Due to the use of artificial intelligence (AI) and automation, IT outsourcing is on the verge of a revolution. The “intelligent factory” will become a reality for many industries through the networking of production processes and in turn this will massively change the role of IT and IT outsourcing.
Additionally, the market for cloud computing is growing rapidly in Germany, not only due to COVID-19. According to a survey, 73% of German companies used cloud services in 2018, 7% more than in the previous year. It can be assumed that the numbers are even higher today.
The business process outsourcing (BPO) market is highly fragmented in Germany, with the top 20 BPO providers occupying less than 30% of the market share (GTAI Fact Sheet Business Services in Germany). Indeed, 70% of all service providers’ core activity is BPO (see, Call Center Profi 2018).
During the COVID-19 pandemic, many German companies not only implemented new outsourcing routines but were forced to begin a major "clean-up" of existing business processes. On this basis, it is believed that major (additional) outsourcing projects will follow in the coming years.
Most legal changes resulting from new technology are expected in the area of AI. Liability for malfunctions of AI is still unresolved under German law. On 21 April 2021, the European Commission presented a draft regulation establishing harmonised rules for artificial intelligence (the Proposal for a Regulation establishing harmonised rules for artificial intelligence) following a risk-based approach. The European Union (EU) wants to promote the development and use of AI to strengthen Europe's position as a global centre of excellence for AI. It also aims to prevent research from being hampered by inhomogeneous regulations and thereby weakening the EU's competitiveness.
Outsourcing is not specifically regulated by German Law. There are, however, multiple German laws relevant to the outsourcing process. When entering into an outsourcing contract, its legal qualification as well as questions concerning liability are generally specified by the German Civil Code (BGB or Bürgerliches Gesetzbuch). Additional legal aspects that are regulated either by the BGB and/or other acts are, for example, IP rights (including copyrights), corporate matters, tax issues and various details concerning specific regulated sectors, such as finance or insurance.
There is also a standard specification and set of guidelines, the DIN ISO 37500, describing the processes, main phases, and governance aspects of an outsourcing process. These guidelines are, however, not legally binding.
Since outsourcing is often connected to the transfer of personal data, the parties involved also will have to consider the data protection regulations. In Germany, as in any other EU member state, data protection is primarily addressed by the General Data Protection Regulation (GDPR). The GDPR is supplemented by relevant national data protection laws (the BDSG or Bundesdatenschutzgesetz).
Financial Services Industry
When outsourcing activities or processes, financial institutions have to especially consider Sections 25a and 25b of the Banking Act (KWG or Kreditwesengesetz) which require the outsourcing process to not pose any additional risks to the company’s business. Therefore, the relevant institutions are obliged to take reasonable precautions in avoiding such risks. Furthermore, financial services institutions must ensure that the German Federal Financial Supervisory Authority (BaFin or Bundesanstalt für Finanzdienstleistungsaufsicht) can continue to exercise its rights regarding information, inspection and control even in case of outsourced services and that the outsourcing does not impair these rights. Similar specifications are found in the Stock Exchange Act (BörsG or Börsengesetz), the Securities Trading Act (WpHG or Wertpapierhandelsgesetz) and the Insurance Supervision Act (VAG or Versicherungsaufsichtsgesetz).
Article 9 of the Guidelines on minimum requirements on risk management (MaRisk or Mindestanforderungen an das Risikomanagement), issued by the BaFin, documents the understanding of the BaFin regarding the rules and regulations of the KWG in the context of outsourcings and how these are to be followed in operational practice.
The MaRisk also contains the EBA Guidelines set up by the European Banking Authority (EBA) concerning specific provisions for the governance frameworks of all financial institutions controlled by EBA when it comes to their outsourcing arrangements and any related supervisory processes.
Industries Providing (Other) Critical Infrastructure
For companies considered as providers of “critical infrastructure” (this concerns suppliers of energy, water, food, health, transport, waste disposal, IT, finance or insurance if and insofar as they provide their services to a certain number of people), the Act on the Federal Office for Information Security (BSIG or Bundessicherheitsgesetz) contains various organisational duties to be followed. In April of 2021, the BSIG was strengthened by the IT Security Act 2.0 (IT-Sicherheitsgesetz 2.0) with the intent to further protect all services which are of general interest.
Regardless of their qualification as a provider of “critical infrastructure”, telecommunication companies have to comply with Section 109, paragraphs 1 to 3 of the German Telecommunication Act (TKG or Telekommunikationsgesetz), which sets up specific IT security standards.
Providers also have to consider the requirement on secrecy of telecommunications, which is stipulated in Section 88 of the TKG. Further telecom-specific regulations on data protection are found in Sections 91 et seq of the TKG. These provisions in the TKG concerning data protection, however, will be replaced by the recently passed Telecommunications and Telemedia Data Protection Act (TTDSG or Telekommunikation-Telemedien-Datenschutzgesetz) in December 2021.
