Contributed By Luther Rechtsanwaltsgesellschaft mbH (Cologne)
Apart from specific sectors such as healthcare and banking and finance, and excepting a number of rules protecting employees’ rights, German law allows parties comparative freedom in how they choose to structure an outsourcing project. If and to the extent that an outsourcing concerns personal data (as is almost always the case), specific rules must be obeyed under the data protection framework, namely the GDPR, which applies throughout the EU.
General civil law (civil code/commercial code) is relevant for fundamental aspects such as performance, consideration, warranty and liability. An outsourcing project is made up of an abundance of individual services that must be assigned to the contract types regulated in the German civil code (BGB):
If the outsourcing provider is contracted to achieve a specific goal, the law on contracts for work and services applies. If, however, it is only contracted to perform one action, ie, merely to make an effort (eg, to operate a call centre), the service is assessed in accordance with the provisions of the service contract. Accordingly, contracts should provide for clear language as to expectations and consequences in cases of poor performance or failure.
Cloud computing (the outsourcing of in-house computing processes to external service providers) is already being used by numerous financial institutions, particularly in the banking sector. Because this involves the outsourcing of sensitive information processing, financial service providers must not only comply with the legal requirements of the GDPR; in the banking sector, §25a of the German Banking Act (KWG) and §17 of the German Money Laundering Law (GWG) must also be observed. These provisions contain obligations under banking supervisory law to introduce more precisely defined security systems that guarantee security when outsourcing sensitive information processes. For IT security, a proper business organisation must be in place, in particular appropriate and effective risk management. Another legal source for the protection of information technology is the IT Security Act (BSIG). According to §8a paragraph 1 sentence 1 of the BSIG, operators of critical infrastructure must take appropriate organisational and technical precautions to avoid disruptions to the availability and confidentiality of their information technology systems. Infrastructure from sectors such as energy, finance and insurance, as well as information technology and telecommunications, is regarded as potentially critical.
Besides those relating to outsourcing in the supply chain or logistics, a number of sector-specific legal restrictions establish specific measures to be obeyed by the provider, for example in the storage of food or medicine. Since customers remain responsible for any non-compliance by the outsourcing provider, it is of utmost importance to include such measures in the contract.
When processing data, it must be taken into account whether the outsourcing involves a data transfer or only so-called order processing (processing on behalf of the controller). The concept of data transfer is regulated in Article 4 paragraph 2 of the GDPR. During order processing, personal data are disclosed by the controller (the responsible body) to other persons or third parties. In the case that the provider undertakes data processing on behalf of the customer as data controller, it is mandatory to conclude a separate data processing agreement in accordance with Article 28 of the GDPR.
For the legality of data transfer outside the EU or EEA, the general principles of Article 44 of the GDPR must be observed. If data leaves the scope of EU data protection law, there is a risk of unrestricted use of the data in the country of the recipient as well as uncontrolled return to the EU. For the transfer of personal data to a recipient in a third country, the transfer must not only comply with the other provisions of the GDPR (eg, an appropriate level of protection), but at least one of the conditions of authorisation in Articles 45 to 49 of the GDPR must also be met.
According to Article 84 of the GDPR, sanctions for violations of the data protection framework must be effective, proportionate and dissuasive. Depending on the circumstances of the individual case, fines are imposed in addition to or instead of measures pursuant to Article 58 paragraph 2 of the GDPR. Such measures may include, for example, reprimands; instructions to adapt data processing to legal requirements; and/or temporary or definitive prohibition of data processing. There is a catalogue of criteria in Article 83 paragraph 2 (a) to (k) of the GDPR for the assessment of sanctions. The maximum fine amounts to up to EUR 20 million, or up to 4% of the total annual turnover achieved worldwide in the previous financial year, whichever is higher. It is worth noting that the annual turnover of the entire group, and not that of the individual legal entity, applies. Further, it should be noted that a breach of data protection law will commonly be interpreted as unfair competition, entitling competitors to take legal action (including compensation of damages).
On the one hand, the provider must undertake to comply with specific technical and organisational measures and to tolerate audits of that compliance. Contracts need to provide detailed descriptions of the provider's deliverables. On the other hand, customers are often unable to define their demands clearly, which sometimes leads to conflicts in practice.