Outsourcing 2019 Second Edition

Last Updated October 28, 2019

Luxembourg

Law and Practice

Authors



NautaDutilh is an international law firm specialising in Luxembourg, Belgian and Dutch law. More than 400 lawyers, notaries and tax advisers work at the firm's offices in Luxembourg, Brussels, Amsterdam, Rotterdam, London and New York. NautaDutilh Avocats Luxembourg is a key player in the Luxembourg legal market. Our team of 65 lawyers serves a range of national and international clients, mainly financial institutions, asset managers, large and mid-sized corporates, private equity firms, funds sponsors and IT companies. Our IP and Tech law team assists clients in all areas of intellectual property, advertising, unfair competition and trade secret disputes, as well as in IP and technology driven transactions. One of our key specialities is IT and outsourcing projects and contracts (including related litigation and preparation for litigation), with a particular focus on the financial and public sectors (eg, Luxembourg State, POST Luxembourg, Royal Bank of Canada, Mercedes pay and Microsoft).

The IT outsourcing market in Luxembourg is assessed to be around EUR448 million, which represents 30% of the total ICT services in Luxembourg (worth EUR1.5 billion). IT outsourcing appears to be one of the most common types of outsourcing activities and continues to increase every year.

Key market developments in IT outsourcing relate to the increasing use of cloud computing infrastructures. The Luxembourg regulatory authority in the financial sector, the CSSF ("Commission de Surveillance du Secteur Financier"), released in 2017 a specific Cloud Circular, Circular 17/654, regarding IT outsourcing relying on a cloud computing infrastructure. In light of the release of the revised Guidelines on outsourcing arrangements by the European Banking Authority ("EBA") in February 2019, the Cloud Circular was updated by the CSSF in March 2019 with the release of Circular 19/714. The Guidelines on outsourcing arrangements from the EBA will certainly trigger a change in the CSSF regulations on (non-cloud based) outsourcing.

Furthermore, a recent survey on IT outsourcing in Luxembourg has shown that IT contracts tend to be implemented for a shorter period of time, usually for a maximum of three years, whereas the standard length for these contracts used to be five or seven years. It has also shown that the average contract value of IT outsourcing agreements is decreasing and that customers tend to replace single-sourcing contracts with multi-sourcing engagements.

It should be pointed out that cybersecurity and data protection are major concerns in the context of IT outsourcing. The Luxembourg government issued a National Cybersecurity Strategy in 2012, the latest version of which has been published for the 2018-2020 period.

In connection with the recent increase in outsourcing options permitted in the financial sector, we note that there is an increasing belief in and use of BP outsourcing in this sector. BP outsourcing is mostly targeted at back-office operations, such as IT.

The Luxembourg government launched, in 2014, the Digital Lëtzebuerg programme, aiming to establish Luxembourg as a "smart nation" ready to deal with a digital society. In April 2015, the World Economic Forum awarded Luxembourg the ninth overall ranking in the Global Information Technology Report. In this context, Luxembourg established inter alia a strategic vision for artificial intelligence (AI). It acknowledges the speed at which AI technologies deliver new services and it has been based on Luxembourg's ambitions to become a digital front-runner. AI is considered to be the facilitator between data and society's most valuable products and services. However, especially if AI services rely on personal data, data privacy and cybersecurity are of critical importance and ever increasingly need to be taken into account in the context of outsourcing activities.

Furthermore, AI could facilitate internal business processes, for example in companies or hospitals. The increasing use of AI by companies can lead to the insourcing of technologies; currently the same services are outsourced. It is part of Luxembourg's strategic vision to make efforts to connect with relevant AI solutions and to insource technology and service providers from abroad, which already occurs in the context of financial services. In this respect, the CSSF released a white paper at the end of 2018 setting forth the trends of AI in the financial sector and highlighting detected points of attention from a (financial) regulatory perspective.

In the field of blockchain and smart contracts, especially in the financial and fund sectors, are engaged in proof of concepts, some of them within the relevant professional associations. On a more general note, the Luxembourg State is also actively looking into the matter and examining which use cases can run on blockchain technology. The State has been a driver for the Infrachain project, a State sponsored non-profit organisation including service, consultancy and law firms as well as potential blockchain service clients and which builds a trustworthy infrastructure layer for blockchain applications.