Outsourcing in the public sector and especially the questions of “If” and “How” are heavily regulated and restricted.
According to Article 33, paragraph 4 of the German Constitution (GG or Grundgesetz), exercises of sovereign power may only be assigned to members of the public sector. This applies to all core areas of public administration, which includes all functions for which citizens would expect a decision to be made by a public authority. Accordingly, only auxiliary tasks can be outsourced to private parties. Usually, IT services, in the terms of operating hardware and software and processing data, are considered such auxiliary functions.
Additionally, the rules of the Public Procurement Law must be strictly observed. These consist of multiple different acts, such as the Treaty on the Functioning of the European Union (TFEU), Sections 97 et seq of the German Act Against Restraints of Competition (GWB or Gesetz gegen Wettbewerbsbeschränkungen) and several other regulations. In many cases, the public sector client is required to carry out an extensive, time-consuming and costly tender process within the European Union to attract different offers for the specific outsourcing contract.
Data Protection is mainly governed by the Regulation (EU) 2016/679, commonly known as the General Data Protection Regulation (GDPR or Datenschutzgrundverordnung). The GDPR applies to the processing – wholly or partly by automated means – of personal data by a controller or processor established in the EU as well as by undertakings outside of the EU if the data subject lives inside the EU.
Processing means any “operation or set of operations which is performed on personal data” (Article 4, paragraph 2 of the GDPR) with personal data being defined as “any information relating to an identified or identifiable natural person” (Article 4, paragraph 1 of the GDPR). In other words, the GDPR is applicable virtually any time personal data is involved.
Principles on Data Processing
Any data processing has to be compliant with the principles laid down by the GDPR, such as the principle of lawfulness, purpose limitation and accuracy, as well as other specific regulations within the GDPR. Article 6, paragraph 1 of the GDPR lists the conditions for when processing personal data is allowed, such as the necessity to perform a contract or to comply with legal obligations.
Special categories of personal data (eg, data revealing ethnic origin, genetic data or health data) are protected by Article 9 GDPR. Processing these categories of data is generally prohibited and allowed only under special circumstances, defined by Article 9, paragraph 2 of the GDPR.
Processing in the Context of Outsourcing
In the context of outsourcing, it will usually be the case that the outsourcing provider processes personal data on behalf of its customer, creating a situation of “processing” in terms of Article 28 of the GDPR. This article stipulates several strict requirements, for instance certain provisions that have to be included in the underlying contracts. As a result, the transferring of data between customer and provider is not considered a “transmission” in the data protection sense and is, therefore, not a processing activity that needs to be justified.
The opposite scenario is the “joint control” of the outsourcing provider alongside its customer which is regulated in Article 26 of the GDPR. In this case, exchange of data between customer and provider is indeed considered a transfer of data in the sense of the GDPR and therefore needs to be justified. Additionally, customer and provider have to consider certain requirements, such as transparency obligations concerning their respective responsibilities in order to achieve GDPR compliance.
Transfer of Personal Data to Third Countries
Transferring personal data from within the EU/EEA (European Economic Area) to non-EU/non-EEA countries is regulated by Articles 44 et seq of the GDPR. Such transfers must not undermine the level of protection of personal data guaranteed by the GDPR. In its Schrems II judgment dated 16 July 2020 (C-311/18), the European Court of Justice declared the European Commission’s “EU-US Privacy Shield” decision invalid due to invasive US surveillance programs, thereby making transfers of personal data based on the “Privacy Shield” illegal.
One remaining justified option for companies to transfer personal data to a recipient in the USA is to use the (new) Standard Contractual Clauses (SCC; also, standard data protection clauses). According to the Commission’s implementing decision of 4 June 2021 (2021/914), the standard contractual clauses are considered to provide appropriate safeguards within the meaning of Article 46, paragraph 1 and paragraph 2 lit d) of the GDPR. However, due to their nature as contractual clauses which only have a legal effect between the parties involved and not for security authorities in third countries, the new SCCs cannot conclusively resolve all conflicts of Articles 44 et seq of the GDPR with applicable laws in third countries. As a result, in many cases, a transfer of personal data to a third country cannot be based on the SCCs alone. Additional measures, such as encryption, may be required pursuant to a case-by-case analysis.
In addition to data transfers to the USA, transfers to the UK remain of high practical relevance. In respect of recipients in the UK, the above issues have been resolved since the EU Commission has published an adequacy decision in the meaning of Article 45 of the GDPR in June of 2021. This means that personal data may be transmitted from the EU/EEA to the UK without SCCs.
