase. Are the unvested options lost entirely? Do already vested rights remain?

Many companies include so-called "Good Leaver" and "Bad Leaver" clauses to define what happens to virtual shares when an employee leaves the company. Employees considered Good Leavers, for example due to retirement, illness or termination for operational reasons, generally keep their vested options and may exercise them under the agreed terms. Those classified as Bad Leavers, such as individuals who resign or are dismissed for misconduct, typically lose all rights, including already vested options.

Germany's Federal Labor Court (Bundesarbeitsgericht, BAG) recently addressed these questions in a landmark decision concerning ESOP forfeiture clauses. The decision may have a significant impact on how equity participation schemes are structured under German labour law in the future.

2. The case: forfeiture after resignation

On 19 March 2025 (10 AZR 67/24), the BAG ruled on a case involving virtual stock options granted to an employee under an ESOP agreement. The plan, structured through standard terms and conditions, required a four-year vesting period and an "exercise event" (such as an IPO) before the options could be cashed out.

However, when the employee resigned voluntarily, he was informed that all his vested options were forfeited simply because he had initiated the termination. In addition, a separate clause accelerated the expiration of unvested options, causing them to lapse at double the normal rate.

According to the press release from the BAG, the clause was considered unfair to the employee under Section 307(1) and (2)(1) of the German Civil Code (BGB). However, the two lower courts assessed the matter differently and did not consider it an unreasonable disadvantage. The BAG argued that vested stock options at least partly represent compensation for work that has already been performed. Therefore, allowing them to expire would conflict with the principle laid out in Section 611a(2) of the German Civil Code (BGB), which states that work must be compensated.

With this decision, the BAG expressly deviates from its previous case law on the expiry of stock options, which it had set out in its 2008 decision (10 AZR 351/07). At that time, the court had considered such clauses to be permissible, arguing that stock options were clearly speculative in nature compared to other forms of remuneration. Employees could not rely on their value and were therefore less deserving of protection. According to the press release dated 19 March 2025, this view is no longer held.

As of now, only the press release is available. The court's full written opinion, including detailed legal reasoning, is still pending.

3. Questioning the "devesting" clause

The court also examined the clause of the ESOP agreement that aimed to reduce the value of unvested options after the end of employment. Specifically, it stipulated that virtual shares would expire twice as quickly after departure as they had vested during employment.

While this may have been intended to reflect the employee's diminishing influence on company value after leaving, the court found it unreasonably one-sided. Given the four-year vesting period with a one-year cliff, the employee had already made a substantial contribution. Accelerating the forfeiture failed to account for this work, and since the employer did not offer a compelling reason for such a short post-termination window, the clause was deemed unfair.

4. A shift in judicial perspective?

This ruling suggests a growing judicial awareness of power imbalances in employment relationships, particularly when it comes to incentive plans. The BAG appears to be taking a more employee-protective stance, especially when such plans are unilaterally drafted by employers and embedded in standard agreements.

The message is clear: once rights have vested, they carry a certain legal weight. They can't be taken away by default, especially not through one-sided provisions that ignore the employee's prior contributions. In essence, courts are beginning to treat these plans with the same rigour as core contractual terms, especially at the moment of exit.

5. What lies ahead

While the full judgment is still to come, companies with ESOP structures, especially those operating internationally, should begin reassessing their contracts now. Clauses that strip vested rights or accelerate forfeiture post-termination may no longer hold up in court unless they are very carefully drafted and justified.

The takeaway is simple but powerful: fairness doesn't end when employment does. As participation plans become more widespread and complex, they also need to become more legally sound—and more balanced.

Importantly, the ruling does not address unvested rights. It is also important to note that internationally active corporate groups may continue to structure stock option plans through foreign entities, separate from the employment relationship. If properly drafted, such plans may fall under foreign law and thus avoid the strict requirements of German contract law.

The end of secrecy? Austrian Beneficial Owners Register Act (WiEReG) goes all-in on trust transparency

1. The stage is set: FATF triggers rapid reform

Austria's latest amendments to the Beneficial Owners Register Act (WiEReG) are anything but routine. Triggered by the looming on-site evaluation by the Financial Action Task Force (FATF), the Austrian legislator moved with urgency to address long-standing transparency gaps, especially in the realm of trust and nominee arrangements. This article provides an overview of the latest changes to disclosure requirements for such trust structures.

In late 2024, Austria passed its latest amendment to the WiEReG as part of the Financial Market Anti-Money Laundering Alignment Act (FM-GwG-Anpassungsgesetz), with the core objective of aligning the domestic regulatory framework with the FATF's latest "Guidance on Beneficial Ownership for Legal Persons". Central to this alignment is the introduction of comprehensive disclosure requirements for nominee agreements, long seen as a vehicle for obscuring true ownership.

