Outsourcing 2019 Second Edition

Last Updated October 28, 2019


Law and Practice


Luther Rechtsanwaltsgesellschaft mbH has more than 400 lawyers and tax advisers in ten national and six international offices, of whom 16 specialise in outsourcing in the offices in Cologne, Frankfurt, Essen, Berlin and Stuttgart. The firm's key areas of practice are technology, media and telecommunications, data protection law, IT security, and public procurement law in the field of IT.

Service Providers still tend to position themselves as innovation drivers and we observe in-creasing numbers of combinations of outsourcing and SaaS and/or cloud services. IT outsourcing projects seems to focus also on ancillary services such as HR management/administration, sourcing and data analytics.

We observe that initial fixed duration tends to be shorter than in the past, which puts provider under some pressure in terms of amortisation of investments. Additionally, it seems that customers request models, in the course of which provider work with equipment provided by the customer (“operator model”). Further, provider strive for vendor-lock-in by special know-how and USPs.

Even though the reasons for an outsourcing decision (first generation) are driven by other considerations, customers appreciate when providers are able to show efficiency by new technology. Recent projects in Germany showed more and more M2M (Machine-to-Machine) communication and increasing digitisation in all industry sectors. Thus, ownership of data is a major issue. In some segments, such as the supply chain, major parts of processes are already partly or fully automated. We assume that this will lead to a significant increase in the IT-related share of projects, which are not IT outsourcing.

New technologies, such as M2M-communication, and the development of IT structures with flexible networked systems increase efficiency and quality. For companies, digital work means greater flexibility through the cloud, the increase in mobile applications and end devices, which are increasingly available globally and without time limits. The new technologies also have an impact on user and product searches and research and object marketing, as well as on transaction management. The increasing speed of development will make it very demanding for providers to adopt their services during the term of a contract. Accordingly, careful negotiation of contracts with regard to change requests is of essence.

The combination of market consolidation on the one hand and upcoming start-ups on the other is a development customers' have to face. Providers concentrate on big projects, seeing them as showcases, and are willing to invest in order to gain market share, irrespective of profitability. Some projects showed a lack of professionalism of new providers in implementation. Thus, eager start-ups may seem to be a comfortable situation for the customers at a first glance, but sometimes lead to quality issues and risk of premature exits of bigger projects.

Due to IT and data being a key factor for productivity, data analytic services and data management services are getting more and more important for the providers. Ownership of data and technical knowledge are quite often part of intensive negotiations.

With regard to commercials and transparent remuneration models, combining an open-book approach with a bonus-malus-scheme, depending on achievement of productivity targets, are an option however, customers tend to be reluctant. Customers significantly improved in transition management, but anyhow transition to a new provider is still a challenge and contract should address this.

Except for specific sectors such as healthcare and banking and finance, etc, which are expected to adhere to a number of rules protecting the employee’s rights, under German law parties are comparably free in how to structure an outsourcing project. As far as outsourcing comprises personal data, which is almost always, specific rules under data protection framework need to be obeyed, namely GDPR, which applies throughout the European Union.

General civil law (Civil Code/Commercial code) is relevant for fundamental aspects such as performance, consideration, warranty and liability. An outsourcing project is made up of an abundance of individual services that must be assigned to the contract types regulated in the German Civil Code (BGB):

  • Purchase contract §§ 433 et seq. Civil Code (eg, purchase of hardware and software, purchase of network components, but also transfer of assets from customer to provider);
  • Rental agreement §§ 535 et seq. Civil Code (eg, for IT services hosting, cloud computing, rental of computer centre space, rental of hardware and software, leasing of software and hardware);
  • Service or work contract §§ 611 et seq., 631 et seq. Civil Code (eg, support, software maintenance, network services); and
  • Warehousing and transportation services §§ 407 et seq. Commercial Code.

If the outsourcing provider owes a specific success, the law on contracts for work and services applies. If, however, only one action, ie, a mere effort, is owed (eg, also in the operation of a call centre), the service is assessed in accordance with the provisions of the service contract. Accordingly, contracts should provide for clear language as to expectations and consequences in case of malperformance.

Criminal law provides for further restrictions based on § 203 German Criminal Code (StGB), for example with regard to the data of patients in the healthcare sector.

