The IT outsourcing market in Luxembourg is assessed at around EUR448 million, which represents 30% of the total ICT services market in Luxembourg (worth EUR1.5 billion). IT outsourcing appears to be one of the most common types of outsourcing activity and continues to grow every year.
Key market developments in IT outsourcing relate to the increasing use of cloud computing infrastructures. The Luxembourg regulatory authority in the financial sector, the CSSF ("Commission de Surveillance du Secteur Financier") released in 2017 a specific Cloud Circular, Circular 17/654, regarding IT outsourcing relying on a cloud computing infrastructure. In light of the release of the revised Guidelines on outsourcing arrangements by the European Banking Authority ("EBA") in February 2019, the Cloud Circular was updated by the CSSF in March 2019 with the release of Circular 19/714. The Guidelines on outsourcing arrangements from the EBA will certainly trigger a change in the CSSF regulations on (non-cloud based) outsourcing.
Furthermore, a recent survey on IT outsourcing in Luxembourg has shown that not only do IT contracts tend to be implemented for a shorter period of time, usually for a maximum of three years whereas the standard length for these contracts used to be five or seven years, but also that the average contract value of IT outsourcing agreements is decreasing and customers tend to replace single-sourcing contracts with multi-sourcing engagements.
It should be pointed out that cybersecurity and data protection are major concerns in the context of IT outsourcing. The Luxembourg government issued a National Cybersecurity Strategy in 2012 of which the latest version has been published for the 2018-2020 period.
In connection with the recent increase in outsourcing options permitted in the financial sector, we note an increasing belief in, and use of, business process (BP) outsourcing in this sector. BP outsourcing is mostly targeted at back-office operations, such as IT.
The Luxembourg government launched, in 2014, the Digital Lëtzebuerg programme, aiming to establish Luxembourg as a "smart nation" ready to deal with a digital society. In April 2015, the World Economic Forum awarded Luxembourg the ninth overall ranking in the Global Information Technology Report. In this context, Luxembourg established inter alia a strategic vision for artificial intelligence (AI). It acknowledges the speed at which AI technologies deliver new services and builds on Luxembourg's ambition to become a digital front-runner. AI is considered to be the facilitator between data and society's most valuable products and services. However, especially where AI services rely on personal data, data privacy and cybersecurity are of critical importance and increasingly need to be taken into account in the context of outsourcing activities.
Furthermore, AI could facilitate internal business processes, for example in companies or hospitals. The increasing use of AI by companies can lead to the insourcing of technologies and services that are currently outsourced. It is part of Luxembourg's strategic vision to make efforts to connect with relevant AI solutions and to insource technology and service providers from abroad, which already occurs in the context of financial services. In this respect, the CSSF released a white paper at the end of 2018 setting forth the trends of AI in the financial sector and highlighting points of attention detected from a (financial) regulatory perspective.
In the field of blockchain and smart contracts, market participants, especially in the financial and fund sectors, are engaged in proofs of concept, some of them within the relevant professional associations. On a more general note, the Luxembourg State is also actively looking into the matter and examining which use cases can run on blockchain technology. The State has been a driver of the Infrachain project, a State-sponsored non-profit organisation comprising service, consultancy and law firms as well as potential blockchain service clients, which builds a trustworthy infrastructure layer for blockchain applications.
There is no information applicable to this section.
There are no rules that specifically relate to outsourcing in a general manner, ie, that apply to any type of outsourcing, irrespective of the sector. That being said, for any type of outsourcing, it is strongly recommended to verify whether:
Outsourcing in the financial sector has traditionally been highly restricted due to the criminally sanctioned Luxembourg banking secrecy, ie, the obligation for Luxembourg financial institutions and their management and employees to "keep secret any information confided to them in the context of their professional activities or mandate" (Article 41(1) of the Act of 5 April 1993 on the financial sector, as amended ("the Financial Sector Act"), and Article 458 of the Luxembourg Criminal Code).
By means of the recent Luxembourg Act of 27 February 2018 ("the Financial and Insurance Sector Outsourcing Act"), which amended Article 41 of the Financial Sector Act, the outsourcing options have been significantly increased in the sense that any outsourcing (external and intra-group) to non-regulated Luxembourg companies and foreign companies is now also (explicitly) allowed, provided there is a service contract in place and there is acceptance of the clients in accordance with the law or the modalities agreed upon between the parties.