There is no information applicable to this section.

There are no rules that specifically relate to outsourcing in a general manner, ie, that apply to any type of outsourcing, irrespective of the sector. That being said, for any type of outsourcing, it is strongly recommended to verify whether:

  • outsourcing is likely to lead to a transfer of undertakings pursuant to Article L. 127-1 et seq. of the Luxembourg Labour Code, based on the EU Directive 2001/23/EC of 12 March 2001, and, if so, to contractually allocate the consequences thereof (refer to 5.1 Rules Governing Employee Transfers); 
  • outsourcing could constitute illegal lending of workers which is prohibited pursuant to Article L. 133 of the Luxembourg Labour Code (refer to 5.1 Rules Governing Employee Transfers); and/or
  • outsourcing will result in the processing of personal data by the outsourcee and if so, whether or not this will mean a transfer of personal data outside of the EU/EEA to a country that is not deemed by the European Commission to offer an adequate level of protection. Depending on whether the response to one or both of these questions is positive, the EU General Data Protection Regulation 2016/679 ("GDPR") will come into play and a contract must be entered into between the data controller (typically the outsourcing party) and the data processor (typically the outsourcee) which must contain a mandatory set of clauses (Article 28 of the GDPR) and/or additional safeguards must be put in place (eg, conclusion of EC standard contractual clauses, Articles 46-49 of the GDPR, etc).

Financial Sector

Outsourcing in the financial sector has traditionally been highly restricted due to the criminally sanctioned Luxembourg banking secrecy, ie, the obligation for Luxembourg financial institutions and their management and employees to "keep secret any information confided to them in the context of their professional activities or mandate" (Article 41(1) of the Act of 5 April 1993 on the financial sector, as amended (“the Financial Sector Act”) and Article 458 of the Luxembourg Criminal Code).

By means of the recent Luxembourg Act of 27 February 2018 ("the Financial and Insurance Sector Outsourcing Act"), which amended Article 41 of the Financial Sector Act, the outsourcing options have been significantly increased in the sense that any outsourcing (external and intra-group) to non-regulated Luxembourg companies and foreign companies is now also (explicitly) allowed, provided there is a service contract in place and there is acceptance of the clients in accordance with the law or the modalities agreed upon between the parties.

Such acceptance should extend to the outsourcing of the relevant services, the type of information transmitted within the context of such outsourcing and the country of establishment of the provider of the outsourced services. Furthermore, the persons having access to confidential information covered by the professional secrecy obligation must be subject to a professional secrecy obligation or be bound by a non-disclosure agreement.

The new rules allow for some flexibility in relation to the prior acceptance of the concerned clients which may be obtained – if there is no specific legal requirement – pursuant to the methods contractually agreed between the parties and, hence, implied acceptance could, under certain circumstances, be allowed. The new rules give a legal basis to the existing legal theory and position of the CSSF that outsourcing is possible if the clients of the outsourcing financial institutions have consented to the outsourcing and have thus waived the benefit of the professional secrecy.

Stakeholders in the financial sector should further pay close attention to the different CSSF Circular provisions dealing with or having an impact on (IT) outsourcing, such as:

  • Circular 17/655 updating the outsourcing provisions in Circular 12/552 on the central administration, internal governance and risk management that are applicable to credit institutions and investment firms;
  • Circular 17/656 on the outsourcing by other FSPs, payment institutions and e-money institutions (ie, alignment of the rules set out in the now repealed Circular 05/178 with the outsourcing provisions of Circular 12/552 plus specific rules on outsourcing by authorised support FSPs);
  • Circulars 17/655 and 17/656 contain similar provisions, yet Circular 17/656 in addition provides for more specific IT outsourcing requirements regarding IT system management and operation services, consulting, development and maintenance services, hosting services and infrastructure ownership; and
  • Circular 17/654 regarding IT outsourcing relying on a cloud computing infrastructure, as amended by Circular 19/714 ("Cloud Circular"), which applies instead of the above-mentioned Circulars 17/655 or 17/656 if the criteria mentioned in the Cloud Circular for the qualification as an outsourcing based on a cloud computing infrastructure are met. This Cloud Circular reproduces many principles of former Circulars 12/552 and 05/178, yet adapts them to the cloud context and adds several important obligations in terms of governance, client information/consent, CSSF notification/authorisation, audit rights, obligatory contract clauses, etc.

