Large Korean companies will often outsource their Information Technology (IT) functions to one of their affiliated companies which will implement and maintain their IT systems as a whole, whereas smaller companies will often opt to outsource these functions through a subcontracting agreement with a company that specialises in IT implementation and maintenance. Based on recent developments in IT in the business sector, in addition to traditional IT support and maintenance, the scope of IT outsourcing has expanded to include cloud computing, protection of personal information and protection from virus and ransomware.
Business Process (BP) outsourcing is a continuously growing area in the Korean market. In the past, Korean companies tried to implement a complete BP system in which the BP system, from A to Z, could be managed within the company. However, due to the increasing complexities of business processes, and the need to cut down on costs, Korean companies began to outsource their BP as well. Korean companies began to outsource their ancillary functions such as customer service (eg, call centre services, etc), advertising, security, and cleaning to companies specialising in those specific areas. Thereafter, Korean companies began to outsource functions which require professional knowledge and advice such as, amongst other things, the analysis of customer and business trends, research on the status of the global market and competitors, and expansion of business.
With the introduction of new technology (eg, Artificial Intelligence (AI), robotics, blockchain, smart contracts), the market is inevitably undergoing rapid, various changes. Tasks traditionally outsourced to and handled by human workers (eg, answering customers’ phone inquiries, etc) are now being handled by AI.
Notwithstanding the foregoing, although new technology may be replacing more simple and repetitive tasks, new jobs which involve the implementation, maintenance, and creation of new technological services have been on the rise. In fact, many companies try to incorporate such new technology in their businesses in order to stay competitive. The job of installing, operating, and managing a system that enables the implementation of new technology, such as AI and blockchain, and incorporating this system into a company’s business requires sophisticated and special skills, which results in the increased need for the task to be outsourced to a third party with the requisite knowledge.
In other words, outsourcing of simple tasks in the existing industry is declining whereas outsourcing relevant to new technology is steadily on the rise. In particular, Korea’s launch of 5G technology in 2019, the first in the world, has further upgraded the data/digital communication environment, making it easier to perform tasks using AI, smart contracts, etc. As a result, incentives for outsourcing using such technology have been steadily increasing.
Companies are struggling to keep up with the increasing competition triggered by economic globalisation, and the labour market is also rapidly changing due to technological development. Companies are increasingly avoiding direct employment of workers, and are using different means to boost productivity and competitiveness. In this regard, companies have been using in-house subcontracting to increase its work force without having the burden of directly hiring workers.
An in-house subcontracting arrangement involves the company (the “primary contractor”) entering into a subcontracting agreement with another company (the “subcontracting company”) that will provide workers who will work on the primary contractor’s premises. Under this arrangement, the subcontracting company is the employer of the workers, and the primary contractor must not directly supervise or control the subcontracted workers., meaning that, any instructions or work duties must come through the subcontracting company and not the primary contractor. If this structure is not strictly followed, there is a chance that the arrangement will be viewed as an illegal dispatch, in which case, the obligations and protections under the Act on the Protection of Dispatched Workers will apply.
As a result, due to the complicated structure of in-house subcontracting, labour disputes often occur surrounding this issue, and many people have been advocating for the ban on in-house subcontracting. Recently, the courts as well as the government (Ministry of Employment & Labor) have been applying the dispatch laws more strictly on in-house subcontracting cases, and have been leaning towards protecting the employees of the in-house subcontractors more fervently.
As a result, due to the complicated structure of in-house subcontracting, labour disputes often occur surrounding this issue, and many people have been calling for the ban on in-house subcontracting. Recently, the courts as well as the government (Ministry of Employment & Labour) have been applying the dispatch laws more strictly on in-house subcontracting cases, and have been leaning towards protecting the employees of the in-house subcontractors more fervently.
In Korea, there is no law that specifically regulates outsourcing. Typically, an outsourcing arrangement involves a subcontract in which a party will agree to perform a task and the other party will compensate the performing party in return, or a mandate under which a party will entrust the other party with the management of its business, etc, and the other party consents thereto. Therefore, based on the structure of the outsourcing, it is highly likely to be subject to the Civil Act of Korea provided, however, that applicable laws and regulations may vary depending on the business location where the outsourcing takes place and the impact that the outsourcing may have on labour relations or on the personal information and data of customers.
