Outsourcing 2019 Second Edition

Last Updated October 28, 2019

France

Law and Practice

Authors



Frieh Associés is a leading boutique law firm in Paris, comprised of lawyers who practised many years in reputed international law firms, who made their practice evolve into a Paris-based firm; this approach allows them to be more reachable for their clients, and more focused on their clients’ business and interests. The lawyers of Frieh Associés are able to rely on a solid network of foreign law firms, built over years of interaction and referrals, providing flexibility when putting together an international team. Frieh Associés represents and advises investment funds on leveraged buyout acquisition, venture capital and development capital transactions, as well as industrial and services groups on their equity operations, structuring and negotiation of management packages. The firm’s client base also includes actors of the industrial and manufacturing world, companies of the infrastructure and transport sectors, and players in the fields of life sciences, telecommunications and technology.

Due to the cost reductions it entails for companies, the IT outsourcing market has continued to grow. In particular, “multisourcing” is in development. This trend is not to entrust the entire information system to a single service provider, but rather to divide the project between several service providers according to different criteria (geographical, functional, etc). In this case, it is important to ensure the collaboration of these service providers among themselves through appropriate contractual provisions.

“Offshoring” is also a trend that persists. The consequences of this recourse must also be taken into account when drafting the contract, in particular to anticipate possible hidden cost (linked in particular to communication problems) and to deal with possible international data transfer issues.

Business Process Outsourcing (BPO) aims to outsource company support functions other than IT, such as accounting, logistics, etc. Business Process Outsourcing contracts raise the same issues as IT outsourcing contracts, such as transition and reversibility.

Indeed, outsourcing can create a situation where the client is dependent on the service provider, with a risk of abuse from the service provider. This is why the termination of the contract must be anticipated, in particular (but not only) in the event of a deterioration of the relationship between the service provider and the customer. The reversibility phase is then crucial and must be carefully planned from the outset.

The reversibility of outsourcing, whether it is "re-internalisation" (internal management by the client) or a “transferability” (operation of transfer of technical responsibility from the service provider to a new one), implies that the client regains control over his IT system. In concrete terms, this means that the client must be able to retrieve all his data as soon as possible, and in a usable format. The technical terms and conditions should therefore be specified, as some suppliers could unduly limit the volumes and throughput of information transfers in the event of reversibility, which could make it impossible in practice.

It will also be useful to clearly recall the customer's objective: to transfer its outsourced IT system to another service provider, without discontinuity of service or loss of quality. But this is not just a restoration of the status quo ante, because it will be necessary to take into account what has been produced by the provider during the performance phase of the service, and that the elements (documentation, programmes, for example) created during the reversibility phase are produced specifically to be transferred.

The implementation of reversibility will be formalised by a "reversibility plan", generally drawn up by the steering committee, when it exists, which must be validated by a series of test procedures. The "reversibility plan" should include:

  • the definition of the scope of reversibility (total or partial) and the related services;
  • an exhaustive inventory of the material and immaterial resources used by the service provider in the performance of the initial contract, the procedures implemented by the service provider (performance, security, storage, etc) and the additional measures and procedures intended for reversibility;
  • the detailed time and logistics schedule for reversibility;
  • the list of contracts relating to the performance of the service provider's obligations (software licences, hardware or maintenance contracts); and
  • the acceptance procedures, including tests, for reversibility operations that condition the transfer of risks from the system to the customer or the new service provider.

The impact of new technologies such as AI, robotics, blockchain and smart contracts is still minimal in outsourcing transactions, except in the customer relations market where artificial intelligence is growing fast.

However, regarding blockchain, it appears that the French market lacks maturity when it comes to using this new technology, which does not inspire confidence. In addition, companies seem to be unaware of how blockchain could be useful to their business. They are still looking for tasks to which they could apply blockchain outsourcing.

