IT outsourcing covers several different aspects of services, such as digital workspace (often referred to as end user services), data centre services (at times referred to as application operation or IT infrastructure services), application management, application development and maintenance, SIAM services and network services.
For the majority of these services there has been no major development and services continue to be provided more or less as they have been over the last ten years.
The real development is within IT infrastructure and SIAM services.
IT infrastructure or data centre services are being revolutionised and commoditised through the use of cloud services from MS Azure, AWS and Google. This means that the number of servers in vendor specific data centres is rapidly decreasing and that the well-known data centre outsourcing model is being replaced. A data centre provider will, today, mostly serve as a “cloud broker” or manager/enabler of public cloud environment, instead of providing the infrastructure services itself.
In many agreements, the complex and risky part is the transition and transformation to a public cloud environment and securing the expected savings rather than the daily delivery of data centre services.
For some years now, SIAM was heavily hyped, but most companies would keep service integration in-house. SIAM is now becoming a service that is available through most leading global providers and which is contracted for as part of IT infrastructure outsourcing arrangements.
The Danish market has been exceptionally slow in taking up outsourced BPO services. There are probably fewer than 15 major agreements. Considering that Denmark is one of the most mature and fully penetrated markets for IT outsourcing, this may be surprising. The explanation is, to some extent, language barriers and the fact that the use of shared service centres in a captive model is exceptionally pervasive. In other words, for the BPO market to boom, major companies will need to partly or fully divest existing shared service centres in order to harvest the potential of third-party outsourcing. While the business case for such divestment and outsourcing can readily be made in most cases, the decision process, after having invested heavily in building up large shared service centres, is often difficult.
New technology is impacting how outsourced services are being provided, which services are being sold and the underlying costs of producing services.
Many outsourcing providers market AI or data driven services as separately payable, value adding services to the core outsourcing services. Mostly, these additional services require upfront investments and implementation activities. So far, the results of these initiatives, in the realm of IT infrastructure outsourcing, seem to be meagre.
Dealing with robotics remains a question of strategies. Should the customer side license or control robotics, and thereby be able to change the operating service providers flexibly, or use the robotics offerings on an "as a service" basis offered by BPO providers, but then suffer from the associated technological lock-in? The choice of strategies will decide issues such as who is liable for the robotics, who will bear the risk of achieving expected efficiency gains and who will bear the investments.
There are no other major market trends affecting outsourced services to any significant extent.
Except for the financial industry (see 2.2 Industry Specific Restrictions), Danish law does not directly regulate outsourcing.
However, outsourcing transactions may – and will often – involve activities which are regulated under Danish law. Below, we have summarised the main areas subject to specific legislation.
Public Procurement Act
Outsourcing within the public sector will be subject to the Danish Public Procurement Act (Act no. 1564 of 15 December 2015 on public procurement, which implements directive 2014/24/EU of the European Parliament and of the Council of 26 February 2014 on public procurement) as amended. The purpose of the act is to establish the practices for public procurement and to optimise use of public funds through effective competition. The default position is that any outsourcing transaction within the public sector will be subject to a public tender process in accordance with the Public Procurement Act.
Danish Data Protection Act, GDPR and the “War Rule”
As the majority of outsourcing transactions involve outsourcing of activities in which the outsourcing provider shall process personal data, most outsourcing agreements implement and are subject to GDPR. For further information, see 2.5 Contractual Protections on Data and Security.
Further, Section 3(9) of the Danish Data Protection Act (Act no. 502 of 23 May 2018 on supplementary provisions to the regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data) entitles the Minister of Justice to lay down rules to the effect that personal data which is processed in specified IT systems and kept for public administrative authorities must be stored, in full or in part, exclusively in Denmark (the “war rule”). The “war rule” applies only to IT systems which are purchased by public authorities and which entail the processing of personal data.
The application of the “war rule” means that the underlying infrastructure, transformation components, databases and encryption keys of the IT solution must not leave Denmark because of the risks associated with the systems (based on the factors of the above risk assessment). The war rule thereby effectively restricts certain types of outsourcing transactions, eg, the use of cloud-based service providers such as Microsoft Azure and Amazon Web Services (AWS) for IT solutions deemed subject to the war rule.