In addition, outsourcing is prohibited for certain tasks prescribed by law, such as seamen's jobs (in accordance with the Seafarers Act), harmful or hazardous jobs (as prescribed by the Occupational Safety and Health Act), medical personnel or nursing assistant services (defined in the Medical Service Act) or driving services for passenger transport businesses (under the Passenger Transport Service Act). Also, if the outsourcing involves construction work, special rules pursuant to the Framework Act on the Construction Industry will apply and supersede certain provisions under the subcontract agreement which is subject to the Civil Act. For example, the contractor must provide an estimated period of time regarding the construction work and must subcontract the worker for the entire period of construction, which includes the bidding process prior to the initiation of construction work.
If a company uses an employee dispatched by an outsourcing agency, the Act on the Protection of Temporary and Part-time Workers shall be applicable. In such case, the work to be performed by the dispatched employee, the outsourcing period, etc, will be regulated by the aforementioned Act. Even if such dispatch is disguised as an outsourcing arrangement in an attempt to circumvent the restrictions of the Act, the arrangement may be recognised as a de facto dispatch arrangement.
Further, if customers’ personal information is infringed upon as a consequence of outsourcing, a wide range of regulations pursuant to the Personal Information Protection Act may apply.
If one of the parties to the outsourcing agreement is the government, the Act on Contracts to which the State is a Party (the “State Contract Act”) will be applicable. Under the State Contract Act, the outsourcing contract (or any procurement contract) must be subject to fair and open bidding. The contract should be executed by the parties on an equal footing, and each party must perform its contractual obligations according to the principle of good faith. Bidders and parties to the contract must pledge not to provide or accept illicit offers of money, valuables, entertainment, etc, and stipulate that any violations thereof may result in cancellation or termination of the accepted bid.
Fair Transactions in Subcontracting Act
Where a party entrusts another party with such tasks as manufacturing (including processing), repair, construction, etc, the Fair Transactions in Subcontracting Act (the “Subcontracting Act”) will be applicable. Under the Subcontracting Act, the principal contractor must not attach terms and conditions that unfairly violate or restrict a subcontractor’s interests to a contract. Also, a principal contractor shall not make an agreement at a price lower than the ordinary price required for the subject matter identical or similar to the subject matter of the subcontracting agreement.
Financial institutions may only use cloud computing services for processing of non-sensitive information (ie, information that does not involve personal credit report).
Medical institutions are only allowed to use cloud computing services that meet government mandated standards.
The overarching law relating to protection of personal information called the Personal Information Protection Act (PIPA) is relevant here because most data would fall under the purview of “personal information” protected under PIPA.
PIPA, in terms of its basic structure, defines “personal information” to mean information pertaining to a living individual, which contains information identifying a specific person such as a name, an individual identification/registration number, images, or other similar information (including information that does not, by itself, make it possible to identify a specific person but that which enables the recipient of the information to easily identify such person if combined with other information). In addition, “sensitive information” as well as “unique identification information” also fall under the scope of “personal information”.
“Sensitive information” is defined as personal data consisting of information relating to an individual’s thoughts or creed, history regarding membership in a political party or labour union, political views, health care and sexual life, etc, that may have been obtained through medical examinations, criminal records, etc. “Unique identification information” refers to identifying information uniquely assigned to each individual to differentiate them from others, such as social security number, passport number, driver’s license number, alien registration number, etc.
PIPA regulates the collection and use of personal information as well as the provision of such personal information to third parties who are entrusted to handle this information. Article 17(3) of PIPA prescribes that a personal information controller (data controller) must obtain the consent of the data subject in order to “provide or share” this personal information with a third party. Moreover, a personal information controller (data controller) must inform the data subject of the following matters when obtaining the data subject’s consent:
Personal Data Transfer
With respect to personal data transfer in the context of “outsourcing” (outsourcing personal information processing to a third party, including a third party overseas), Article 26(1) of PIPA requires that the personal information controller (data controller) must use a written form stating the following matters:
Further, according to Article 29 of PIPA, a personal information controller (data controller) must formulate an internal administration plan, keep access records, and take technical, administrative and physical measures necessary for ensuring safety in order to prevent personal information from loss, theft, divulgence, forgery, alteration or damage.
Medical institutions are allowed to upload medical records electronically onto an external cloud computing system, provided that the cloud computing service has security and protection measures, such as CCTV/video surveillance, etc. If electronic medical records are used without the consent of the data subject or disclosed in violation of the law, criminal penalties may be imposed. Further, under the Act on the Development of Cloud Computing and Protection of its Users, if any violation is not disclosed, additional fines may be imposed.