Such acceptance should extend to the outsourcing of the relevant services, the type of information transmitted within the context of such outsourcing and the country of establishment of the provider of the outsourced services. Furthermore, the persons having access to confidential information covered by the professional secrecy obligation must be subject to a professional secrecy obligation or be bound by a non-disclosure agreement.
The new rules allow for some flexibility in relation to the prior acceptance of the concerned clients which may be obtained – if there is no specific legal requirement – pursuant to the methods contractually agreed between the parties and, hence, implied acceptance could, under certain circumstances, be allowed. The new rules give a legal basis to the existing legal theory and position of the CSSF that outsourcing is possible if the clients of the outsourcing financial institutions have consented to the outsourcing and have thus waived the benefit of the professional secrecy.
Stakeholders in the financial sector should further pay close attention to the different CSSF Circular provisions dealing with or having an impact on (IT) outsourcing, such as:
The above-mentioned CSSF Outsourcing Circulars set out specific requirements of central administration and internal governance that must be met in the event of an outsourcing, such as making sure that the outsourcing:
At EU level, the above-mentioned CSSF Outsourcing Circulars are complemented by the revised Guidelines on outsourcing arrangements of the EBA which were released on 25 February 2019 and which revise and replace both the current guidelines on outsourcing arrangements, which date back to 2006, and the EBA guidelines for the use of cloud service providers by financial institutions dating back to 2017. The EBA outsourcing guidelines form a significant layer of requirements on top of the CSSF Outsourcing Circulars requirements.
For reasons of completeness, we lastly point out that companies in the financial sector must also comply with Directive 2014/65/EU of 15 May 2014 (MiFID II) and its Luxembourg implementation law of 30 May 2018 when outsourcing call-recording.
A similar, criminally sanctioned, professional secrecy obligation exists for insurance companies (Article 300 of the Luxembourg Act of 7 December 2015 on the insurance sector, as amended ("the Insurance Sector Act"), and Article 458 of the Luxembourg Criminal Code). The Financial and Insurance Sector Outsourcing Act foresees a similar enlargement of the exceptions to the professional secrecy obligation for insurance companies. Unlike the CSSF, however, the Commissariat aux Assurances ("CAA"), which supervises and regulates the insurance sector, has not issued any outsourcing regulations. This might change in the near future, as the European Insurance and Occupational Pensions Authority (EIOPA) launched a consultation on guidelines on outsourcing to cloud service providers in July 2019, which may result in more detailed regulations.
Firstly, to the extent that the outsourcing results in the processing of personal data, meaning any information relating to an identified or identifiable natural person, by the outsourcee, the GDPR will come into play and a contract must be entered into between the data controller (typically the outsourcing party) and the data processor (typically the outsourcee) which must contain a mandatory set of clauses (Article 28 of the GDPR). The mandatory set of clauses includes a clause that requires the processor to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk as set out in Article 32 of the GDPR. Measures should, as appropriate, include:
In this context, it is advisable to adhere to the standards of the ISO 27000 family.
To the extent that outsourcing implies a transfer of personal data outside of the EU/EEA to a country that is not deemed by the European Commission to offer an adequate level of protection, the third country transfer will, in principle, be prohibited unless adequate safeguards are provided (Articles 44 to 50 of the GDPR), such as:
A number of exceptions can also be relied upon to justify a third country transfer, including, without limitation:
Secondly, in respect of outsourcing in the financial sector in particular, we point out that the following CSSF (Outsourcing) Circulars contain specific requirements on data processing and security:
For reasons of completeness, we lastly point out that, in respect of operators of so-called "essential services" such as providers of digital infrastructures, credit institutions and entities active in the transport, health and energy sector, the Luxembourg NIS Act of 28 May 2019 ("the NIS Act"), implementing the EU Directive 2016/1148 on the Security of Network and Information Systems, sets out requirements in terms of security measures (for preventing risk, ensuring security of network and information systems and handling incidents) and mandatory notification of serious incidents to the relevant authorities.
Penalties for Breaches of Financial and Insurance Sector Outsourcing Regulations
Infringements of Luxembourg banking secrecy and professional secrecy in the insurance sector are criminally sanctioned with imprisonment of eight days to six months and with a fine of EUR500 to EUR5,000, whereby such fine is to be doubled for legal persons (Article 458 of the Luxembourg Criminal Code).