The above-mentioned CSSF Outsourcing Circulars set out specific requirements of central administration and internal governance that must be met in the event of an outsourcing, such as making sure that the outsourcing:

  • is based on a risk assessment and is consistent with a predefined policy based on a risk assessment and validated by the board of directors;
  • is formalised in an agreement including service levels and specifications; and
  • is strictly controlled by a professional of the financial sector which ensures its quality and guarantees the protection of the customer’s confidential information.

At EU level, the above-mentioned CSSF Outsourcing Circulars are complemented by the revised Guidelines on outsourcing arrangements of the EBA which were released on 25 February 2019 and which revise and replace both the current guidelines on outsourcing arrangements, which date back to 2006, and the EBA guidelines for the use of cloud service providers by financial institutions dating back to 2017. The EBA outsourcing guidelines form a significant layer of requirements on top of the CSSF Outsourcing Circulars requirements.

For reasons of completeness, we lastly point out that companies in the financial sector must also comply with Directive 2014/65/EU of 15 May 2014 (MiFID II) and its Luxembourg implementation law of 30 May 2018 when outsourcing call-recording.

Insurance Sector

A similar, criminally sanctioned, professional secrecy obligation exists for insurance companies (Article 300 of the Luxembourg Act of 7 December 2015 on the insurance sector, as amended (“the Insurance Sector Act”) and Article 458 of the Luxembourg Criminal Code). The Financial and Insurance Sector Outsourcing Act provides for a similar enlargement of the exceptions to the professional secrecy obligation for insurance companies. Contrary to the CSSF, the Commissariat aux Assurances ("CAA"), which supervises and regulates the insurance sector, has not, however, issued any outsourcing regulations. This might change in the near future as the European Insurance and Occupational Pensions Authority (EIOPA) launched a consultation on guidelines on outsourcing to cloud service providers in July 2019, which may result in more detailed regulations.

Firstly, to the extent that the outsourcing results in the processing of personal data, meaning any information relating to an identified or identifiable natural person, by the outsourcee, the GDPR will come into play and a contract must be entered into between the data controller (typically the outsourcing party) and the data processor (typically the outsourcee) which must contain a mandatory set of clauses (Article 28 of the GDPR). The mandatory set of clauses includes a clause that requires the processor to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk as set out in Article 32 of the GDPR. Measures should, as appropriate, include:

  • pseudonymisation and encryption;
  • measures ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • measures ensuring the timely restoration of availability and access to personal data after an incident; and
  • measures ensuring a process for regularly auditing the effectiveness of the security measures.

In this context, it is commendable to adhere to the norms of the ISO27000 family.

To the extent that outsourcing implies a transfer of personal data outside of the EU/EEA to a country that is not deemed by the European Commission to offer an adequate level of protection, the third country transfer will, in principle, be prohibited unless adequate safeguards are provided (Articles 44 to 50 of the GDPR), such as:

  • the use of the so-called "standard contractual clauses" issued by the European Commission;
  • the conclusion of intra-group binding corporate rules (which requires a prior authorisation from the Luxembourg Data Protection Authority); or
  • for recipients situated in the United States, the Privacy Shield certification (Article 46 of the GDPR).

A number of exceptions can also be relied upon to justify a third country transfer, including, without limitation:

  • the unambiguous, explicit consent of the data subject;
  • the transfer being necessary for the execution of a contract between the data subject and the data controller or the implementation of pre-contractual measures taken in response to the data subject's request;
  • the conclusion or execution of a contract concluded in the interest of the data subject between the data controller and a third party; or
  • the establishment, exercise or defence of legal claims (Article 49 of the GDPR).