Although not yet applied much in practice, there is an increasing use of blockchain outsourcing in the agriculture and agri-food industry. This is due, in particular, to the fact that the operators in the agriculture and agri-food industry wish to ensure the traceability of production or the certification of production specifications. In this context, blockchain technologies, particularly by combining them with outsourcing, can help to bring more transparency and efficiency to the agricultural and agri-food industry, from farm data management to supply chain management. The stakes of these technologies in this industry are tremendous, the supply chain of the agri-food industry, where multiple intermediate operators follow one another, lacking transparency and having caused, in the past, numerous alimentary scandals (mad cow crisis, horse meat case, etc), as well as waste and huge losses of food.

Blockchain outsourcing is also developing in the health industry or inside of the post office department.

The outsourcing market is now developing around “full services” solutions, such as Captives and Shared Services Centres and Global Business Services (see 3.3 Captives and Shared Services Centres).

On the customer relations outsourcing market, diversification activities (such as consulting or training) are growing as outsourcers are willing to capitalise on their know-how to bring greater added value to their customers.

Specific regulations apply to outsourcing in the public sector.

Indeed, limitations to outsourcing in the public sector are implied by the necessity to follow the legal framework of public procurement. The outsourcing of public sector activities to a private company must comply with the prior tender offer system.

Besides, the so-called "sovereign" public services which implement the constitutional principle of national sovereignty can only be exercised by the State and cannot be outsourced. In several decisions rendered from 1932 to date, the State Council and the Constitutional Council specified that, because of their nature or the legislator’s will, the following services can only be directly carried out by a public authority: police activities, expropriation, responsibilities regarding public highways, strictly medical activities in hospitals, teaching activities in schools, etc.

There are restrictions in several specific areas of activity such as finance and public service.

The regulation of outsourcing for financial services was imposed by Directive 2006/48/EC relating to the taking up and pursuit of the business of credit institutions (Banking Consolidation Directive) along with Directive 2006/49/EC on the capital adequacy of investment firms and credit institutions. Those Directives have been implemented by the Law No. 2013-672 of 26 July 2013 on the Separation and Regulation of Banking Activities.

The outsourcing of financial services is subject to:

  • Monetary and Financial Code;
  • Regulations of the French Prudential Control Authority; and
  • Financial Markets Authority Regulations.

The relevant provisions are included in the:

  • Monetary and Financial Code (Articles L522-14 to L522-18 and Articles L526-27 to L526-34);
  • French Ministerial Order of 3 November 2014 on the internal control of credit institutions and investment firms of the French Prudential Control Authority; and
  • The General Regulation of the Financial Markets Authority.

The restrictive provisions governing finance industry apply to credit institutions, investment firms, legal persons composed of either credit institutions or investments firms and payment institutions.

Obligations for these institutions include that:

  • information must be given to the Prudential Control Authority and parties must ensure that the Prudential Control Authority can check the institution's compliance with its legal obligations;
  • the customer controls the outsourced activities;
  • the customer remains responsible for the obligations it has regarding its own customers and partners when the activity was outsourced. This is an essential part of its service;
  • the outsourcing activity must be subject to a written contract between the supplier and the customer;
  • termination of the outsourcing arrangement must not prejudice the continuity or quality of the service;
  • the customer ensures that the supplier complies with the normal use of the service, and with the protection of confidential information;
  • the customer must install a safety mechanism in the case of a serious threat to the continuity of service;
  • the supplier cannot substantially modify the service provided without the prior approval of the customer; and
  • the supplier must comply with the processes defined by the customer regarding the organisation of control. It must allow access, when necessary, to all information on the activity outsourced and notify of every event that can have an impact on its ability to perform its task.

If the supplier is based in a country that is not a member of the European Community and outside the European Economic Area (EEA), additional conditions apply:

  • the supplier must be entitled or authorised to exercise outsourcing activities for third parties in its country of origin;
  • the supplier must allow a "prudential surveillance" by the Financial Markets Authority and, without compliance with these two conditions, the outsourcing agreement will only be recognised if, after notification to the Bank Commission of the Prudential Control Authority, no observations have been made for a period of three months.

Finally, no specific regulations currently exist for IT and cloud services. However, the French Data Protection Authority (CNIL) published recommendations on how best to comply with the general regulations when cloud services are concerned:

  • clearly identify the data and processing operations that will be passed to the cloud;
  • define the requirements for technical and legal security;
  • carry out a risk analysis to identify the security measures essential for the company;
  • identify the relevant type of cloud for the planned processing;
  • choose a service provider offering sufficient guarantees
  • determine the service provider's legal qualification; and
  • assess the level of protection given by the service provider for the data processed.