2. Trust but verify: new obligations for relevant trust arrangements (BGBl I 2023/97)

Before turning to the most recent amendment, it is important to first consider the 2023 legislative changes, which introduced the initial reporting duties for "relevant trust arrangements" (1 Section 5 para. 1 item 3a WiEReG). A trust arrangement qualifies as relevant—and therefore subject to mandatory reporting—if:

• the trustee or trustor qualifies as a beneficial owner of the reporting legal entity; or
• the trustee or trustor qualifies as a beneficial owner of the ultimate parent entity; or
• the trust relationship establishes the control chain at an intermediate level; or
• the trust arrangement alters the nature and/or extent of a beneficial owner's interest.

A preliminary condition for the new reporting obligation regarding "relevant trust arrangements" is the identification of the actual direct or indirect beneficial owners. Consequently, this requirement is never met in cases of subsidiary reporting concerning members of the highest management bodies of a reporting entity.

The situation is different when a trust arrangement exists at an intermediate level of the ownership structure, for example between two legal entities, and results in a natural person qualifying as a beneficial owner. Under the previous legal framework, such arrangements did not have to be disclosed. Following the recent amendment to the WiEReG, however, they must now be reported as relevant trust arrangements.

Moreover, as of 1 July 2024, such trusts must be reported in the register, reflecting a legislative intent to enhance transparency in private asset structures.

This reform also anticipates core elements of the EU AML package, particularly regarding trust function-holders and abstract beneficiary classes (Begünstigtenkreise)—a requirement that Austria is implementing well ahead of the EU's 2027 deadline.

3. Breaking new ground: reporting even non-relevant nominee agreements (BGBl I 151/2024)

While the 2023 amendment marked a significant step forward, the most recent amendment adopted in 2024 further broadens the regulatory scope. Section 2a of the WiEReG introduces the legal term "nominee agreement", which is effectively aligned with trust-like arrangements under Austrian law. Where a trustee acts as owner or in a designated function for another party, the trustee is considered the nominee and the trustor the nominator. Section 2a(2) clarifies that a person does not qualify as a beneficial owner merely by acting as a nominee or nominee director.

Section 4a of the WiEReG establishes comprehensive obligations for nominees and nominee directors. They are required to identify the nominator and, where the nominator is a legal entity, also its beneficial owners. This information must be documented, retained and made available to the legal entity they represent and, upon request, to obliged entities and authorities.

In line with the reporting obligations for "relevant trust arrangements" introduced by the previous WiEReG amendment, the new provisions now extend these duties to "relevant nominee agreements". Nevertheless, this extension is not intended to significantly broaden the scope of the disclosure requirements that have applied since July 2024 to trust arrangements giving rise to beneficial ownership.

However, as the headline suggests, the central innovation of the reform lies in the following measure:

3.1 Key innovation under Section 5(1)(3b) of the WiEReG:

Every nominee arrangement involving an Austrian legal entity must be reported, regardless of whether it is relevant for establishing beneficial ownership.

This bold move implements the FATF's "transparency option" over alternatives such as licensing or outright prohibition of nominees.

Implications:

• Nominee arrangements must be disclosed even without economic influence.
• Detailed personal data of both nominee and nominator must be filed.
• Only nominee chains further up the ownership structure may qualify for exemption.

This represents a marked departure from prior practice and aligns Austria's framework with the FATF's 2023 expectations.

3.2 No one left behind: even exempt entities must report

Previously, certain legal entities were exempt from reporting under Section 6 of the WiEReG. This carve-out has now been narrowed significantly. In future, such entities must report if a nominee agreement exists — even if it does not give rise to beneficial ownership.

4. The stakes are high: expanded financial offences under Section 15 of the WiEReG

The latest amendment to the WiEReG also expands the existing penalty provisions under Section 15 to explicitly include nominees, nominee directors and nominators alongside beneficial owners. Depending on the financial offences (Finanzvergehen) or financial irregularities (Finanzordnungswidrigkeiten), as well as committing such violations with intent or negligence, fines of EUR 25,000 – 200,000 may be imposed.

5. Austria is making clear that breaches of the new transparency rules can have serious legal and financial consequences. Looking ahead: the age of full disclosure

Austria's rapid legislative pivot marks a transformational moment in transparency law. All trust arrangements, relevant or not, will soon be visible in the beneficial ownership register. This marks a hard shift away from discretion in private structuring toward FATF-aligned openness.

The specific details are still pending publication. Executive guidance (Erlässe) from the Ministry of Finance is expected to provide further clarification regarding practical implementation, compliance requirements and enforcement procedures.

Until then, legal entities and advisors should begin preparing for mandatory transparency by 1 October 2025 by:

• auditing existing trust and nominee structures;
• collecting required data; and
• updating compliance procedures.

