Contributed By Luther Rechtsanwaltsgesellschaft mbH (Cologne)
Market developments in IT outsourcing include an increasing tendency for service providers to position themselves as drivers of innovation. We observe increasing numbers of combinations of outsourcing and software as a service (SaaS) and/or cloud services. IT outsourcing projects also place greater focus on ancillary services such as HR management/administration, sourcing and data analytics.
In business process outsourcing, we observe that initial fixed durations tend to be shorter than in the past, which puts the provider under some pressure in terms of the amortisation of investments. Further, it seems that customers are requesting models wherein the provider works with equipment provided by the customer (the 'operator model').
Frankly, most projects seem simply to ignore new technological developments such as AI, robotics, blockchain and smart contracts, since the reasons for an outsourcing decision (first generation) are driven by other considerations. However, in Germany we expect to see more and more machine-to-machine (M2M) communication, along with the upcoming digitisation of insurance companies and banks. In other segments, such as supply chain, major parts of processes are partly or fully automated. We assume that this will lead to a significant increase of the IT-related share of projects, even in the case of those which are not expressly concerned with IT outsourcing.
New technologies such as M2M communication and the development of IT structures with flexible networked systems increase efficiency and quality. For companies, digital work means greater flexibility through the cloud, an increase in mobile applications and end devices, increasingly on a global scale and without time limits. The new technologies also have an impact on user and product searches, on research and object marketing as well as on transaction management. The increasing speed of development will mean that providers will more frequently be required to adapt their services during the term of a contract. Accordingly, careful negotiation of contracts with regard to change requests is of the essence.
In some specific markets we observe a kind of consolidation. Providers concentrate on big projects like showcases and are willing to invest in order to gain market share, irrespective of profitability. We are already seeing instances where what seems to be a comfortable situation for the customers at first glance leads in the end to quality issues and risk of premature exits from bigger projects.
Because IT and data are a key factor for productivity, data analytics services and data management services are becoming more and more important for providers.
With regard to commercial outsourcing, we observe a number of highly sophisticated remuneration models, combining an open-book approach with a bonus-malus scheme dependent on the achievement of productivity targets.
Finally, customers are trying to keep better control by providing key assets on their own, in order to make a transition to another provider easier.
Apart from specific sectors such as healthcare and banking and finance, and excepting a number of rules protecting employees’ rights, German law allows parties comparative freedom in how they choose to structure an outsourcing project. If and as far as an outsourcing concerns personal data (as is almost always the case), specific rules need to be obeyed under the data protection framework, namely the GDPR, which applies throughout the EU.
General civil law (civil code/commercial code) is relevant for fundamental aspects such as performance, consideration, warranty and liability. An outsourcing project is made up of an abundance of individual services that must be assigned to the contract types regulated in the German civil code (BGB):
If the outsourcing provider is contracted to achieve a specific goal, the law on contracts for work and services applies. If, however, it is only contracted to perform one action, ie, merely to make an effort (eg, to operate a call centre), the service is assessed in accordance with the provisions of the service contract. Accordingly, contracts should provide for clear language as to expectations and consequences in cases of poor performance or failure.
Cloud computing (the outsourcing of in-house computing processes to external service providers) is already being used by numerous financial institutions, particularly in the banking sector. Because this involves the outsourcing of sensitive information processing, financial service providers must not only comply with the legal requirements of the GDPR; in the banking sector, §25a of the German Banking Act (KWG) and §17 of the German Money Laundering Law (GWG) must also be observed. These provisions contain obligations under banking supervisory law to introduce more precisely defined security systems that guarantee security when outsourcing sensitive information processes. For IT security, a proper business organisation must be in place, in particular appropriate and effective risk management. Another legal source for the protection of information technology is the IT Security Act (BSIG). According to §8a paragraph 1 S1 of the BSIG, operators of critical infrastructure must take appropriate organisational and technical precautions to avoid disruptions to the availability and confidentiality of their information technology systems. Infrastructure from sectors such as energy, finance and insurance as well as information technology and telecommunications is regarded as potentially critical.
Apart from those relating to outsourcing in the supply chain or logistics, a number of sector-specific legal restrictions establish specific measures to be obeyed by the provider, for example in the storage of food or medicine. Since customers remain responsible for any non-compliance by the outsourcing provider, it is of utmost importance to include such measures in the contract.
When processing data, it must be taken into account whether the outsourcing involves a data transfer or whether there is only a so-called order processing. The concept of data transfer is regulated in Article 4 paragraph 2 of the GDPR. During order processing, personal data are disclosed by the responsible office to other persons or third parties. In the case that the provider undertakes data processing on behalf of the customer as data controller, it is mandatory to conclude a separate data processing agreement in accordance with Article 28 of the GDPR.