For every potential outsourcing of personal data collection or processing, attention must be paid to compliance to the General Data Protection Regulation (GDPR), which entered into force on 25 May 2018, and deeply modifies the French and European data protection framework.

The GDPR notably modifies the liability regime between the data controller and the data processor: any and all entities involved in personal data processing will be jointly liable in the event they do not comply with the GDPR. Section 28 of the GDPR provides that the data processor shall be directly liable if he does not comply with a list of requirements contained in this section.

This provision is applicable to any service provider processing personal data, eg, notably when performing outsourced activities.

Regarding the above, it is important that in all transactions involving the transfer of personal data, the parties ensure that the legal arrangement clearly defines the data controller, the data processor, and each party’s liability and commitment towards the handling of data security and data protection.

Data processing is allowed under the GDPR and French law under the condition that the data is:

  • processed lawfully, fairly and in a transparent manner in relation to the data subject;
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • accurate and, where necessary, kept up to date;
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Regarding data security, Article 32 of the GDPR provides that any data controller and data processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

  • the pseudonymisation and encryption of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Finally, and as a principle, the transfer of personal data to non-EU Member States is prohibited if the laws of the destination country or transit of the data do not ensure an adequate level of protection of individuals, or if suitable safeguards are not in place to protect data subjects.

However, International data transfers (outside the European Union) may be grounded on a variety of mechanisms:

  • an adequacy decision issued by the European Commission (the Commission adopted on 23 January 2019 an adequacy decision on Japan);
  • implementation of Binding corporate rules;
  • signature of standard data protection clauses adopted by the European Commission or by a supervisory authority;
  • an approved code of conduct;
  • an approved certification mechanism; and
  • ad hoc contractual clauses approved by the competent supervisory authority.

Data protection and security are governed by Act No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties implementing the Data Protection Directive.

When processing with data, the supplier must offer warranties to ensure data security.

A contract must be signed between the customer and the supplier specifying the instructions under which the supplier can process personal data. The data processor can only act under the conditions set in the contract. The customer remains data controller, liable for any breach of data protection laws caused either by the data controller or the data processor.

Transfer of data to a non-EU member and a non-European Economic Area (EEA) country that is not recognised by the European Commission as offering an adequate level of data protection, requires additional conditions to be fulfilled. The most common way is the conclusion of a contract establishing measures of data protection, based on the European Commission Model Clauses and approved by the Data Protection Authority (CNIL).

In the event of breaches of the law, the CNIL's limited committee may pronounce:

  • a fine of up to EUR300,000 and a five-year prison term for individuals.
  • a fine up to EUR1.5 million for legal entities.

When outsourcing, the solutions to data security are based on contractual negotiation and formalisation that reduces risks such as data leakage for the customer. A "Safety Assurance Plan" can be established so that the client's expectations in this area are translated into contractual terms obligation for the service provider.

Confidentiality commitments must be made, and the client must also have means of control.

Technical and concrete measures can usefully be provided for in the contract: use of secure connections, user authentication, data replication procedures. Traceability will make it possible to verify that the service provider complies with these security and confidentiality obligations.

The purpose of providing for the possibility of an external audit is the same: the audit may identify fraudulent access or system integrity violations to ensure the effectiveness of the security procedures implemented by the service provider. When the outsourcing implies cloud computing, it seems difficult to place full responsibility for data confidentiality and security on the service provider: the respective responsibilities of each contracting partner must be considered and stipulated.

When coming to personal data, the data, the data processor can only act under the conditions set in the contract. The customer remains as data controller, liable for any breach of data protection laws caused either by the data controller or the data processor.

Generally, if personal data related to the employees is transferred to the new employer, the new employer can become either a data controller or a data processor. Data processing is allowed under the Data Protection Directive and French law under the conditions that the data is:

  • processed fairly and lawfully;
  • collected for specific, explicit and legitimate purposes;
  • adequate, relevant and not excessive in relation to the purposes for which it is collected;
  • accurate and kept up-to-date.