Act on Employees’ Rights in the Event of Transfers of Undertakings
As most outsourcing transactions involve the transfer of employees from the company to the outsourcing provider, the transfer of these employees will be subject to the Danish Act on Employees’ Rights in the event of Transfers of Undertakings (based on Act 1979 111, which was later amended by Act 2001-06-04 no 441, which implemented Council Directives 77/187/EEC of 14 February 1977 and 2001/23/EC of 12 March 2001 on the approximation of the laws of the Member States relating to the safeguarding of employees' rights in the event of transfers of undertakings, businesses or parts of businesses). For further information, see 5 HR.
The Danish Bookkeeping Act
Finally, if the outsourcing transaction involves storage of bookkeeping material, the company must ensure that the outsourcing provider complies with the Danish Bookkeeping Act (Consolidated Act no. 648 of 15 June 2006 on bookkeeping), including, in particular, that all accounting records must be kept and stored for five years.
The Danish Executive Order on Outsourcing of Significant Areas of Activities
If a financial undertaking (including also a provider of insurance services) decides to outsource a significant area of activity to an outsourcing provider, the financial undertaking must ensure that the outsourcing undertaking complies with the Danish Act on Financial Business (Consolidated Act no. 457 of 24 April 2019 on Financial Business), including the Danish Executive Order on outsourcing of significant areas of activities (the “Outsourcing Order”) (Consolidated Act no. 1304 of 25 November 2010 on outsourcing of significant obligations of a financial undertaking, as amended with Consolidated Act no. 1737 of 19 December 2017 and no. 23 of 4 January 2019).
The Outsourcing Order sets out specific requirements to the outsourcing agreement and outsourcing provider. The main purpose of the Outsourcing Order is to ensure that the financial undertaking remains liable for the activities subject to the outsourcing, and to ensure that the outsourcing provider possesses the right abilities and capabilities to deliver the outsourced services, including that the outsourcing provider complies with all relevant legislation relating to the outsourced services.
According to the Outsourcing Order, the financial undertaking shall – on a continuous basis – check that the outsourcing provider complies with its obligations under the outsourcing contract and any relevant legislation.
If the outsourcing provider fails to comply with its obligations under the outsourcing contract or relevant legislation, the financial entity shall exercise all relevant steps in order to ensure that the outsourced activities are provided in a manner which complies with all relevant legislation. This may include insourcing of the outsourced activities to the financial undertaking, or a transition of the outsourced activities to a new outsourcing provider.
In order for the financial undertaking to be able to monitor the outsourcing provider’s compliance with its obligations under the outsourcing agreement and applicable law, the Outsourcing Order requires that the outsourcing provider shall report and notify the financial undertaking on any matter which may affect the outsourcing provider’s ability to continue its provision of the outsourcing activities in compliance with applicable law.
The regulatory restrictions on data processing and data security are set out in the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of this data, and repealing Directive 95/46/EC) (the “GDPR”) and the Danish Data Protection Act, which supplements the GDPR by setting out specific national rules on the processing of personal data.
Transfer of Personal Data
In Denmark, the transfer of personal data outside of the EU/EEA is regulated by the GDPR. Thus, in an outsourcing context, transfers of personal data between a Danish customer and a supplier or sub-contractor that processes personal data outside of the EU/EEA are generally made in accordance with the GDPR by the use of the European Commission’s standard contractual clauses, to be entered into between a data controller (the data exporter) and a data processor (the data importer) (Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (notified under document C(2010) 593)).
The War Rule
The Danish Data Protection Act provides an option for the Danish Minister of Justice, in consultation with the competent minister, to lay down rules to the effect that personal data processed in specified IT systems and kept for public administrative authorities must be stored, in full or in part, exclusively in Denmark. This right is known as the “war rule”, which was also part of the previous Danish act on processing of personal data. It must be noted that this rule only applies to public sector customers and not to private entities.
The Danish Minister of Justice, in June 2019, sent out a draft executive order on the war rule and the relevant parties were invited to provide their comments by 30 August 2019. We are, therefore, expecting that the executive order will soon enter into force. According to the executive order, a few named IT systems will be covered by the war rule, requiring that the IT system must be hosted on servers located in Denmark. Further, when making new purchases or re-purchases, the public sector must assess the risks of national security associated with the processing of personal data in the system and potentially ask the Danish Minister of Justice to make a final assessment of whether the system must be added to the list of systems covered by the war rule.