Financial institutions are allowed to upload only non-sensitive information (ie, information that does not involve personal credit report or unique identification information) onto an external cloud computing system, provided, however, the cloud computing service must be equipped with the necessary security and protection measures. If this information is used without the consent of the data subject or disclosed in violation of the law, criminal penalties may be imposed.
Contractors are prohibited from outsourcing all or significant portions of its construction work. In principle, a subcontractor may not re-subcontract the same work that the contractor has entrusted it with. These violations may be subject to criminal penalty.
Fair Transactions in Subcontracting Act
Under the Subcontracting Act, a principal contractor shall not attach terms or conditions that unfairly violate or restrict a subcontractor’s interests to a contract. Any violations thereof are subject to a fine of up to two times the amount of the subcontract payment. In addition, criminal penalties may be imposed.
Further, if a principal contractor makes an agreement at a price lower than the ordinary price required for the subject matter identical or similar to the subject matter of the subcontracting agreement, the principal contractor may be subject to a fine of up to two times the amount of the subcontract payment.
There is no particular law that regulates outsourcing of human resources in Korea. However, because “worker dispatch” is a highly regulated area in Korea, the outsourcing arrangement must be structured carefully to avoid the possibility of being deemed so.
The use of dispatched workers is subject to limitations under the Protection of Dispatched Workers Act (the “Dispatched Workers Act”). There is a distinction between “outsourced workers” and “dispatched workers”. Outsourced workers are those employed by an outsourcing company who are assigned to perform work for another company, but remain under the supervision and command of the outsourcing company. Outsourced workers can be distinguished from dispatched workers, who are employed by the dispatching company and perform work for another company under the supervision and command of the receiving company (and not the dispatching company). If outsourced workers are supervised by the receiving company (and not the outsourcing company), they are considered de facto dispatched workers, in which case, the Dispatched Workers Act applies.
A “dispatched worker” must be employed by a licensed dispatching company, cannot be dispatched to work in a direct production line, and can only be dispatched to engage in one of 32 specified business roles set out in Section 2 of the Enforcement Decree of the Dispatched Workers Act, such as general assistance with office work, building maintenance services and security services. Further, where a dispatched worker has worked continuously at the same company for more than two years or where a company has received the services of a dispatched worker in violation of the Dispatched Workers Act, the company is required to employ the worker as its employee, unless the worker objects to or the company has sufficient grounds for declining to employ the worker.
In addition to having to hire such workers, violation of the Dispatched Workers Act in relation to its use of outsourced workers (who may be deemed de facto dispatched workers) may be subject to a criminal fine of up to KRW30 million (or imprisonment of the relevant director or officer involved, for up to three years).
If a data breach causes a data subject’s personal data to be lost, stolen, or leaked, the data subject may seek damages from the data handler if there has been negligence or wilful misconduct on the part of the data handler. Data subjects are not required to prove the amount of damages they suffered, and the data subject may seek damages from the data handler up to KRW3 million. Further, the court can order the data handler to compensate the data subject up to three times the actual damages incurred if the data subject's personal data was lost, stolen, or leaked due to the data handler's gross negligence.
If the lost, stolen, or leaked data involves the data subject’s credit report, the court can order the credit data handler to compensate the data subject up to five times the actual damages incurred due to the data handler’s gross negligence or wilful misconduct.
In Korea, the three types of contract models mainly utilised for outsourcing include spin-off, business transfer, and asset transfer.
In order for the spin-off procedure to commence, the original company’s board and shareholders must approve a “spin-off plan” (Spin-off Plan) which sets forth all assets, rights, liabilities, obligations and relationships of any monetary value (including government licences and approvals, employment and other contractual relationships and lawsuits) associated with the business subject to the spin-off to the outsourced company. Pursuant to the Spin-off Plan, these listed assets, rights, liabilities, obligations, approvals, contracts, lawsuits, etc, relating to the business unit for spin-off, will all be succeeded automatically by law to the outsourced company (unless otherwise prohibited by applicable laws, regulations or individual contracts). Those rights, liabilities, obligations, approvals, contracts, lawsuits, etc, associated with the remaining business unit will stay with the original company.