In its guide for processors published in September 2017, the CNIL provides the public with a template controller-to-processor data processing agreement which comply with the GDPR requirements.

Finally, the provider must undertake to comply with specific technical and organisational measures and tolerate audits with regard to compliance. Contracts need to provide for detailed descriptions of the deliverables of the provider. On the other hand, customers are often unable to clearly define their demands, which sometimes leads to conflicts in practice.

In France, an outsourcing contract will often consist of two levels of contracts: one that would be signed between the publisher and the service provider, who is granted a licence to use the software on its computer servers and to sub-license the application software, the other formalising the relationship between the service provider and the customer in order to give access to the application platform and its functionalities.

Regarding the service provider and customer contract, there are generally three common forms of outsourcing contracts. Because outsourcing is generally a complex operation that involves several customer and supplier entities or several different services, or both, it is very common to use a master agreement to define the scope of the contractual relationship. The master agreement is then implemented through a series of implementation agreements, pursuant to which the outsourcing services are ordered for certain categories of services or for certain customer affiliate or geographical locations. Consequently, the forms of outsourcing contracts vary depending on the form of agreements chosen to implement them:

  • The first model: each implementation agreement creates a unique relationship between each customer affiliate that orders the outsourced services and either the global service provider or the local affiliates of the service provider. This form is often used, for example, where services will be provided locally rather than centrally. It is complicated to manage insofar as each local relationship may be subject to local laws and local dispute resolution.
  • The second model: this is a global agreement signed between the two parent organisations. This is particularly appropriate where services are centrally managed. This type of relationship is simpler to manage than the first contract model, and can be governed by the laws of only one jurisdiction.
  • The third model: this is a combination of the two first models. The relationship is governed by various subsidiary agreements, but the resolution of any dispute will be centralised and managed by the parent companies of the customer and the service provider. This is often seen as the preferred solution.

Direct outsourcing, joint venture and multi sourcing are the legal structures used outsourcing.

In direct outsourcing schemes, the contract is signed directly between the customer and the supplier. The supplier has its own structure and employees.

The advantages of this structure are that direct outsourcing is fast to implement and flexible. Although the costs are high, they are defined.

Direct outsourcing also presents some disadvantages. Indeed, there is a lack of real control from the customer to the service provider. Furthermore, the customer has less control over intellectual property protection procedures. Finally, direct outsourcing can raise privacy issues because of the transmission of personnel data.

In joint-venture, the customer creates a new entity through a joint-venture signed with a supplier for the purpose of the outsourced activity.

The advantage of this joint-venture structure is the control of the outsourced activity. But the main disadvantage is that a joint-venture is a complex structure and can cost a lot of money.

As stated above (1.1 IT Outsourcing), in a multisourcing model, the customer outsources a number of separate activities to different suppliers, according to different criteria (geographical, functional, etc).

The advantage of this scheme is that the multisourcing is very flexible. The disadvantages are difficulty of management, risk regarding quality of service, and potential disruption to service.

Captive and Shared Service Centres (Centres de Services Partagés or CSP) continue to grow and are now becoming a source of greater opportunities for companies: improved performance, improved agility of the back-office, acceleration of digitalisation. But if there are multiple advantages of there outsourcing schemes, the transition to a CSP model remains a major transformation project and, as such, requires solid preparation upstream, as well as a good understanding of the issues specific to this model.

T current trend is the development of a new model of CSP: the Global Business Services (or GBS). It corresponds to the migration of a growing number of functions and directions to shared centres. This means that this multi-functional outsourcing solution standardises and globalises the processes, and that the management team is unique for all functions covered by the GBS.

In parallel, it is also interesting to note that the emergence of automation and robotics type technologies is resulting in a re-internalisation phenomenon of some very repetitive and highly controlled processes in terms of management rules, formerly offshored in low-wage countries.

The outsourcing contract must be the result of a substantial negotiation between the parties and should precisely reflect the intended operation.

