Dawn raids in Serbia - a switch to digital mode


In an increasingly digital world, the collection and analysis of different types of evidence about alleged anticompetitive practices has become more complex. Competition authorities must be able to gather all the relevant evidence from vast quantities of information stored digitally and exchanged through e-mail accounts, mobile phones, and social networks. The task of collecting evidence has become further complicated by the increasing number of companies moving their IT infrastructure and business operations to a cloud computing environment.

Digital Search

The Serbian Commission for Protection of Competition (“Commission“) carried out its first dawn raid (unannounced inspection) in 2015 and since then it has raided over 15 companies. Since the first raid, the Commission has been willing to search for information stored on digital devices. Being aware of digital trends, the Commission has also invested heavily in strengthening its forensic capacities for gathering credible digital evidence and hence its ability to prove antitrust infringements.[1]

The Commission has wide-ranging investigative powers that include digital searches. With a valid search order, Commission investigators may enter and search a business’s premises, interview its employees and search its records, regardless of whether they are stored in physical or electronic form.

In practice, investigators use IT forensic tools (hardware and software) to search the company’s electronic environment and storage media (e.g. smartphones, desktop computers, tablets, DVDs, USB-keys, etc.). Digital forensics not only allows investigators to review and copy electronic documents and e-mails in bulk, which is sometimes more than justified, but also to recover deleted files.

Investigators may search the company’s electronic devices as well as devices belonging to its employees. The Commission may also search employees’ personal devices if it suspects they are being used for business purposes.

The location of the server where electronic information is stored raises many jurisdictional issues. However, many competition authorities, including the European Commission,[2] have an intrusive approach and deem the location of the information to be irrelevant if the company's employees normally have access to it from the raided premises. This issue is not regulated in Serbia, but we assume that the Commission’s approach does not vary considerably from EU practice.

Keyword search

The Commission will usually start an IT search by asking a company IT specialist to provide technical assistance by blocking individual e-mail accounts,[3] disabling the internal network or providing administrator rights.[4] The company staff may also be asked to disclose passwords or to provide access to any personal electronic devices being used for business purposes.

After gaining access to electronic devices, investigators start mirroring or duplicating data stored on the company’s hard drives. This is also known as the creation of a forensic copy (image). The forensic copy is stored on the Commission’s hard drives so that it can be investigated using keywords searches.[5] This, however, is not considered to be a seizure.

The purpose of the keyword searches is to identify all electronic documents that have probative value. However, keyword searches should not interfere with the company’s right of defence. Investigators should not go on a “fishing expedition”, using search terms and keywords that are not within the terms of the search order. This would be the case if investigators used very broad or irrelevant search terms that led to a large number of hits that had no relevance for the investigation or used search terms that refered to markets not specified as being affected by the alleged infringement in the search order.[6]

In the same vein, as a rule the Commission should not take more than a cursory look at any document that lies outside the search order to confirm such a fact. For privileged documents, the Commission should only look at the headings and not the contents of electronic documents.

The company should object to Commission searches with terms that fall outside the scope of search order or those for privileged documents. The searched terms must be disclosed to the company and specified in the record of inspection.

The documents relevant as evidence are listed in the record of inspection and added to the case file in physical or electronic form. The Commission should delete from its hard drives all other documents copied onto its devices that are not considered relevant at the end of the inspection. As this is not regulated, the company should exercise caution and insist on written confirmation that the Commission has permanently deleted non-relevant files from its hard drives.

Off-site search

Since investigators can produce authentic digital copies, they can inspect the mirrored files and communication after they leave the searched premises. In other words, the raid can be continued at the Commission’s premises (off-site search).[7] In order to prevent the Commission from going into a “fishing expedition” during the off-site search, the company should insist that, upon being created at the raided premises, the forensic copy is sealed in a protective envelope. The company should further insist that its legal advisors are present during the off-site search of forensic images at the Commission’s premises.

Once the review is complete and the selected documents are added to the case file, the forensic copy should be deleted. However, as already mentioned, this matter is not regulated, so the company should demand written confirmation from the Commission that the copy has been destroyed.

Tips for digital searches

One way for companies to prepare for a dawn raid is to organise basic training on dawn raid defence best practices for their IT specialists and other employees. It is also advisable to create a data map and inventory of hardware, so that the cooperation with investigators is smooth and fast. Here is a list of practical tips companies should follow in the event of a dawn raid:


  • Contact their legal advisor and ask the Commission not to begin the inspection before the advisor is present;
  • Check the terms of the search order and the decision on opening the investigation, particularly for details of the products and markets concerned, the type of behaviour and the time period under investigation;
  • Insist that the investigators review and copy only as much of the electronic information stored on the company's devices as seems likely to be relevant for the investigation;
  • Object if the search terms used lie outside the terms of the search order;
  • Insist that your legal advisors are present during the offsite search at the Commission’s premises; and
  • Insist on all electronic documents not added to the case file being returned or deleted.


To bring companies up to speed with digital trends in competition authorities’ dawn raids, CMS has created a unique mobile app “CMS Dawn Raid Assistant” designed to help companies deal with dawn raids.[8] This app offers instructions and guidelines for dealing with dawn raids in 27 European countries, in both English and the local language, and adapted to the particularities of national competition and dawn raid regimes.

[1] For the purpose of digital forensics, the Commission is using EnCase forensic software. To read more about the Commission’s IT forensic capacities see: http://www.kzk.gov.rs/kzk/wp-content/uploads/2015/10/KZK-Konkursna-dokumentacija-NABAVKA-OPREME.pdf

[2] For more detailed information, read the Explanatory note on European Commission inspections pursuant to Article 20(4) of Council Regulation No 1/2003, para. 10.

[3] For an example of this, see the case T-272/12 - Energetický a průmyslový and EP Investment Advisors v Commission, in which the European Commission fined two Czech energy companies because the persons responsible for IT assistance did not follow the instructions concerning the blocking of email accounts.

[4] The Commission allows legal counsel to be present during on-site inspections; however, their presence is not a precondition for the validity of dawn raids.

[5] The forensic image is a bit-by-bit, sector-by-sector direct copy of a physical storage device, including all files, folders, and unallocated, free and slack space. The forensic software supplies a digital image with a digital fingerprint to verify image authenticity, i.e. a HASH number. For example, two files that appear to be the same but differ at bit level will have different hash values. This also means that a file copied from the company’s hard disk and its forensic copy on the Commission's storage device should have the same hash value. The process of creating a forensic image during a dawn raid is finished only upon generating the hash values.

[6] For an example of this, see the case T135/09 Nexans France SAS and Nexans SA v Commission (GC, 14 November 2012), para 64.

[7] There is an ongoing debate in the EU on the legality of off-site searches as well as of mirroring of the company's storage media including entire servers, since that would allow the European Commission to look at documents outside the legitimate scope of the decision. For a more detailed discussion on this subject, see John Lang Temple, ‘Legal problems of digital evidence’, Journal of Antitrust Enforcement 2(1) (2014), pp. 44–68.
[8] To learn more about the CMS Dawn Raid Assistant app, visit: https://cms.law/en/INT/Online-Services/CMS-Client-Services/CMS-Dawn-Raid-App.