Secondly, in respect of outsourcing in the financial sector in particular, we point out that the following CSSF (Outsourcing) Circulars contain specific requirements on data processing and security:

  • Circulars 17/655 and 17/656 which have a different personal scope but contain similar provisions, with Circular 17/656 foreseeing more specific IT outsourcing requirements. These Circulars, for instance, require that institutions implement both a security monitoring process allowing them to be informed promptly of new vulnerabilities and a patch management procedure allowing timely correction of significant vulnerabilities. Furthermore, they require that the outsourcing contract contains a set of mandatory clauses in respect to data processing and security, such as relevant provisions regarding the accessibility, availability, integrity, privacy and safety of relevant data with a particular requirement that access to data and systems shall fulfil the principles of "need to know" and "least privilege".
  • The Cloud Circular, which applies instead of the above-mentioned Circulars 17/655 or 17/656 if the criteria mentioned in the Cloud Circular for the qualification as an outsourcing based on a cloud computing infrastructure are met. The Cloud Circular contains even more stringent conditions and, for instance, also requires that all data and systems of the outsourcee have to be erased definitively if the contract is terminated and that the financial institution must always be able to recover its data and systems in order to be able to continue its activities for reasons of business continuity in case of exceptional events or crisis.
  • Circular 11/504 regarding fraud and incidents due to external computer attacks. This Circular requires all establishments supervised by the CSSF to report as soon as possible to the CSSF any frauds and any incidents due to external computer attacks.

For reasons of completeness, we lastly point out that, in respect of operators of so-called "essential services" such as providers of digital infrastructures, credit institutions and entities active in the transport, health and energy sector, the Luxembourg NIS Act of 28 May 2019 ("the NIS Act"), implementing the EU Directive 2016/1148 on the Security of Network and Information Systems, sets out requirements in terms of security measures (for preventing risk, ensuring security of network and information systems and handling incidents) and mandatory notification of serious incidents to the relevant authorities.

Penalties for Breaches of Financial and Insurance Sector Outsourcing Regulations

Infringements of Luxembourg banking secrecy and professional secrecy in the insurance sector are criminally sanctioned with imprisonment of eight days to six months and with a fine of EUR500 to EUR5,000, whereby such fine is to be doubled for legal persons (Article 458 of the Luxembourg Criminal Code).

Furthermore, breaches of the outsourcing laws and regulations of the CSSF may be sanctioned by the CSSF with the following penalties (Article 63(2) of the Financial Sector Act):

  • a warning;
  • a reprimand;
  • a fine between EUR250 and EUR250,000; and/or
  • one or more of the following measures: a temporary or definitive prohibition on the execution of any number of operations or activities, as well as any other restrictions on the activities of the person or entity or a temporary or definitive prohibition on the participation in the profession by the de iure or de facto directors or senior management of persons or entities subject to the CSSF supervision.

Similarly, breaches of the outsourcing laws and regulations of the CAA may be sanctioned by the CAA with an administrative fine which shall not exceed EUR250,000 for insurance and reinsurance undertakings and EUR50,000 for executives of insurance and reinsurance undertakings. Furthermore, the CAA may impose the following sanctions instead of or on top of such administrative fine (Article 303 of the Insurance Sector Act):

  • a warning;
  • a reprimand;
  • prohibition to carry out certain transactions and any other limitation on the conduct of business; and/or
  • the temporary suspension of one or more of the undertaking’s executives.

Penalties for Breaches of the GDPR

Breaches of the obligations contained in the GDPR may be sanctioned by the competent data protection authority with fines up to 4% of the total worldwide turnover of the undertaking, which according to the French Data Protection Authority is to be calculated at group level (Article 83(2) of the GDPR).

Such administrative fines can be imposed on top of or instead of the following measures (Article 58(2) of the GDPR):

  • a warning;
  • a reprimand;
  • an order to comply with data subjects' requests to exercise their rights under the GDPR;
  • an order to bring a processing operation in line with the GDPR, where appropriate, in a specified manner and within a specified time frame;
  • an order of communication of a personal data breach to the concerned data subject;
  • an order to rectify or erase certain personal data or to restrict their processing; and/or
  • an order of suspension of data flows to a recipient in a third country or to an international organisation.

Penalties for Breaches of the NIS Act

Breaches of the data security obligations contained in the NIS Act may be sanctioned with one or more of the following:

  • a warning;
  • a reprimand; and/or
  • a fine which cannot exceed EUR125,000.