Provisions for customer protection usually included in the contract are the:

  • right to audit the supplier's performance;
  • possibility for the customer to outsource the service to another supplier;
  • insurance plan;
  • parent company guarantee;
  • termination for cause; and
  • penalties applying to the supplier (for example under a service level agreement).

French law does not prescribe a lot with respect to the content of an outsourcing agreement. General contract law applies, except for specific matters such as intellectual Property, data transfer or employment.

In addition to the main protection provisions listed above, and pursuant to Article 1217 of French Civil Code, if the supplier fails to perform its obligations, the customer, as any contracting party, can:

  • terminate the contract;
  • suspend his payment;
  • ask for price reduction;
  • seek the enforced performance of the agreement by the supplier; and/or
  • seek damages before the courts.

If not contradictory, these remedies may be cumulated. Damages may be cumulated with any other remedies.

In order for termination to be valid, the breach must be serious and justify the impossibility for the customer to remain bound by this contract. The breach must be preceded with a registered letter sent to the breaching party except if agreed otherwise in the contract.

Under general French law, the customer must prove the supplier's wrongdoings or negligence, and prove that it caused him damage.

Termination of the contract is usually provided for in cases of expiry of term and non-extension, by mutual consent, in case of breach, or for convenience.

The parties may include in the agreement, contractual clauses provided that specific breaches will automatically give the right to the other party to terminate the contract. The parties can also insert a clause allowing termination for convenience, typically with prior notice.

The law established that termination of the contract is always possible when one of the parties does not comply with its obligations. The termination of the contract can be put before a judge to obtain remedies.

Insolvency does not justify termination of a contract. However, the law established a specific mechanism to terminate a contract in case of bankruptcy.

Sometimes the contract provides for a possibility to terminate for convenience, with compensation. Such termination generally provides for notice periods that may be lengthy. This period may be used to implement the reversibility, transfer or "re-internalisation" procedure.

Article 1231-2 of the French Civil Code provides that the innocent party can seek damages corresponding to the losses caused by the contract breach, and the benefits it was deprived of because of the breach.

However, Article 1231-3 of the same Code provides that damages are limited to the losses that were foreseen or could have been foreseen at the time of conclusion of the contract. This limitation does not apply in cases of very serious or wilful misconduct.

The claimant must prove that the damages incurred are the immediate and direct consequence of the defendant's breach, (Article 1231-4 of the same Code) this excludes indirect damages.

The parties can decide to cap, limit or exclude certain types of liability and/or damages. However, limitation and exclusion clauses are only valid if they do not empty the contract of its essential stipulations.

Additionally, a breaching party cannot invoke a limitation or exclusion clause in the case of wilful misconduct.

Further, in a contract where clauses are not freely negotiated (typically a contract between a consumer and a company), any clause that creates a “significant imbalance” between the parties' respective rights and obligations is deemed null and void pursuant to Article 1171 of the French Civil Code. This rule applies to limitation and exclusion clauses.

The parties can decide to cap, limit or exclude certain types of liability and/or damages. However, limitation and exclusion clauses are only valid if they do not empty the contract of its essential stipulations.

Additionally, a breaching party cannot invoke a limitation or exclusion clause in the case of wilful misconduct.

Last, in a contract where clauses are not freely negotiated (typically a contract between a consumer and a company), any clause that creates a “significant imbalance” between the parties' respective rights and obligations is deemed null and void pursuant to Article 1171 of the French Civil Code. This rule applies to limitation and exclusion clauses.

Under general contract law, Article 1104 of the French Civil Code imposes the principle of execution in good faith of any agreement. Aside from this general implied term in all contracts, the service provider is bound by an obligation to provide advice to the client. The outsourcing operation is often crucial for the client, who may have to change his internal organisation accordingly. The obligation to provide advice is therefore particularly important, both during the negotiation phase and during the performance of the contract (the service provided must remain in line with the client's needs). This explains why the business needs analysis carried out by the service provider is often the subject of a separate contract, and the analysis is therefore entrusted to a third party. In the event that the outsourcing offer is standardised, it is the client who will check that the services offered correspond to his needs, and that his IT environment is able to receive application services. While the service provider owes a classic duty of advice, he is mainly bound by an obligation to perform his service.