Furthermore, breaches of the outsourcing laws and regulations of the CSSF may be sanctioned by the CSSF with the following penalties (Article 63(2) of the Financial Sector Act):
Similarly, breaches of the outsourcing laws and regulations of the CAA may be sanctioned by the CAA with an administrative fine which shall not exceed EUR250,000 for insurance and reinsurance undertakings and EUR50,000 for executives of insurance and reinsurance undertakings. Furthermore, the CAA may impose the following sanctions instead of or on top of such administrative fine (Article 303 of the Insurance Sector Act):
Penalties for Breaches of the GDPR
Breaches of the obligations contained in the GDPR may be sanctioned by the competent data protection authority with fines up to 4% of the total worldwide turnover of the undertaking, which according to the French Data Protection Authority is to be calculated at group level (Article 83(2) of the GDPR).
Such administrative fines can be imposed on top of or instead of the following measures (Article 58(2) of the GDPR):
Penalties for Breaches of the NIS Act
Breaches of the data security obligations contained in the NIS Act may be sanctioned with one or more of the following:
Penalties for Breaches of the Luxembourg Labour Code
In the context of transfer of undertaking, breaches of the information and consultation obligations towards the legal representatives of the employees may be sanctioned with a fine between EUR251 and EUR15,000 pursuant to Article L. 417-5 of the Luxembourg Labour Code, and up to EUR30,000 for legal persons pursuant to Article 36 of the Luxembourg Criminal Code.
Breach of the prohibition of illegal lending of workers may be sanctioned with:
To the extent that outsourcing results in the processing of personal data by the outsourcee, meaning any information relating to an identified or identifiable natural person, the contract will at least impose upon the outsourcee, as processor, the obligations set out in Article 28 of the GDPR and detail the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subject, and the obligations and rights of the controller/outsourcing party.
In the event that personal data is intrinsic to the outsourcing, the outsourcing party may even want to consider contractually imposing further data security requirements such as a detailed list of security measures to be respected by the outsourcee, a data recovery plan, an unlimited liability for data protection breaches, etc.
Additional contractual clauses might be mandatory in the context of outsourcing in the financial sector. The following Circulars of the CSSF, read together with the 2019 Guidelines on outsourcing arrangements of the EBA, require the inclusion of mandatory clauses on data processing and security.
Circulars 17/655 and 17/656, which have a different personal scope but contain similar provisions (Circular 17/656 foreseeing more specific IT outsourcing requirements), include the following mandatory clauses:
Cloud Circular 17/654, which applies instead of the above-mentioned Circulars 17/655 or 17/656 if the criteria set out in the Cloud Circular for qualification as an outsourcing based on a cloud computing infrastructure are met, includes the following mandatory clauses:
There is currently no standard supplier-customer model in Luxembourg. However, for outsourcing agreements in the financial sector, cloud service providers tend to use standardised template addenda to outsourcing agreements in order to comply with the CSSF and EBA outsourcing requirements (especially when it comes to the grant of extra audit rights). The European Commission is currently looking into standard contractual clauses (SCC) for cloud outsourcing by financial institutions, but it will probably take some years before there is a final draft in this respect.
The outsourcing contract models that are typically being used in Luxembourg as an alternative to the conclusion of a service contract with a third party consist of:
Service Contract with a Subsidiary
The customer is part of a group of companies and outsources certain activities to one of the subsidiaries or one of the other group entities which already exists or is specifically set up for this purpose.
Joint Venture or Partnership
The customer sets up a joint venture or partnership with the supplier for the outsourced activity.
Build-Operate-Transfer ("BOT") Structure
This structure is a mixture of the above structures. The third party service provider, an independent contractor, initially establishes a dedicated team to build a service and starts operating it before transferring the service to the customer.
Both outsourcing and shared services are relied upon by companies in Luxembourg. Given the higher level of investment required for shared services compared to outsourcing, especially at the outset, we note that shared services are predominantly relied upon by multinationals and mostly targeted at recurring services that are closely connected to the core services of a business, and over which control is therefore of the utmost importance. In principle, these shared services are considered to be outsourcing arrangements and as such also fall within the scope of the CSSF Outsourcing Circulars.