Penalties for Breaches of the Luxembourg Labour Code

In the context of transfer of undertaking, breaches of the information and consultation obligations towards the legal representatives of the employees may be sanctioned with a fine between EUR251 and EUR15,000 pursuant to Article L. 417-5 of the Luxembourg Labour Code, and up to EUR30,000 for legal persons pursuant to Article 36 of the Luxembourg Criminal Code. 

Breach of the prohibition of illegal lending of workers may be sanctioned with:

  • a fine between EUR500 and EUR10,000 pursuant to Article L. 134-3 of the Luxembourg Labour Code, and up to EUR20,000 for legal persons pursuant to Article 36 of the Luxembourg Criminal Code; and/or
  • in case of recidivism, imprisonment of two to six months and/or a fine between EUR1,250 and EUR12,500 pursuant to Article L. 134-3 of the Luxembourg Labour Code, and up to EUR25,000 for legal persons pursuant to Article 36 of the Luxembourg Criminal Code.

To the extent that outsourcing results in the processing of personal data by the outsourcee, meaning any information relating to an identified or identifiable natural person, the contract will at least impose upon the outsourcee, as processor, the obligations set out in Article 28 of the GDPR and detail the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subject, and the obligations and rights of the controller/outsourcing party.

In the event that personal data is intrinsic to the outsourcing, the outsourcing party may even want to consider contractually imposing further data security requirements such as a detailed list of security measures to be respected by the outsourcee, a data recovery plan, an unlimited liability for data protection breaches, etc.

Additional contractual clauses might be mandatory in the context of outsourcing in the financial sector. The following Circulars of the CSSF, read together with the 2019 Guidelines on outsourcing arrangements of the EBA, require the inclusion of mandatory clauses on data processing and security.

Circulars 17/655 and 17/656, which have a different personal scope but contain similar provisions (with Circular 17/656 providing for more specific IT outsourcing requirements), include the following mandatory clauses:

  • security of data and systems: where relevant, provisions regarding the accessibility, availability, integrity, privacy and safety of relevant data with a particular requirement that access to data and systems shall fulfil the principles of "need to know" and "least privilege";
  • access to data: provisions that ensure that the data that are owned by the outsourcing institution can be accessed in the case of the insolvency, resolution or discontinuation of business operations of the outsourcee;
  • transfer of outsourced function: specification of the treatment of data by the current outsourcee in the event of transfer of the outsourced function; and
  • data location: in the event of outsourcing of a critical or important function, the location(s) where the critical or important function will be provided and/or where relevant data will be kept and processed, including the possible storage location, and the conditions to be met, including a requirement to notify the outsourcing party if the outsourcee proposes to change the location(s).

The Cloud Circular 17/654, which applies instead of the above-mentioned Circulars 17/655 or 17/656 if the criteria mentioned in the Cloud Circular for the qualification as an outsourcing based on a cloud computing infrastructure are met, includes the following mandatory clauses:

  • data location: the contract must provide for resiliency of the cloud services in the EU (limited derogation options); and
  • termination: commitment of the outsourcee to definitively erase all data and systems within a reasonable time.

There is currently no standard supplier customer model in the jurisdiction of Luxembourg. However, for outsourcing agreements in the financial sector, cloud service providers tend to use standardised templates of addenda for outsourcing agreements in order to comply with the CSSF and EBA outsourcing requirements (especially when it comes to the grant of extra audit rights). Currently, the European Commission is looking into the issue of standard contractual clauses (SCC) for cloud outsourcing by financial institutions but it will probably take some years before there is a final draft in this respect.

The outsourcing contract models that are typically being used in Luxembourg as an alternative to the conclusion of a service contract with a third party consist of:

Service Contract with a Subsidiary

The customer is part of a group of companies and outsources certain activities to one of the subsidiaries or one of the other group entities which already exists or is specifically set up for this purpose.

Advantages

  • control in particular over the employees providing the services;
  • control in implementing procedures for the handling of intellectual property and confidential information;
  • specialisation in the specific fields of services; and
  • ability to manage day-to-day operations.

Disadvantages

  • time to implement;
  • start-up (sunk costs) and recurring costs need to be carefully calculated; and
  • lack of flexibility.

Joint Venture or Partnership

The customer sets up a joint venture or partnership with the supplier for the outsourced activity.

Advantages

  • control over the outsourced activity;
  • improvement of quality; and
  • possibility to provide services to third parties.