A business transfer refers to a sale of assets constituting a comprehensive, integral business. The Korean courts have interpreted a “business transfer” under the Korean Commercial Code as the transfer of a company’s business assets, generally including tangible and intangible properties and rights, customer relationships, relationships with suppliers, trade secrets, business organisation, and goodwill having an economic value according to a specific business purpose. In most business transfers, a comprehensive bulk transfer of all the assets and liabilities as well as rights to the business such as the entire goodwill and personnel of a company, is made. Further, the prevailing interpretation of the Korean courts is that all of the assets that form a part of the business must be transferred unless a specific provision exists in the relevant transfer agreement which provides otherwise.
An asset transfer involves acquisition of assets that do not amount to a business. An asset transfer is generally construed to mean a selective transfer of certain assets of the seller company as opposed to a comprehensive business transfer.
The Korean Civil Act, Commercial Act, and other laws do not separately stipulate matters concerning joint ventures, multi-sourcing, etc, and neither are there any court precedents that have defined the concept or requirements thereof.
Shared services are the consolidation of support functions from several departments into a stand-alone organisational entity while captive centres are wholly owned subsidiaries that perform work for the parent company. Organisations often use both options together. Based on the current trend in Korea, major financial groups are actively discussing these options.
However, shared services centres tend to be difficult to implement due to the possibility of opposition by the labour unions, and the operation of captive centres present difficulties such as designating salary, positions, and adjusting/transferring existing employees to subsidiaries. In fact, the implementation of the above models has not been successful in Korea due to conflicts with the labour unions and concerns regarding inefficiency. But, there is an increasing number of subsidiaries conducting IT work for affiliates in some financial groups, and there are cases where a subsidiary in charge of IT will play a leading role in independently commercialising and selling IT products developed by the financial group.
Under Korean law, there are no special protections and remedies provided to an outsourcing customer. Only general protections and remedies provided under the Civil Act (ie, the central legislation governing contractual relationships) may be utilised when an outsourcing service provider breaches its contract.
Under the Civil Act, a contract may be terminated by either party when a party “seriously” breaches the contract. “Serious” breach refers to failure to perform which causes serious harm or damage to the customer, in which case, the outsourcing contract can be terminated by the customer. However, in case the failure to perform only causes inconvenience, confusion, or temporary interruption (ie, not a serious breach), the contract may not be terminated.
The customer may also seek damages against the service provider. This remedy may be utilised even in case of a minor breach of contract. Under the Civil Act, the customer has the burden to prove actual damages suffered, such as business loss, with the exception of cases involving personal information. Under the Protection of Personal Information Act, a service provider who deals with personal information has a duty to set up security/protection measures to prevent intrusion of personal information. If the service provider fails to comply with these rules, the burden of proof lies with the service provider and the customer may seek damages of up to KRW3 million from the service provider or three times the actual damages incurred.
Outsourcing is regulated in Korea on a case by case basis. Applicable laws and regulations will vary depending on the business location where the outsourcing takes place and the impact that the outsourcing may have on the labour relations or personal information. Having said that, typically, an outsourcing arrangement involves a subcontract in which a party will agree to perform a task and the other party will compensate the party in return, or a mandate under which a party will entrust the other party with the management of its business, etc, and the other party consents thereto. Therefore, based on the structure of outsourcing, it is highly likely to be subject to the Civil Act of Korea.
As a general protection under the Civil Act, the customer or supplier may terminate the outsourcing agreement based on the other party’s breach of contract which has a material adverse effect on the maintenance of the outsourcing agreement. For example, the customer has the right to terminate the outsourcing agreement upon certain events (such as default, bankruptcy, or dissolution) which may have a material adverse effect on the supplier’s ability to provide the outsourced services.
Moreover, since “freedom of contract” is one of the fundamental principles of the Civil Act, the causes for termination of the outsourcing agreement could be decided by mutual agreement between the customer and supplier. In practice, the customer and supplier will usually stipulate to a clause regarding the causes for termination of the contract in the outsourcing agreement.
The Civil Law of Korea and the Supreme Court set forth general principles of a damage claim, and these principles are also applied to outsourcing agreements. The Korean legal system adopts a view of dividing damages into three parts, positive damages (damages stemming from loss of monetary profit), negative damages (prospective damages stemming from loss of future monetary profit), and emotional distress. A party who claims damages must demand separate compensation for each form.