For the legality of data transfer outside the EU or EEA, the general principles of Article 44 of the GDPR must be observed. If data leaves the scope of EU data protection law, there is a risk of unrestricted use of the data in the country of the recipient as well as uncontrolled return to the EU. For the transfer of personal data to a recipient in a third country, the transfer must not only comply with other provisions of the GDPR (eg, an appropriate level of protection), but at least one of the conditions of authorisation in Articles 45 to 49 of the GDPR must also subsist.
According to Article 84 of the GDPR, sanctions for violations of the data protection framework must be effective, proportionate and dissuasive. Depending on the circumstances of the individual case, fines are imposed in addition to or instead of measures pursuant to Article 58 paragraph 2 of the GDPR. Such measures may include, for example, reprimands; instructions to adapt data processing to legal requirements; and/or temporary or definitive prohibition of data processing. There is a catalogue of criteria in Article 83 paragraph 2 a-k of the GDPR for the assessment of sanctions. The maximum fine amounts to up to EUR20 million, or up to 4% of the total annual turnover achieved worldwide in the previous financial year, whichever is the higher. Here it is worthy of note that the annual turnover of the entire group and not that of the individual legal entity applies. Further, it should be noted that breach of data protection law will commonly be interpreted as unfair competition, entitling competitors to take legal action (including compensation of damages).
On the one hand, the provider must undertake to comply with specific technical and organisational measures and tolerate audits with regard to compliance. Contracts need to provide for detailed descriptions of the deliverables of the provider. On the other hand, customers are often unable to clearly define their demands, which sometimes leads to conflicts in practice.
In a standard supplier customer model of outsourcing, a framework agreement is often agreed which is kept very general and regulates the basic rights and obligations of the parties, such as general principles for the provision of services and the obligation to co-operate in general, warranty, liability, contract and conflict management, and duration. In statements of work or service descriptions, the individual services and the phases/milestones of the outsourcing are specified in detail. Service level agreements with detailed key performance indicators are used to measure the quality of the service, and to ensure the quality, reliability and availability of the contractually agreed services.
The classic model of a service agreement with a remuneration based on unit prices (sometimes with some fixed components or minimum units to be paid by the customer in any case) still seems to be the standard model. However, the latest developments show an increasing use of the joint-venture model, in order to ensure the customer’s control and influence as well as transparency. As stated above, one major trend is the use of innovative remuneration models combining demand for increased productivity and continuous improvement on the one hand with a requirement for costs coverage and margin on the other.
In some sectors, such as logistics/supply chain, '4PL models' have been used in some projects. In the course of these, the provider does not necessarily perform the services on its own or by means of sub-contractors, but rather organises, manages and improves the structure of a number of third-party providers. Joint-venture structures also continue to be used for complex outsourcing projects.
In regard to remuneration, there are still models in place according to which the provider receives a percentage share of the net sales of the customer. However, such share is strictly bound to certain assumptions and in the end may produce more uncertainty than intended.
In most cases, indirect areas or service departments that provide internal services are bundled in a shared service centre. This is still the case, for example, in the areas of personnel administration (payroll, travel expenses, sourcing), accounting or IT services. However, it can be observed that in recent years the wish to save costs has seen a downward trend in the use of captives and offshore shared service centres, due to the fact that costs can also be saved onshore through the use of IT and digitisation. Overall, we expect that customers will be more reluctant with captives, and will instead increasingly choose to bundle services in onshore shared service centres.
To list all the possible measures for customer protection would go beyond the scope of this contribution. Some typical measures are:
In practice, we observe that some customers tend to push too hard in this regard, resulting in a provider making losses and accordingly decreasing service quality. The key to effective customer protection seems to be a good balance and understanding of both parties’ needs.
IT outsourcing contracts usually have a fixed initial term, due to the initial investment that the IT outsourcing provider has to make for the implementation. In the long term, an automatic extension of the contract is often provided for, unless one party terminates the contract at a certain point in time. Typical fixed terms are three to five years in duration, in larger projects five to seven years, with break options (against compensation of non-amortised investments).