Disadvantages

  • complex to implement;
  • time to implement;
  • start-up (sunk costs) and recurring costs need to be carefully calculated;
  • lack of flexibility; and
  • complex exit.

Build-Operate-Transfer (“BOT”) Structure

This structure is a mixture of the above structures. The third party service provider, an independent contractor, initially establishes a dedicated team to build a service and starts operating it before transferring the service to the customer.

Advantages

  • quick implementation.

Disadvantages

  • possible complicated transition process; and
  • cost.

Both outsourcing and shared services are relied upon by companies in Luxembourg. Given the higher level of investment, especially at the beginning, of shared services versus outsourcing, we note that shared services are predominantly relied upon by multinationals and mostly targeted at recurring services that are closely connected to the core services of a business and therefore the control of which is of the utmost importance. In principle, these shared services are considered to be outsourcing arrangements and as such also fall within the scope of the CSSF Outsourcing Circulars.

In Luxembourg, several financial institutions had recourse to a so-called “independent group of persons (IGP)”, ie, a cost-sharing VAT exemption. The Court of Justice of the European Union ruled in its decisions of 21 September 2017, in three cases (C-605/15 Aviva, C-326/15 DNB BANKA and C-616/15 Commission v Germany), that this exemption is limited to activities in the public interest and does not apply to the financial and insurance sectors. Inevitably, this had an impact on how Luxembourg VAT subject entities in the financial and insurance sectors organise shared services on an intra-group level.

The customer can rely on the remedies that are available under general Luxembourg contract law. In the event of breach of contract by the supplier, the customer can be entitled to terminate the contract and seek damages before the competent court. The supplier will only be able to escape from damages if they are in good faith and are able to prove that the non-performance was due to an external cause, or they validly limited or excluded their liability in the contract. Under Luxembourg liability law, limitation or exclusion of liability clauses are valid to the extent that they:

  • do not erode the effects of the contract nor tarnish one of its essential obligations (meaning that they do not deprive the contract of its essence);
  • do not exclude an obligation of mandatory Luxembourg law (eg, the warranty of the seller for hidden defects, which could play a role in some service agreements, eg, despite the intangible character of software it would not be excluded that Luxembourg courts would follow the position of some French courts that the sale or licensing of software products (as applicable) does indeed fall under the scope of Articles 1641 of the Civil Code on hidden defects); and
  • do not exclude and/or limit liability for death or bodily harm or for wilful intent or personal fraud.

Obviously, the contract could include additional protections and remedies for the customer, such as specific contractual termination rights linked to certain types of breaches (eg, qualification of a data protection breach as a material breach that entitles the customer to immediately terminate the contract) as well as specific sanctions or penalty payments (eg, when the supplier does not attain the agreed service level set forth in the Service Level Agreement (SLA)). The parties could also agree to include in the contract the right for the customer to audit and benchmark the supplier's performance and to link a negative result to compensation mechanisms.

In order to protect the customer, the contract typically contains a predefined exit arrangement (including the recovery of data), a reversibility clause and an indemnification clause in the event of an IP right infringement claim. Furthermore, a supplier can be required to have its relevant potential liabilities covered by one or more insurances, such as a professional indemnity insurance, a product liability insurance or IT liability insurance, etc.

Finally, the CSSF Outsourcing Circulars and the 2019 Guidelines on outsourcing agreements of the EBA include several requirements that aim to protect the customers of outsourcing services, such as:

  • the obligation to establish an SLA in which the parties agree on service levels including precise quantitative and qualitative performance targets for the outsourced function to allow timely monitoring and corrective (re)action;
  • the reporting obligations of the outsourcee; and
  • the obligation to mention in the contract whether sub-outsourcing by subcontractor is permitted, etc.

Given that there are, in principle, no legal minimum or maximum terms for outsourcing contracts concluded with private sector entities, the termination rights of both the outsourcing party and the outsourcee are governed by general Luxembourg contract law. Luxembourg contract law makes a distinction between contracts of a definite duration and contracts of indefinite duration.

Contracts of a definite duration, on the one hand, can, in principle, only be terminated prior to the expiry of the term upon mutual consent or if a breach of the contract occurs that is attributable to the other party, provided that there is no external cause. Often the parties will nonetheless contractually provide for and detail such a termination right for breach and/or extend it to other events (eg, bankruptcy or convenience).