In Luxembourg, several financial institutions had recourse to a so-called "independent group of persons (IGP)", ie, a cost-sharing VAT exemption. The Court of Justice of the European Union decided in its decisions of 21 September 2017, in three cases (C-605/15 Aviva, C-326/15 DNB BANKA and C-616/15 Commission v Germany), that this exemption is limited to activities in the public interest and does not apply to the financial and insurance sectors. Inevitably, this had an impact on how Luxembourg VAT-subject entities in the financial and insurance sectors organise shared services at an intra-group level.
The customer can rely on the remedies that are available under general Luxembourg contract law. In the event of breach of contract by the supplier, the customer can be entitled to terminate the contract and seek damages before the competent court. The supplier will only be able to escape from damages if they are in good faith and are able to prove that the non-performance was due to an external cause, or they validly limited or excluded their liability in the contract. Under Luxembourg liability law, limitation or exclusion of liability clauses are valid to the extent that they:
Obviously, the contract could include additional protections and remedies for the customer, such as specific contractual termination rights linked to certain types of breaches (eg, qualification of a data protection breach as a material breach that entitles the customer to immediately terminate the contract) as well as specific sanctions or penalty payments (eg, when the supplier does not attain the agreed service level set forth in the Service Level Agreement (SLA)). The parties could also agree to include in the contract the right for the customer to audit and benchmark the supplier's performance and to link a negative result to compensation mechanisms.
In order to protect the customer, the contract typically contains a predefined exit arrangement (including the recovery of data), a reversibility clause and an indemnification clause in the event of an IP right infringement claim. Furthermore, a supplier can be required to have its relevant potential liabilities covered by one or more insurances, such as professional indemnity, product liability or IT liability insurance.
Finally, the CSSF Outsourcing Circulars and the 2019 Guidelines on outsourcing arrangements of the EBA include several requirements that aim to protect the customers of outsourcing services, such as:
Given that there are, in principle, no legal minimum or maximum terms for outsourcing contracts concluded with private sector entities, the termination rights of both the outsourcing party and the outsourcee are governed by general Luxembourg contract law. Luxembourg contract law makes a distinction between contracts of a definite duration and contracts of indefinite duration.
Contracts of a definite duration, on the one hand, can, in principle, only be terminated prior to the expiry of the term upon mutual consent or if a breach of the contract occurs that is attributable to the other party, provided that there is no external cause. Often the parties will nonetheless contractually provide for and detail such a termination right for breach and/or extend it to other events (eg, bankruptcy or convenience).
Contracts of an indefinite duration on the other hand can, in addition to the termination grounds set out above (mutual consent, breach or additional contractually stipulated termination rights), always be terminated by either party for convenience if a reasonable prior notice is given. This notice period can be contractually defined or will be determined taking into account the length and stability of the commercial relationship between the parties.
Again, the CSSF Outsourcing Circulars and the 2019 Guidelines on outsourcing arrangements of the EBA include mandatory provisions relating to the termination of outsourcing agreements, such as:
The concept of "indirect damages" is a common law rather than a continental law notion. Under Luxembourg liability law, only direct damages are, in principle, awarded. Luxembourg judges tend, however, to give a broad interpretation to the notion of direct damages, so that it may also include damages which are typically considered "indirect damages" in other jurisdictions (especially Anglo-Saxon jurisdictions). As a result, from a contractual point of view it is useful to:
It is market practice in Luxembourg to contractually stipulate that loss of profit, goodwill and business qualify as indirect damages and to exclude liability for indirect damages. Furthermore, there is an increasing tendency for suppliers to contractually qualify "loss of data" as indirect damages, but depending on the type of services/products that the supplier renders this exclusion of liability may be rejected by Luxembourg judges. Under Luxembourg law, limitation or exclusion of liability clauses are only valid to the extent that they (amongst others) do not erode the effects of the contract nor tarnish one of its essential obligations (meaning that they do not deprive the contract of its essence).
Pursuant to Article 1134 of the Luxembourg Civil Code, all contracts need to be executed in good faith. The parties to an outsourcing contract have a duty to act in accordance with good faith and fair dealing throughout the entire duration of the contract. Based on this requirement of acting in good faith, courts can impose certain obligations on a contract party in order to ensure or restore a certain balance in the contractual relationship or to provide certain information. Courts can also make use of the concept to neutralise the unfair exercising of a contractual right by one of the parties.