Cloud computing, the outsourcing of in-house computing processes to external service providers, is already being used by numerous financial institutions, particularly in the banking sector. Because this involves the outsourcing of sensitive information processing processes, financial service providers must not only comply with the legal requirements of the GPDR. In the banking sector in particular, § 25a German Banking Act (KWG) and § 17 German Money Laundering Law (GWG) must be observed. These provisions contain obligations under banking supervisory law to introduce more precisely defined security systems that guarantee security when outsourcing sensitive information processes.

For IT security, a proper business organisation must be in place, in particular, the inclusion of appropriate and effective risk management. Another legal source for the protection of information technology is the IT Security Act (BSIG). According to § 8a para. 1 S.1 BSIG, operators of critical infrastructures must take appropriate organisational and technical precautions to avoid disruptions to the availability and confidentiality of their information technology systems. Infrastructures from sectors such as energy, finance and insurance as well as information technology and telecommunications are regarded as potentially critical.

Apart from those for outsourcing in the supply chain or logistics, there are a number of sector-specific legal restrictions which lead to specific measures to be obeyed by the provider, for example for storage of food or medicines. Since customers remain responsible for any non-compliance by the outsourcing provider, it is of utmost importance to include those measures in the contract.

When processing data, it must be taken into account whether the outsourcing involves a data transfer or whether there is only a so-called order processing. The concept of data transfer is regulated in Article 4 paragraph 2 GDPR. During order processing, personal data is disclosed by the responsible office to other persons or third parties. In a case where the provider undertakes data processing on behalf of the customer as a data controller, it is mandatory to conclude a separate data processing agreement in accordance with Article 28 GDPR.

For the legality of data transfer outside the EU or EEA, the general principles of Article 44 GDPR must be observed. If data leaves the scope of EU data protection law, there is a risk of unrestricted use of the data in the country of the recipient as well as uncontrolled return to the EU area. For the transfer of personal data to a recipient in a third country, the transfer must not only comply with other provisions of the GDPR (eg, an appropriate level of protection), but at least one of the conditions of authorisation in Article 45 - 49 GDPR must also subsist.

According to Article 84 GDPR, sanctions for violations of the data protection framework must be effective, proportionate and dissuasive. Depending on the circumstances of the individual case, fines are imposed in addition to, or instead of, measures pursuant to Article 58 paragraph 2 GDPR. Measures include, for example, reprimands, instructions to adapt data processing to legal requirements and temporary or definitive prohibition of data processing. There is a catalogue of criteria in Article 83 paragraph 2 a - k GDPR for the assessment of sanctions. The maximum fine amounts to up to EUR20 million or up to 4% of the total annual turnover achieved worldwide in the previous financial year, whichever is the higher.

In practice, authorities are more frequently starting investigations and issuing orders for penalties. It is worth noting that it is the annual turnover of the entire group and not that of the individual legal entity that applies. Furthermore, it needs to be noted that a breach of data protection law will commonly be interpreted as unfair competition entitling competitors to take legal action (including compensation for damages). 

On the one hand, the provider must undertake to comply with specific technical and organisational measures and tolerate audits with regard to compliance. Contracts need to provide for detailed descriptions of the deliverables of the provider. On the other hand, customers are often unable to clearly define their demands, which sometimes leads to conflicts in practice.

Due to new legal framework (the new Act on Trade Secrets, based on EU legislation), this issue needs to be carefully evaluated. This is necessary as the new law requires certain measures to benefit from legal protection of trade secrets. Where a party does not obey the requirements, the party runs the risk of losing the legal protection of its trade secrets. Accordingly, internal concepts for protection of trade secrets need to be implemented within outsourcing contracts.

Generally, a framework agreement is made, which is kept very general and regulates the basic rights and obligations of the parties involved, such as general principles for the provision of services and the obligation to co-operate in general, warranty, liability, contract and conflict management for the duration of the agreement. In a statement of works or service description, the individual services and the phases and/or milestones of the outsourcing are specified in detail. Service level agreements and detailed key performance indicators provide a means to measure the quality of the service, ensuring their quality, reliability and availability for the duration of the framework agreement.