The range of compensation will depend on whether such damages constitute “ordinary damages” or “special damages”. Ordinary damages are damages caused by non-performance of obligations, and a party claiming ordinary damages need to only prove the amount of damages linked to the non-performance. Ordinary damages will typically be fully compensated. However, in the case of special damages, the party seeking compensation must prove that the breaching party had foreseen or could have foreseen circumstances that such special damages would occur when breaching the contract.
Normally, loss of profit, goodwill, business, etc, would be considered a part of negative damages, and if the loss is considered as special damages, the party seeking compensation must prove that the breaching party could have foreseen the loss of profit, goodwill, business, etc. In principle, damages may not be awarded in an amount exceeding the actual damages incurred, with the exception of violations of the Personal Information Protection Act (PIPA). In order to protect and prevent violations of personal information, PIPA provides for statutory and punitive damages. A data subject whose personal data has been lost, stolen, or leaked due to a data breach can request damages of up to KRW3 million from the data handler, and the court can order a data handler to compensate the data subject up to three times the actual damages incurred if the data subject's personal data was lost, stolen, or leaked due to the data handler's gross negligence or wilful misconduct.
Although not expressly stated in writing, certain terms may be implied in an outsourcing relationship and may nevertheless become part of the contract based on custom and law. These implied terms may arise due to specific legislative provisions such as the Fair Transactions in Subcontracting Act, or as a result of general legal rules. Terms may also be implied by the circumstances surrounding the contract, for example, if there is a consistent course of dealings between the parties, or if there are customs within the industry in which the parties operate, etc. Terms may also be implied where it is apparent from the facts that the parties intended that certain terms be included in the contract.
Employee transfers involve an employee leaving the existing company and working at a new company, in which case, unless the employee objects to the transfer of their employment relationship, the employment relationship between the employer (ie, the transferor) and the employee is automatically transferred to the transferee of the business. Since employment relationships are automatically transferred, the transferee may not refuse to continue the employment of the transferred employees unless there is just cause for termination of employment, and the transferee must assume and apply substantially the same employment terms and conditions (such as employment period, wages/benefits and severance pay), as applicable to the transferred employees prior to the transfer.
In contrast, in case of an “asset transfer”, the transferee does not assume the employment relationship existing prior to the transfer. In the legal sense, the transfer of employees in an asset transfer means that the employment with transferor is terminated and a new employment is entered into with the transferee. However, even if the employment relationships are not automatically transferred in case of an asset transfer, the transferee usually will assume and apply substantially the same employment terms and conditions in order to induce the employee’s acceptance of such transfer.
In this regard, if there is uncertainty as to whether the contemplated transaction will be regarded as a business transfer or asset transfer, the usual practice is to enter into a tripartite transfer agreement among the transferor, the transferee and the transferred employee to avoid any such uncertainty.
In principle, there is no specific requirement that a trade union or workers’ council consultation be required for outsourcing. Notwithstanding, if there is a collective bargaining agreement that sets forth obligations for specific consultation or prior consent to outsourcing, then such provisions must be followed. For instance, collective bargaining agreements will often include provisions that require the company to provide notice and obtain consent of the labour union in case of spin-offs, business transfers, asset transfers, etc, and these provisions are binding on the parties to the agreement.
The practice on employee transfers will vary depending on the method of outsourcing. In case of outsourcing based on a business transfer, spin-off, etc, which constitute a comprehensive transfer of a company’s business as a whole, Korean courts have generally held that unless an employee objects to the transfer of their employment relationship, the employment relationship between the employer (ie, the transferor) and the employee is automatically transferred to the transferee of the business.
In Korea, there are no specific regulations on the assignment and acquisition of assets under an outsourcing contract, except for provisions regarding the assignment and assumption of a business under the Civil Act.
The Korean courts have interpreted a “business transfer” to mean the transfer of a company’s business as a whole, which generally includes tangible and intangible properties and rights, customer relationships, relationships with suppliers, trade secrets, business organisation, and goodwill having an economic value according to a specific business purpose. Hence, notwithstanding the name of the form of transfer, if any transaction substantially results in the transfer of a company’s business as a whole, there is always a possibility that it may be regarded as a business transfer rather than an asset transfer, by operation of law.
Certain transactions such as mergers, the transfer of a whole or a significant part of a business or the acquisition of a whole or a part of a business of another company which significantly affect the acquiring company’s business are subject to approval of a special resolution of the shareholders of the company, which requires the affirmative vote of two thirds of the shareholders at a shareholders’ meeting comprising at least one third of the total issued and outstanding shares.