The penalty for non-compliance with the GDPR in respect of transferring personal data to a country outside of the EU/EEA without complying with the requirements of the GDPR for the transfer is an administrative fine of up to EUR20 million, or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Non-compliance with the war rule under the Danish Data Protection Act is subject to a fine.
In outsourcing contracts, we see that ownership of data is now being regulated more tightly than was previously the case. Additionally, many suppliers are requesting the right to use data to further develop products, etc, without continually ensuring that this data does not contain any personal data (or is at least anonymised in accordance with any instructions given by the customer to ensure the supplier does not have any responsibility as data controller towards the data subjects).
With the entering into force of the GDPR, audit rights have become an increasingly important topic and customers are looking for a way to easily audit their suppliers. Thus, suppliers are often met with a requirement to provide sufficient audit reports to document GDPR compliance (especially on implementation of sufficient security measures), such as an ISAE3000 report.
In Denmark, there are only agreed documents (or quasi-agreed standards) for public procurement contracts. So far, there has been no standard contract for computer management or IT infrastructure/data centre services. However, a data centre contract, referred to as “K4” is currently in the hearing process and is expected to be released in the autumn of 2019. This contract will be used by public authorities and may affect terms and conditions used on the private market.
From time to time, there have been various initiatives to establish a standard data centre contract. An example is the template available at www.d17.dk. However, this template is not widely used and is rarely used for large-scale business critical outsourcing.
When major companies outsource large and complex IT or BPO services, it is almost uniform practice that the contract bundle, as such, is provided by external law firms, while service descriptions, service levels and price books are provided by consultancies.
The most normal sourcing model remains single sourcing contracts, in which a customer outsources, for example, all its IT infrastructure services to a single service provider. The contracts will typically include transfer of various assets and employees.
During the last ten years, we have seen a trend towards shorter contract terms. In the past, the contract terms would be around five to eight years with an opportunity to extend for a further 12–24 months. Currently, it is more common to see a contract term of three to five years (or even shorter), however, there remains the opportunity to extend for a further 12–24 months.
The most normal commercial models are still a combination of fixed fees (for one-time services such as, for example, the transition services) and a base charge model combining fixed charge elements (eg, cross functional services) and unit prices for all consumption based services. We normally see ARC/RRC models with pre-agreed discount levels.
In respect of termination service charges, we have experienced a shift from trying to include these charges in the base charges (and thereby reduce the cost as much as possible during a tender process) to a model where most of the termination services are based on a time and material fee model. This shift is likely triggered by the customer’s acknowledgement of the fact that the supplier should be kept incentivised to perform such termination services once the agreement has been terminated or has expired.
We see various models being used ranging from single vendor sourcing, simple multi-vendor sourcing to the emerging multi-vendor sourcing model with complex service integration between tailored solutions and commodity services:
During the last five years, we have seen a shift from the traditional single sourcing vendor contracts to multi-vendor sourcing set-ups.
We see that customers are requiring flexible multi-sourcing vendor set-ups, where it is possible – with short notice – to replace services (and the applicable supplier) with services provided by another supplier.
Captives have dominated the BPO for the last 20 years in Denmark, and Danish companies have built a large presence in Poland, other parts of Eastern Europe and in India. As most large companies already have established shared service centres on a captive basis, the growth potential is limited. Today, there may be a slight tendency that companies will closely evaluate hybrid or Global Business Services options before enlarging current operations or establishing new captives. The divestment of shared service centre operations has occurred but has yet to become a market trend.
The customer will – in respect to an outsourcing agreement – normally have a number of protection mechanisms or remedies available to them, in addition to the normal remedies, eg, termination rights and rights to claim damages. Some of the most common “additional” remedies will be described below.
Today, it has become standard to include “fix first, settle later” provisions in the sourcing agreements where the customers are within the private sector. A fix first, settle later provision gives the customer the right to require the supplier to first deliver a service, resolve defects, perform a change proposal, etc, in order to support the customer’s business needs, regardless of whether or not the parties are in agreement. Any disagreements shall then be settled afterwards. Potential disagreements could include whether a service was included in the scope of the agreement or whether the supplier should remedy a defect which the supplier claims is caused by the customer. By introducing a fix first, settle later provision, the supplier will not be able to misuse the customer’s dependence on the continued service provisions as a way to force the customer to accept payment in respect of disputed services.