Still, the classic model of a service agreement with a remuneration based on unit prices (sometimes with fixed components or minimum units to be paid by the customer) seems to be the standard model. However, recent developments show increasing numbers of joint venture models in order to ensure the customer’s control and influence as well as transparency. As stated in 1.4 Other Key Market Trends, one major trend is innovative remuneration models, combining demand for productivity increase and continuous improvement on the one hand with necessity for costs coverage and margin on the other.

In some sectors, such as logistics and supply chain, “4PL-models” were used in some projects, during the course of which the provider did not necessarily perform the services on their own or through sub-contractors, but solely organises and improves the structure and manages a number of third-party providers. Further, joint venture structures continue to be used for complex outsourcing projects.

In regard to remuneration, there are still models in place according to which the provider receives a percentage share of the net sales of the customer. However, this share is strictly bound to certain assumptions and, in the end, may produce more uncertainty than intended.

We also observed outsourcing projects where the provider took over operations, which the customer intended to ramp-down, but with the mutual aim to find a third-party business which could enable the continuation of the operations. In these projects, the main driver for the cooperation is the “win-win” option due to third-party business.

In most cases, indirect areas or service departments that provide internal services are bundled in a shared service centre. This is still the case, for example, in the areas of personnel administration (payroll, travel expenses, sourcing), accounting and IT services. However, it can be observed that the trend in recent years to save costs in the context of captives and offshore shared services centres could be declining, as costs can be saved onshore through the use of IT and digitisation. Overall, we expect that customers are more reluctant to deal with captives and will bundle services in onshore shared service centres.

To list all measures for customer protection would go beyond the scope of this contribution. To name a few, typical measures include:

  • milestone plans and definition of deliverables of provider and customer;
  • comprehensive service level agreements;
  • detailed framework for adjustments of remuneration;
  • benchmarking;
  • gain share models/continuous improvement programs;
  • governance;
  • balanced change request procedure;
  • granting of rights to customer, even after the term of the contract; and
  • transition services.

In practice, we observe that some customers tend to push too hard in this regard, resulting in a provider making losses and decreasing service quality accordingly. The key to an effective customer protection seems to be a good balance and understanding of either parties’ needs.

IT outsourcing contracts usually have an initial fixed term due to the initial investment that the IT outsourcing provider has to make for the implementation of the service. In the long term, an automatic extension of the contract is often provided for unless one party terminates the contract at a certain point in time. Typical fixed terms are three to five years, in larger projects five to seven years, with break-options (against compensation of non-amortised investments).

However, the right to terminate for cause (“aus wichtigem Grund”) cannot be excluded, even during a fixed term. According to § 314 BGB, either party may terminate for cause without observing a period of notice (extraordinary termination). According to § 314 para. 1 S. 2 BGB, such cause only exists if the terminating party cannot reasonably be expected to continue the contract until the agreed termination.

It is worth noting that, generally, a prior warning letter is mandatory, and courts require a somewhat severe breach of obligations. The customer's termination rights are frequently encountered in the event of serious violations of the service level agreements and in the event of a serious deterioration in the provider's financial situation. It is advisable to specify examples when a termination is being considered. In addition to the severity of the breach, the significance of the service level agreements for the course of business must also be taken into account. In any case, extraordinary termination must remain the last resort and sanctions in the form of contractual penalties or lump-sum damages shall take precedence. With regard to an extraordinary termination by the provider, payment default by the customer should be considered, in particular.

Under German law, a limitation of liability in terms of amount and differentiation according to the type of damage (direct and indirect damage) is contained in very few special provisions, for example, in the area of logistics. In general, German law is not aware of the Anglo-Saxon distinction. Rather, the person responsible has to compensate all damages which have arisen causally through a breach of duty. However, contributory negligence of the injured party may have to be taken into account (§ 254 BGB).

With regard to the type of damage, according to the statutory regulation (defect and consequential damages) unlimited and comprehensive damages are included. This includes, in particular, consequential damages such as loss of profit. According to legal logic, these damages are also to be compensated, eg, in the event of a standstill of the production line.

However, since this is completely out of proportion for the provider within the scope of outsourcing, limitations of liability are very common and appropriate. The provider has a legitimate interest in modifying the legal situation in such a way that a reasonable limitation of liability is agreed upon. Market practice is that there is an obligation to pay compensation for typical operating risks, such as loss of profit. Goodwill is excluded, or at least limited, whereas the limit will be calculated by way of a percentage of provider’s turnover with the business.