However, the right to terminate for cause ('aus wichtigem Grund') cannot be excluded even during the fixed term. According to §314 of the BGB, either party may terminate for cause without observing a period of notice (extraordinary termination). According to §314 paragraph 1 S2 of the BGB, such cause only exists if the terminating party cannot reasonably be expected to continue the contract until the agreed termination. It is worthy of note that a prior warning letter is regularly mandatory and courts require a somewhat severe breach of obligations. The customer's termination rights are frequently encountered in the event of serious violations of service levels and in the event of a serious deterioration in the provider's financial situation. It is advisable to specify examples of when a termination can be considered. In addition to the severity of the breach, the significance of the service level for the course of business must also be taken into account. In any case, extraordinary termination must remain the last resort. Sanctions in the form of contractual penalties or lump-sum damages shall take precedence. With regard to an extraordinary termination by the provider, payment default by the customer should be considered in particular.
Under German law, a limitation of liability both in terms of amount and differentiation according to the type of damage (direct and indirect damage) is contained in very few special provisions, for example in the area of logistics. In general, German law is not aware of the Anglo-Saxon distinction. Rather, the person responsible has to compensate all damages which have arisen causally through a breach of duty. However, contributory negligence of the injured party may have to be taken into account (§254 of the BGB).
With regard to the type of damage, according to the statutory regulation (defect and consequential damages), unlimited and comprehensive damages are included. This includes in particular consequential damages such as loss of profit. According to the legal logic, those damages are also to be compensated in, eg, the event of a standstill of the production line.
Since, however, this would be completely out of proportion for the provider of the outsourcing, limitations of liability are very common and also appropriate. The provider has a legitimate interest in modifying the legal situation in such a way that a reasonable limitation of liability is agreed upon. Market practice is that the obligation to pay compensation for typical operating risks such as loss of profit or goodwill is excluded or at least limited, and that the limit will be calculated by way of a percentage of the provider’s turnover with the business.
Very far-reaching limitations of liability can be made in contracts and it is also quite common (unlike in Anglo-Saxon contracts) that liability is also limited in cases of gross negligence. In this respect, it should be pointed out that the German courts tend to assume gross negligence quite easily. In 'general terms and conditions' (ie, contracts which were not negotiated), such limitations of liability are only possible within very narrow limits. In the market, however, the liability regulations are negotiated individually (for good reasons, since every project is different).
German law provides for a number of reliable implied terms, even if the parties do not explicitly agree on a contractual provision. See 3.1 Standard Supplier Customer Model, above, regarding basic legal framework.
As is the case for other countries in the EU, TUPE regulations apply for a transfer of undertakings, which have been implemented in German law in clause §613 of the BGB. Notably, whether or not there has been a transfer of undertakings depends on the individual case. German courts tend to be more likely to assume such a transfer rather than to reject it, although determination is very difficult and subject to the specific structure of the project. As a consequence, if there is a transfer of undertakings, the provider automatically assumes all employment contracts for the employees involved (unless the employees object to the transfer). The economic effect may be enormous and accordingly the TUPE regulations need explicit attention in the commercial and legal negotiation.
A distinction must be made between the transfer of an undertaking and the provision of temporary workers. The provider provides the customer with the manpower of its employees without the employment relationship being transferred to the customer or the customer concluding an additional employment contract with the employee concerned. The parties regulate the instruction authority vis-à-vis the employees contractually. As a rule, however, the customer can exercise this authority without restriction. In Germany, the model of employee hiring is regulated by the Temporary Employment Act (AÜG). For example, in order to protect the employees concerned, the provider requires a permit in accordance with the Law on Temporary Employment. Using temporary workers requires a number of formal processes to be strictly obeyed by both customer and provider, and the customer may be held responsible for the provider’s default.
If an intended outsourcing leads to an operational change ('Betriebsänderung') in the establishment, the employer must negotiate a balance of interest ('Interessenausgleich') and a social plan ('Sozialplan') with the works council, in accordance with section 111 of the Works Constitution Act ('Betriebsverfassungsgesetz'). Such an operational change could be a splitting-up of the establishment (concerning the outsourcing establishment) or the merging of establishments or parts of it (concerning the insourcing establishment). An outsourcing does not have to be negotiated with a union in every case. However, depending on the importance of such outsourcing and the potential effect on whether or not collective bargaining agreements would still be applicable to employees, it might help to involve a union.
If there is a transfer of undertakings, the provider usually takes over the personnel and in the contract the parties agree to treat each other accordingly. Most likely the employees do not object to the transfer, since otherwise they risk losing their employment. However, in practice parties sometimes try to structure the outsourcing in such a way that there is not a transfer of undertakings (by changing the 'identity' of processes).
If there are assets to be transferred, there are generally two models in place: either the provider takes over the assets by way of purchase (without warranties and at a purchase price usually determined by residual book value) or the customer provides the assets at its own cost. In any case, parties need to determine how to deal with damages to the assets, and the costs of maintenance and later investments.