Further, we often see that the supplier waives its right to suspend the services. In some instances, the waiver of the suspension right will be subject to a maximum amount, subject to dispute. Once the maximum amount has been reached, the supplier can impose suspension of the services. Such compromise is to ensure that the customer does not take advantage of a provision to force the supplier to provide ongoing credits by holding back its payments and forcing the supplier to keep delivering the services.
From a customer perspective, the most important aspect is normally to ensure service continuation even when the customer and the supplier are in a dispute. Therefore, the customer should normally make sure that the supplier is obliged to fix a problem or to allocate additional resources upon delay, even if the problem or delay is caused by the customer, in which case the customer must pay for the remediation efforts applied by the supplier.
Needless to say, it will only be possible to persuade a supplier to accept a waiver of its suspension rights and to apply fix first, settle later provisions during a competitive tender process.
While we previously used considerable time negotiating proactive remedies (step-in rights) schemes, we now see a trend of the market turning away from proactive remedies. Although the intentions of proactive remedies were good, it is our experience that customers rarely use proactive remedies in their management of the supplier, especially since the trend of using multi-sourcing vendor set-ups. This seems to make it a simpler task for the customer just to replace the supplier with a new service provider rather than step into the services.
In general, service levels are still applied in most sourcing agreements, however, we see that the service level methodologies vary to a large extent – from very simple regimes to complex regimes, which allows the customer to amend the service levels by notice and to change and adjust the service level credit allocation percentage for each service level on, for example, a monthly basis. The customer should ensure that service credits are applied automatically (as a credit in the following month’s invoice) and have an audit right to verify the supplier’s compliance with the service levels.
Termination for convenience or specific cause is negotiated between the contracting parties. Under the general principles of Danish law, a contracting party can terminate for material breach (in Danish: “væsentlig misligholdelse”). Material breach generally occurs either in case of a very significant breach or a series of re-occurring breaches adding up to constitute a material breach. While a breach of an outsourcing agreement frequently occurs in practice, a significant event is required to have taken place before a material breach is deemed to have occurred under the general principles of Danish law. Therefore, in practice, material breach is a rare occurrence. In outsourcing agreements, the contracting parties often specify a number of events that constitute a material breach, including, for example, continuous non-performance of key service level agreements (SLAs) over a certain period of time.
The default position under Danish law is that a party can claim full coverage of its losses (direct and indirect) provided that the party can document the loss, that there is a basis for claiming damages, eg, negligent or strict liability and that the loss is deemed foreseeable (in Danish: “adækvat”).
The vast majority of outsourcing agreements will be subject to limitation of liability provisions, setting out a total cap of damages and excluding certain types of losses, eg, indirect losses.
Although there is a distinction, under Danish law, between direct and indirect losses, there is no precise definition of indirect losses versus direct losses, and the definition of indirect losses is often subject to intense discussions, especially when a party has suffered a loss. For example, it has been subject to ongoing discussions whether internal administrative cost is to be considered a direct or indirect loss. We sometimes see that the parties try to predefine certain losses as direct losses.
That said, loss of profit, loss of business and loss of goodwill are typically considered types of indirect losses. In general, costs directly relating to the remedy of the breach itself, or to purchase a substitute service, will normally be considered as a direct loss.
The vast majority of outsourcing agreements also include a liability cap, which is either limited to the total charges paid or payable during a period of, for example, the 12 months leading up to the default, or to the total charges paid or payable under the service order in question.
There are, however, certain situations where it will often not be possible to limit a party’s losses, eg, in terms of death or physical injury, or in cases of gross negligence or wilful misconduct. These situations will often be excluded from the limitation of liability provisions.
In addition, parties (often the customer) will normally try to exclude certain other types of losses from the limitation of liability provisions. These are normally losses based on third-party infringement claims, losses due to breach of the confidentiality obligations and claims based on GDPR breaches.
There is a general duty of loyalty between contracting parties, which entails that each contracting party must care for the other party’s interests. This is recognised as an unwritten principle of Danish law. Similarly, Danish law recognises a principle of prohibition of the abuse of rights.
The Initial Outsourcing
The Danish Act on Transfers of Undertakings (the “Transfer Act”), incorporating EC Directive 2001/23, provides for certain protections for employees in relation to transfers of undertakings.
According to the applicable rules, if the outsourcing constitutes a “transfer of a business or part of a business” within the meaning of the Transfer Act, employees will transfer automatically.