Very far-reaching limitations of liability can be made in contracts and it is quite common - unlike in Anglo-Saxon contracts - that liability is also limited in cases of gross negligence. In this respect, it should be pointed out that the German courts tend to assume gross negligence quite easily. However, in "General Terms and Conditions" (ie, contracts which were not negotiated) the limitations of liability are only possible within very narrow limits. In the market, however, the liability regulations are negotiated individually (for good reasons, as every project is different).

German law provides for a number of reliable implied terms, even if the parties do not explicitly agree on a contractual provision. See 2 Regulatory and Legal Environment for further information on the basic legal framework.

Aside from this, good faith is a very important implied term to be observed. In particular, where projects go into a dispute, the courts tend to evaluate the commercial and legal spirit of a contract. In this context, courts have to interpret the legal wording, bearing in mind the history of a contract or project and the balance of risks and changes. As good faith may limit and change the interpretation of a wording, parties should take care to explicitly address and explain the reasoning of specific terms, including why the parties deemed a certain clause to be fair and balanced.

As for other countries in the European Union, TUPE regulation apply for a transfer of undertakings, which has been implemented in German law in clause § 613 a German Civil Code (BGB). Notably, it depends on an individual case, whether or not there is a transfer of undertakings. German courts tend to more likely assume such a transfer rather than to reject such transfer, whereas determination is very difficult and subject to the specific structure of the project. As a consequence, if there is a transfer of undertakings, the provider automatically assumes all employment contracts for the employees involved (unless the employees object against the transfer). The economic effect may be enormous and, accordingly, TUPE needs explicit attention in the commercial and legal negotiation.

A distinction must be made between the transfer of an undertaking and the provision of temporary workers. The provision of temporary workers provides the customer with the manpower of the providers employees without the employment relationship being transferred to the customer, or the customer concluding an additional employment contract with the employees concerned. The parties regulate the instruction authority opposite the employees contractually. As a rule, however, the customer can exercise this authority without restriction. In Germany, the model of employee hiring is regulated by the Temporary Employment Act (AÜG). For example, in order to protect the employees concerned, the provider requires a permit in accordance with the Law on Temporary Employment. Using temporary workers requires a number of formal processes to be strictly obeyed by both customer and provider, and the customer may be held responsible for the provider’s default.

If an intended outsourcing led to an operational change ("Betriebsänderung") in the establishment, the employer would have to negotiate a balance of interest ("Interessenausgleich") and a social plan ("Sozialplan") with the Works Council due to section 111 of the Works Constitution Act ("Betriebsverfassungsgesetz"). An operational change could be the splitting-up of an establishment (concerning the outsourcing establishment) or the merging of establishments or parts of it (concerning the insourcing establishment). Outsourcing does not have to be negotiated with a union in every case, however, depending on the importance of the outsourcing and the potential effect on whether or not collective bargaining agreements will still be applicable to employees, it might help to involve an union.

If there is a transfer of undertakings, the provider usually takes over the personnel and, in the contract, the parties agree to treat each other accordingly. Most likely, the employees do not object against the transfer, since they would otherwise risk losing their employment. However, in practice parties sometimes try to structure the outsourcing in such a way that there is no transfer of undertakings (by changing the “identity” of processes).

If there are assets to be transferred, there are generally two models in place, either the provider takes over the assets by way of purchase (without warranties and at a purchase price usually determined by residual book value) or the customer provides the asset at their cost. One way or another, the parties need to determine how to deal with damages to the assets and costs for maintenance and later investments.

Luther Rechtsanwaltsgesellschaft mbH

Anna-Schneider-Steig 22
50678 Cologne

+49 221 9937 0

+49 221 9937 110

cologne@luther-lawfirm.com www.luther-lawfirm.com
Author Business Card

Law and Practice


Luther Rechtsanwaltsgesellschaft mbH has more than 400 lawyers and tax advisers in ten national and six international offices, of whom 16 specialise in outsourcing in the offices in Cologne, Frankfurt, Essen, Berlin and Stuttgart. The firm's key areas of practice are technology, media and telecommunications, data protection law, IT security, and public procurement law in the field of IT.

Compare law and practice by selecting locations and topic(s)


Select Topic(s)

loading ...

Please select at least one chapter and one topic to use the compare functionality.