Since outsourcing contracts are bilateral contracts and, thus, contain reciprocal obligations, each contracting party has the right to withhold performance of their obligations until the debtor has performed their obligations, without judicial intervention. This right does not need to be included in the contract for the creditor to be entitled to it. That being said, the contracting parties are nonetheless free to exclude this right in their outsourcing contract.
Being bilateral contracts, all outsourcing contracts also contain a tacit dissolution clause based on Article 1184 of the Luxembourg Civil Code, pursuant to which the creditor of a non-executed or inadequately executed obligation can bring an action to the court for the dissolution of the outsourcing contract. However, under certain strict conditions, the contracting parties may explicitly exclude this right in their contract.
Please note that there is, in principle, no implied or default warranty regime for most types of outsourced services, unless the services result in a product (including software), in which case the default rules providing a warranty for hidden defects within the meaning of Article 1641 of the Civil Code could potentially apply.
Employee transfers/usage for outsourcing should comply with the rules on transfer of undertakings and the illegal lending of workers.
Transfer of Undertakings
Article L. 127-1 et seq. of the Luxembourg Labour Code, based on the EU Directive 2001/23/EC of 12 March 2001, applies to employee transfers when the outsourcing qualifies as a transfer of undertaking. The law defines a transfer of undertaking as the transfer of an economic entity, retaining its own identity and thus an organisational autonomy after the transfer, that consists of an organised grouping of resources, particularly in terms of personnel or materials and equipment, with the objective of pursuing an essential or auxiliary economic activity. Luxembourg and EU case law interprets the concept of transfer of undertaking rather broadly. Whether or not a transfer qualifies as a transfer of undertaking is to be decided by a judge based on the factual circumstances on a case-by-case basis.
The following elements can be taken into account when evaluating whether the conditions of a transfer of undertaking are met:
The main principles applying to the transfer of undertaking are, in general terms, the following:
Illegal Lending of Workers
In accordance with Article L. 133 of the Luxembourg Labour Code, the lending of workers to a third party that exercises hierarchical authority over such worker is prohibited, save for staff provided by an authorised temporary staffing agency and exceptional circumstances, subject to ministerial approval.
In the event of illegal lending of workers, the consequences shall be the following:
To the extent that the outsourcing leads to a transfer of undertaking in the sense of Article L. 127-1 et seq. of the Luxembourg Labour Code, both the former and the new employer will need to fulfil certain information and consultation obligations towards the legal representatives of their employees before the actual transfer takes place, covering the date of the transfer, the reasons for it, its legal, economic and social consequences for the employees and the measures envisaged towards employees.
In the absence of employee representation (trade union or workers council), the law requires that the employees themselves are to be provided with specific preliminary and written information. The transferor must also notify the transferee of all the rights and obligations which will be transferred to the transferee, and must submit a copy of this notification to the Luxembourg Labour and Mines Inspectorate ("Inspection du Travail et des Mines").
Transfer of Undertakings
Market practice in Luxembourg is to, on the one hand, assess beforehand whether there is a risk that the outsourcing would qualify as a transfer of undertaking in the sense of Article L. 127-1 et seq. of the Luxembourg Labour Code and, if possible, to limit the risk. On the other hand, Luxembourg companies will try to limit the negative consequences of a possible requalification by inserting an indemnification clause for any prejudice resulting from a requalification.
Illegal Lending of Workers
Market practice in Luxembourg is to stipulate in the outsourcing agreement that the employees of the outsourcee remain, at all times, the employees of the outsourcee and that the outsourcing party does not exercise any hierarchical authority over these employees. This clause is then often complemented by an indemnification clause in respect of any prejudice caused by requalification as an illegal lending of workers.
General Luxembourg law applies to the transfer of movable or immovable assets or intellectual property. For any transfer of ownership of real estate, for instance, a notarial deed will be needed. Depending on the type of intellectual property rights concerned, for instance copyright, the transfer or licence of such rights may require a written agreement. Usually, the outsourcing agreement will contain an intellectual property clause dealing with the ownership of the intellectual property rights held prior to the outsourcing agreement, on the one hand, and the ownership of the rights created in the course of the outsourcing, on the other.