According to EU case law, if an economic entity has been transferred while maintaining its identity after the transfer, the transfer will constitute a transfer of undertaking which will activate the above rules. This also applies in the outsourcing situation. It is crucial to determine whether a change of employer has taken place rather than a change of ownership of the relevant entity or the assets used to carry out the business.
Change of Supplier
If the criteria above are fulfilled in relation to the transfer of a business, a change of supplier might constitute a business transfer.
According to Danish law, this kind of transfer will generally be considered to be two business transfers (from the current supplier back to the transferor and then from the transferor to the supplier).
Termination of an outsourcing arrangement (irrespective of the cause) might also be considered a transfer of business in accordance with the Transfer Act if the above criteria are fulfilled. In this case, employees will be transferred back to the transferor.
The Legal Consequences
Pursuant to the Transfer Act, rights and obligations under individual employment agreements and collective bargaining agreements are automatically transferred to the transferee in the event of the transfer of a business or part of a business. The transferred employees are, therefore, continuously entitled to their existing benefits.
The Transfer Act does not, however, entail the transfer of rights to old age, invalidity or survivor’s benefits. This being said, the transferee will still enter into the obligation to pay pension contributions. Although it is very uncommon in Denmark that an employer has an obligation to pay benefits, pension schemes are usually defined contributions which means that the employer is obliged to pay the pension contributions in question.
Furthermore, the transferee is considered as having adopted the transferor’s collective bargaining agreements, unless the transferee gives notice to the unions within a certain timeframe after the transfer date.
If, in connection with the transfer, the employees’ working conditions are materially changed to the detriment of the employees, the employees may choose to consider themselves dismissed. Consequently, they may terminate their employment, without notice, from the date on which the change has come into effect.
According to EU case law an employee may, as part of their fundamental rights, choose not to be transferred to the transferee. In this case, the employee will be regarded as having terminated their employment as of the date of the transfer.
After the transfer, as a main rule, only the transferee is liable towards the employees for financial obligations following from the employment before the transfer.
According to the Transfer Act, the transferor must, in due time before the transfer, inform the employees’ representatives of:
In addition, employers with at least 35 employees are obliged to inform and consult the employees before a final decision on the outsourcing is made. The obligation to inform and consult is set forth in the Danish Act on Information and Consultation of Employees and/or applicable collective bargaining agreement. However, the duties to inform and consult are substantially similar.
The purpose of the act is to ensure that the employees are informed, at an appropriate point in time, of issues which are of importance to their employment, and to ensure that employees are consulted on the basis of this information.
In the event of an outsourcing arrangement, there is an obligation of consultation before the final decision on the outsourcing is made. To the extent that the transferee’s employees are also affected by the outsourcing, the transferee has a similar obligation to consult and negotiate.
The procedure above is fairly informal and consultation/information according to the different set of applicable rules may be carried out simultaneously.
Special rules will apply in case of collective dismissals (including collective dismissals as a result of constructive dismissals).
In outsourcing situations, employees are generally outsourced based on the Transfer Act, see 5.1 Rules Governing Employee Transfers. There is, furthermore, a tradition of involving unions and employee representatives throughout the process.
The terms applicable to asset transfer in outsourcing arrangements vary depending on the assets in question.
Transfer of contracts to a new debtor generally requires consent from the creditor, except where the parties have agreed otherwise. With respect to intellectual property rights under a software license agreement, the general rule is that these are not assignable unless the licensor has granted this right to the licensee. The mere operation of software in infrastructure outsourcing generally requires consent from the licensor. For a company seeking to outsource, this means that the company shall obtain consent from all licensors of software that a potential supplier will use to provide services to the company.
Transfer of EU trademarks and EU designs is subject to registration with EUIPO to have effect against a third party. This means that registration of a transfer is not a condition for the validity of the transfer, but if a transfer is not registered by the relevant authority, the successor may not invoke the rights arising from the trademark or design registration. The same is the case with Danish trademark and design registrations, which may be recorded with the Danish Patent and Trademark Office.
Transfers of other intellectual property rights such as copyrights, non-EU trademarks, patents, utility models and non-EU designs do not require any registrations to have effect against a third party. It is generally recommended that parties enter into an asset transfer agreement and ensure registration with the relevant authorities with respect to all registered rights.
Movable property is transferrable without being subject to any formalities. However, motor vehicles must be registered with the Danish Motor Vehicle Agency. For transfer of real estate, a deed of conveyance must be completed for registration with the Danish Land Registration Court.