Contracts of an indefinite duration on the other hand can, in addition to the termination grounds set out above (mutual consent, breach or additional contractually stipulated termination rights), always be terminated by either party for convenience if a reasonable prior notice is given. This notice period can be contractually defined or will be determined taking into account the length and stability of the commercial relationship between the parties.

Again, the CSSF Outsourcing Circulars and the 2019 Guidelines on outsourcing agreements of the EBA include mandatory provisions relating to the termination of outsourcing agreements, such as

  • the prohibition of a contractual termination clause because of resolution actions, reorganisation measures, winding-up and/or insolvency related proceedings applied to the financial institution (outsourcing party); and
  • the possibility for the outsourcing party to terminate the outsourcing agreement where:
    1. the outsourcee is in breach of applicable law, regulations or contractual provisions;
    2. impediments capable of altering the performance of the outsourced function are identified;
    3. there are material changes affecting the outsourcing agreement or the outsourcee (eg, sub-outsourcing or changes of sub-contractors);
    4. there are weaknesses regarding the management and security of confidential, personal or otherwise sensitive data or information; and
    5. instructions are given by the CSSF (eg, in the event that the CSSF is, as a result of the outsourcing agreement, no longer in a position to effectively supervise the institution).

The concept of "indirect damages" is a common law rather than a continental law notion. Under Luxembourg liability law, only direct damages are, in principle, awarded. Luxembourg judges tend, however, to give a broad interpretation to the notion of direct damages so that it may also include damages which are typically considered as "indirect damages" in other jurisdictions (and especially in Anglo-Saxon jurisdictions). As a result, from a contractual point of view it is useful to:

  • from a supplier side, not only exclude liability for indirect damages, but also define the notion precisely so as to draw the demarcation lines for the Luxembourg judge and to avoid qualification by the Luxembourg judge of such damages as direct damages; and
  • from a customer side, avoid a definition of indirect damages so as to increase the chances that a Luxembourg judge would qualify a certain damage as a direct damage and award damages in respect thereof.

It is market practice in Luxembourg to contractually stipulate that loss of profit, goodwill and business qualify as indirect damages and to exclude liability for indirect damages. Furthermore, there is an increasing tendency for suppliers to contractually qualify "loss of data" as indirect damages, but depending on the type of services/products that the supplier renders this exclusion of liability may be rejected by Luxembourg judges. Under Luxembourg law, limitation or exclusion of liability clauses are only valid to the extent that they (amongst others) do not erode the effects of the contract nor tarnish one of its essential obligations (meaning that they do not deprive the contract of its essence).

Pursuant to Article 1134 of the Luxembourg Civil Code, all contracts need to be executed in good faith. The parties to an outsourcing contract have a duty to act in accordance with good faith and fair dealing throughout the entire duration of the contract. Based on this requirement of acting in good faith, courts can impose certain obligations on a contract party in order to ensure or restore a certain balance in the contractual relationship or to provide certain information. Courts can also make use of the concept to neutralise the unfair exercise of a contractual right by one of the parties.

Since outsourcing contracts are bilateral contracts and, thus, contain reciprocal obligations, each contracting party has the right to withhold performance of their obligations until the debtor has performed their obligations, without judicial intervention. This right does not need to be included in the contract for the creditor to be entitled to it. That being said, the contracting parties are nonetheless free to exclude this right in their outsourcing contract.

Being bilateral contracts, all outsourcing contracts also contain a tacit dissolution clause based on Article 1184 of the Luxembourg Civil Code, pursuant to which the creditor of a non-executed or inadequately executed obligation can bring an action to the court for the dissolution of the outsourcing contract. However, under certain strict conditions, the contracting parties may explicitly exclude this right in their contract.

Please note that there is, in principle, no implied or default warranty regime for most types of outsourced services unless the services result in a product (including software), in which case the default rules foreseeing a warranty for hidden defects within the meaning of Article 1641 of the Civil Code could potentially apply.

Employee transfers/usage for outsourcing should comply with the rules on transfer of undertakings and the illegal lending of workers.