Overall, Austria is stepping up as an FATF-compliant jurisdiction, signalling a clear departure from opacity in private asset structures. Given the pace and scope of reform, and no further legislative changes on the horizon, it is reasonable to expect the extended disclosure obligations to enter into force as currently drafted.

years, one might expect that, given the vast volume of personal data being processed today, there would be no ambiguity regarding the processing of personal data in everyday situations. However, as the reality shows, it is still not entirely clear how personal data should be handled in routine matters, such as when processing the personal data of a car lessee from a professional rental company.

Background

The case concerns a complaint filed by M.P. (the "Complainant") against the illegal processing of his personal data by D. sp.k. (the "Rental Company") in connection with a car rental agreement dated 11 March 2018. The Complainant alleged that the Rental Company unlawfully stores and shares copies of his ID card and driving licence. 

The Complainant tried to find out who was using his data but was unsuccessful. He sent a request to the Rental Company demanding the cessation of data processing and deletion of his data. The Rental Company responded that no scans of his documents had been made, and that only the data voluntarily provided during the signing of the contract (first and last name, address, ID number, driving licence number, phone number) were processed, and that they are used in the vehicle rental management system. 

After receiving the complaint from the Complainant on 6 August 2019, the President of the Personal Data Protection Office ("UODO") ordered the Rental Company to delete the Complainant's personal data (first and last name, address, document numbers), as there was no legal basis for further processing. The Rental Company referred to Article 6(1)(f) of the GDPR (legitimate interest—protection against potential claims), but the UODO concluded that no claims existed to justify this. The Complainant did not initiate any legal proceedings, nor did the Rental Company make any claims against him. 

As a result, the Rental Company appealed to the Provincial Administrative Court ("WSA"), which dismissed the appeal, ruling that processing data "just in case"—solely for potential future claims—does not meet the legality criteria under the GDPR. Since the Complainant did not consent to further processing, and the Rental Company did not provide any other legal basis, the UODO had the right to order the deletion of the data. 

Following the defeat at the first instance, the Rental Company filed a cassation complaint against the WSA judgment, challenging it in its entirety. The main allegation made by the Rental Company concerns the incorrect interpretation of Article 6(1)(f) of the GDPR. In its view, the WSA wrongly concluded that this provision does not allow the processing of personal data to protect against potential claims arising from a prior legal relationship (the rental agreement). The Rental Company argues that even if such claims only materialise in the future, there is a legitimate legal interest in processing the data for protection against them. 

Proceedings before the Supreme Administrative Court

The Supreme Administrative Court ("NSA") examined the issue of further processing the Complainant's personal data by the Rental Company after the car rental agreement had been completed. 

(i) Personal data (first and last name, address, ID number, driving licence number, phone number) were voluntarily provided when the agreement was signed. 

(ii) The data were lawfully processed based on Article 6(1)(b) of the GDPR (performance of the contract), but this basis ceased once the contract was completed. 

(iii) After receiving the Complainant's letters requesting cessation of data processing, the Rental Company also lost the legal basis for processing under Article 6(1)(a) of the GDPR (consent). 

Next, the NSA considered the possibility of further processing of the data based on Article 6(1)(f) of the GDPR (legitimate interest of the data controller), referring to Recital 50 and Article 6(4) of the GDPR. The NSA reached the following conclusions:

(i) After the completion of the car rental agreement, further processing of personal data can only be justified for a short time, needed to detect any damages that occurred during the rental period. 

(ii) In this case, no damages or claims were identified that would justify further data processing. 

(iii) The Rental Company failed to demonstrate the existence of any legitimate grounds for seeking claims against the Complainant. 

(iv) In this case, even the potential possibility of a future dispute does not justify the right to process data "just in case", especially when the relationship between the parties has ended, and no new circumstances have arisen suggesting the continuation of the relationship between the Rental Company and the Complainant. 

(v) Additionally, the limitation period for claims had long passed by the time the decision of the President of UODO was issued, in the case of a car rental. 

As a result, the NSA concluded that there were no grounds for further processing the Complainant's personal data, and the Rental Company unsuccessfully attempted to invoke Article 6(1)(f) of the GDPR.

Accessibility is not only a matter of inclusivity—it is a legal obligation with a rapidly approaching deadline. By 28 June 2025, all EU Member States must implement the provisions of the European Accessibility Act (EAA), which seeks to harmonise accessibility requirements for certain products and services across the EU. In Austria, the EAA is being transposed into national law through the Austrian Accessibility Act (Barrierefreiheitsgesetz, BaFG). This Act will enter into force on 28 June 2025, obliging businesses to comply with accessibility standards for products and services, including websites and mobile applications. This legal framework is intended to remove barriers for people with disabilities. Non-compliance may lead to legal consequences, reputational harm and financial penalties

1. Which products and services are affected by the Austrian Accessibility Act?

The Austrian Accessibility Act applies to the following products or services placed on the market or provided after 28 June 2025.