The transfer of employees is regulated by Article L1224-1 of the Labour Code which stated that "in the event of a change in the employer's legal situation, in particular, as a result of inheritance, sale or merger of the undertaking, a change in its legal form or its incorporation, all employment contracts in force at the date of this change continue between the new employer and the company's staff".

French Supreme Court (Cour de cassation) considers that this article L.1224-1 applies to outsourcing only if the outsourced activities constitute an “autonomous economic entity”, ie, an organised body of persons and tangible or intangible assets enabling the pursuit of an economic activity which pursues a specific objective.

An outsourcing transaction that has an effect on the organisation of the workplace requires prior consultation of the work council and health and safety committee.

Indeed, the Social and Economic Committee is informed and consulted on matters concerning the organisation, management and general operation of the company. In this context, it shall be informed or consulted in particular on measures likely to affect the volume or structure of the workforce, changes in its economic or legal organisation, and any conditions of employment.

Indeed, the Social and Economic Committee is informed and consulted on matters concerning the organisation, management and general progress of the company. In this context, it shall be informed or consulted in particular on measures likely to affect the volume or structure of the workforce, changes in its economic or legal organisation, and any conditions of employment.

If changes are imposed on the employee without his consent, the employer triggers its liability for unfair breach of the employment contract. Damages will vary depending on the seniority of the employee, within limits provided by Article L1235-3 of the Labour Code.

As indicated above, the employee transfer will be dealt in accordance with article 1224-1 of the Labour Code. Accordingly, it is advisable for companies to carry out a prior analysis of the situation at the pre-contractual stage in order to determine whether the outsourced activity constitutes an "autonomous economic entity".

Nowadays, we can notice that three special professions are particularly sought after, in the context of outsourcing:

  • Project management assistant: they are in high demand, as they manage the outsourcing program. The project management assistant is self-employed or employed by the service provider. He will design the customer’s project, in partnership with the customers internal project manager;
  • Architects and developers: they conceive and develop the solution according to the instructions of the project manager assistant. In most cases, they will be seconded in the customer’ premises, depending on the solutions sought; and
  • Software publisher: the software publisher would conceive the solution that best suits the customer’s needs. he conceives the solution that best suits the customer’s needs. He is generally the service provider’s employee.

What terms apply on asset transfer in outsourcing agreements in your jurisdiction?

A company transferring IP rights such as a trade mark, copyright or patent must ensure that it is entitled to transfer the rights. In order for the transfer of a trade mark or patent to be valid, it must be registered with the National Institute for Industrial Property (INPI) (Articles L.131-3, L.613-9 and L.714-7, Intellectual Property Code).

Any transfer of contract requires the approval of the other party, whether included in the contract before the outsourcing or obtained during a specific negotiation.

Since 25 May 2018, any transfer of personal data must comply the GDPR (which replaced Directive 95/46/EC) and with the national regulations on the transfer of personal data. In certain case, some form of notification to the Data Protection Authority (CNIL) might be needed before any transfer. The conditions are more stringent for offshore transfer.

Frieh Associés

9, rue Alfred de Vigny
75008 Paris
France

+33 018 413 1128

rdana@frieh.law www.frieh.law
Author Business Card

Law and Practice

Authors



Frieh Associés is a leading boutique law firm in Paris, comprised of lawyers who practised many years in reputed international law firms, who made their practice evolve into a Paris-based firm; this approach allows them to be more reachable for their clients, and more focused on their clients’ business and interests. The lawyers of Frieh Associés are able to rely on a solid network of foreign law firms, built over years of interaction and referrals, providing flexibility when putting together an international team. Frieh Associés represents and advises investment funds on leveraged buyout acquisition, venture capital and development capital transactions, as well as industrial and services groups on their equity operations, structuring and negotiation of management packages. The firm’s client base also includes actors of the industrial and manufacturing world, companies of the infrastructure and transport sectors, and players in the fields of life sciences, telecommunications and technology.

Compare law and practice by selecting locations and topic(s)

{{searchBoxHeader}}

Select Topic(s)

loading ...
{{topic.title}}

Please select at least one chapter and one topic to use the compare functionality.