Transfer of Undertakings

Article L. 127-1 et seq. of the Luxembourg Labour Code, based on the EU Directive 2001/23/EC of 12 March 2001, applies to employee transfers when the outsourcing qualifies as a transfer of undertaking. The law defines a transfer of undertaking as the transfer of an economic entity, retaining its own identity and thus an organisational autonomy after the transfer, that consists of an organised grouping of resources, particularly in terms of personnel or materials and equipment, with the objective of pursuing an essential or auxiliary economic activity. Luxembourg and EU case law interprets the concept of transfer of undertaking rather broadly. Whether or not a transfer qualifies as a transfer of undertaking is to be decided by a judge based on the factual circumstances on a case-by-case basis.

The following elements can be taken into account when evaluating whether the conditions of a transfer of undertaking are met:

  • the duration of any interruption or suspension of activities;
  • the value of any transferred intangible assets;
  • the degree of similarity of activities before and after the transfer;
  • the transfer of any tangible assets; and
  • the number of transferred employees (however, this criterion is less important when the outsourcing is based on assets rather than on human resources).

The main principles applying to the transfer of undertaking are, in general terms, the following:

  • all rights and obligations of the former employer are transferred to the new employer;
  • all rights of the employees on the date of the transfer must be maintained by the new employer;
  • the transfer of undertaking cannot lead, by itself, to the dismissal of an employee;
  • several information obligations are imposed on the former and new employer to notify the legal representatives of the employees before the actual transfer takes place; and
  • joint and several liability of transferor and transferee for employment obligations due before the transfer.

Illegal Lending of Workers

In accordance with Article L. 133 of the Luxembourg Labour Code, the lending of workers to a third party that exercises hierarchical authority over such worker is prohibited, save for staff provided by an authorised temporary staffing agency and exceptional circumstances, subject to ministerial approval.

In the event of illegal lending of workers, the consequences shall be the following:

  • labour agreement between the employee and the receiving undertaking;
  • joint liability of the providing and receiving undertaking for the payment of salaries and social contributions; and
  • possible imposition of fines (see 2.4 Penalties for Breach of Such Laws).

To the extent that the outsourcing leads to a transfer of undertakings in the sense of Article L. 127-1 et seq. of the Luxembourg Labour Code, both the former and new employer will need to fulfil certain information and consultation obligations towards the legal representatives of their employees before the actual transfer takes place, including the date and reasons of the transfer, its legal, economic and social consequences for the employees and the envisaged measures towards employees.

In the absence of employee representation (trade union or workers council), the law requires that the employees themselves are to be provided with specific preliminary and written information. The transferor must also notify the transferee of all the rights and obligations which will be transferred to the transferee, and must submit a copy of this notification to the Luxembourg Labour and Mines Inspectorate ("Inspection du Travail et des Mines").

Transfer of Undertakings

Market practice in Luxembourg is to, on the one hand, assess beforehand whether there is a risk that the outsourcing would qualify as a transfer of undertaking in the sense of Article L. 127-1 et seq. of the Luxembourg Labour Code and, if possible, to limit the risk. On the other hand, Luxembourg companies will try to limit the negative consequences of a possible requalification by inserting an indemnification clause for any prejudice resulting from a requalification.

Illegal Lending of Workers

Market practice in Luxembourg is to stipulate in the outsourcing agreement that the employees of the outsourcee remain, at all times, the employees of the outsourcee and that the outsourcing party does not exercise any hierarchical authority over these employees. This clause is then often complemented by an indemnification clause in respect of any prejudice caused by requalification as an illegal lending of workers.

General Luxembourg law applies to the transfer of movable or immovable assets or intellectual property. For any transfer of ownership of real estate, a notarial deed will, for instance, be needed. Depending on the type of intellectual property rights concerned, for instance copyright, the transfer or license of such right may require a written agreement. Usually, the outsourcing agreement will contain an intellectual property clause dealing with the ownership of the intellectual property rights owned prior to the outsourcing agreement, on the one hand, and the ownership of the rights created in the course of the outsourcing, on the other.

NautaDutilh Avocats Luxembourg

2, rue Jean Bertholet
L-1233 Luxembourg

+352 26 12 29 1

+352 26 12 29 90

ndlux@nautadutilh.com www.nautadutilh.com