·       Affected products include: consumer general purpose computer hardware systems and operating systems (such as PCs, smartphones or tablets), certain self-service terminals (such as payment terminals, ATMs, ticket vending machines and check-in machines, as well as interactive terminals providing information), consumer equipment with interactive computing capability used for electronic communications services or for accessing audiovisual media services (such as routers and modems, smart TVs, set-top boxes and game consoles) or e-book readers.

·        Affected services include: certain electronic communications services (such as internet access services or online messenger services), certain services providing access to audiovisual media services (such as websites and apps), certain elements of passenger transportation services by air, bus, rail and ship (such as websites, mobile applications, electronic tickets, real-time travel information and interactive self-service terminals (with exceptions)), consumer banking services, e-books and dedicated software and consumer e-commerce services (including online-booking tools)

Transition periods (Section 37 BaFG): Service providers may continue to provide their services using products that were lawfully used by them to provide similar services before 28 June 2025 for the same or similar services, until 27 June 2030. Products placed on the market before 28 June 2025 and used to provide services are exempted from the accessibility requirements, unless they are replaced during the transitional period.  Self-service terminals lawfully used by service providers before 28 June 2025 may continue to be used in the provision of similar services until 28 June 2040, but for no longer than 20 years from their initial use.

2. Who is affected?

The scope of obligations depends on the entity's role in the supply and distribution chain (see Sections 9–16 BaFG). The law primarily affects manufacturers, importers and distributors, as well as service providers, both public and private.

Micro-enterprises (fewer than 10 employees and annual turnover or balance sheet total of less than EUR 2m) are partially exempted from certain obligations.

3. What are the key requirements under the Accessibility Act?

Products and services must be accessible to people with disabilities. They must be usable in a non-discriminatory, understandable and effective manner. Specific accessibility criteria are listed in Annex I of the Austrian Accessibility Act (with non-binding examples available in Annex II of the EAA).

In addition, service providers using self-service terminals are required to provide information about the publicly accessible physical environment, for instance through their websites. 

4. Consequences of non-compliance

The Austrian social minister service (Sozialministeriumservice, an agency of the Ministry of Social Affairs) is responsible for monitoring compliance (Sections 21–33 BaFG) and initiating administrative criminal proceedings. While the principle of "guidance before sanction" will apply to first-time or minor infringements, fines of up to EUR 80,000 may be imposed (Section 36 BaFG).

Conducting a data protection impact assessment is one of the key responsibilities of a data controller when the planned processing operations are likely to result in a high risk to the rights or freedoms of natural persons. The Polish supervisory authority provides guidance on when such an assessment should be carried out, especially when using artificial intelligence.

The Polish supervisory authority notes that, due to the rapid development of technologies such as artificial intelligence and their evolving applications, the DPIA is becoming a key element of the personal data protection framework. In subsequent phases of the AI system lifecycle, personal data may be processed for various purposes and using diverse means, which may give rise to different risks for data subjects. As a result, it may be necessary to carry out a data protection impact assessment at different stages of the development or deployment of the AI system.

As the authority emphasises, an important element in the development phase of artificial intelligence systems is the creation of a training dataset and its subsequent use. If this dataset includes personal data, when assessing whether a DPIA is required, it is particularly important to consider the following criteria: processing of special categories of personal data, including the analysis of "behavioural data" and data related to criminal convictions and offences; processing of biometric data exclusively for identifying a natural person or for access control purposes; processing of genetic data; processing data on a large scale; conducting comparisons, evaluations or inferences based on data analysis obtained from various sources; and innovative use or application of technological or organisational solutions.

The need to carry out a DPIA should also be considered if the creation of a training dataset may significantly impact natural persons, especially when the data processing could lead to discrimination, pose a security breach or result in improper use of the data.

The Polish authority also provided examples of operations where conducting a DPIA will be required:

• the use of AI tools by a hospital supporting diagnostic imaging, which detects pathological changes and generates examination reports;
• assessing creditworthiness using artificial intelligence algorithms;
• the use of customer profiling systems for transport services and dynamic pricing based on the profile;
• the use of monitoring systems to manage traffic, enabling detailed oversight of the driver and their behaviour on the road, particularly systems that allow automatic vehicle identification.

The guidelines also emphasise that the processing of data for the purpose of creating and deploying high-risk AI systems, as understood under the AI Act, is likely to result in a high risk to the rights or freedoms of natural persons and therefore requires a data protection impact assessment. The entity using a high-risk artificial intelligence system when carrying out a data protection impact assessment will be able to use the information provided by the supplier of such a system in accordance with Article 13 of the AI Act.

You can review the authority's guidelines here: https://uodo.gov.pl/pl/598/3617

Here you can find list of operations requiring a DPIA: https://monitorpolski.gov.pl/M2019000066601.pdf