Data security, as the principle of “integrity and confidentiality”, is one of the fundamental principles of the GDPR laid down in its Article 5. The controller has to use appropriate technical or organisational measures to ensure the security of personal data, including protection against unauthorised processing and accidental loss. These requirements are specified by Article 32 of the GDPR which lists certain kinds of measures, such as pseudonymisation and encryption of personal data.
Additional regulations concerning data security for providers of “critical infrastructure” are set up by the Directive (EU) 2016/1148 (Network and Information Systems Directive), which is implemented into German law by the BSIG.
As of 2018, professional secrecy holders (eg, doctors, lawyers, tax advisors and family advisors) can disclose third-party secrets to other persons involved in their professional activities pursuant to Section 203, paragraph 3 of the German Criminal Code (StGB or Strafgesetzbuch). The explanatory memorandum to the law explicitly mentions cloud storage providers as such “other persons”.
The data protection laws mentioned above also set up the legal framework for cloud computing. In addition, the highest German data protection authorities issued a guide on cloud computing (Orientierungshilfe Cloud Computing), providing detailed instructions on how to use cloud-based services in compliance with data protection laws.
Undertakings violating the BSIG may be fined with amounts of up to EUR2 million. Infringements of the GDPR may be fined up to a maximum of EUR20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. The TKG determines fines up to EUR1 million or, for companies with an average annual turnover of more than EUR50 million, up to 2% of the average worldwide annual turnover.
If a contract concerning the outsourcing of a bank does not meet the requirements stated above, the BaFin may take measures to require the bank to change the outsourcing agreement adequately. The BaFin may even prohibit the outsourcing in its entirety.
Usually, the parties address confidentiality in their outsourcing contracts by including a confidentiality clause or by agreeing on a separate confidentiality agreement. These include, in most cases, an obligation of the provider to keep the outsourcing customer's data confidential, as well as specific obligations relating to the return and deletion of data at the end of the contract term.
Breaches of confidentiality are usually sanctioned by a contractual penalty or liquidated damages clauses. Relying on compensation clauses as well as on compensations issued by law is not recommended as it is very difficult under German law to prove that a breach of confidentiality has actually led to any damages.
For the legal structure of outsourcing, the parties usually use a modular contractual framework with a framework agreement and (several) additional individual agreements. The framework agreement governs the overarching general aspects like subject matter of the contract, term and termination, liability and governance. The individual agreements specify certain specific aspects such as, for example, the service description, the service levels (eg, availability, response time or security levels), and pricing aspects. Depending on the respective outsourcing, the agreements include purchasing, leasing service and/or other contractual elements.
The ranking order of the different documents is usually determined explicitly within the contracts and may be freely chosen by the parties. If such provisions do not exist, the more specific agreement rules out the other more general agreement.
The most common contract types in an IT environment are service contracts (Dienstvertrag) and contracts for works made for hire (Werkvertrag). In the case of a Werkvertrag, the provider owes the successful delivery of a specified result, whereas in the case of a Dienstvertrag, the provider does not owe such a result but rather the mere effort. While the Dienstvertrag allows more flexibility, the customer has more control over the subject matter when opting for a Werkvertrag. It is not uncommon that the party with the greater bargaining power will specify the contract type.
Often, outsourcing contracts cannot clearly be qualified as either a Dienstvertrag or a Werkvertrag but are rather a combination of both and may even include additional contract types such as purchasing or leasing contracts, staff provision contracts or trust management agreements. If the type of the contract is relevant, for example for the question of what statutes of the BGB apply, each service is treated following its respective type of contract. If this leads to difficulties or contradictions, the contract type that prevails over the others determines the type of the outsourcing contract as a whole.
For multi-vendor cloud computing solutions, the customer can either contract with one main provider, who will then use several sub-providers, or the customer can organise its own vendor management using multiple providers. One possibility to do so is using the “SIAM”-model (Service Integration and Management). In this case, the customer has one IT provider that manages, co-ordinates and optimises the services of several service providers. While a general contractor is responsible for the services of its sub-providers, the SIAM provider is not, as the contracts with the different providers are all concluded separately with the customer.
When using the multi-vendor model, all parties have to ensure that the data transfer amongst each other is technically and especially legally possible.
Many German companies operate their own captive centres in Germany, some near their headquarters (such as Beiersdorf in Hamburg), others at other locations, such as Daimler or BASF in Berlin.
With nearly 7,000 contact centres employing around 540,000 people, the service provider market has a market volume of EUR40 billion. The volume of the business and IT service market has been growing by roughly 2.5% every year since 2014 (see, GTAI Fact Sheet Business Services in Germany).
Remedies by Law
If the service provider fails to fulfil its obligations, the remedies available to the customer depend on the type of contractual agreement between the parties.
As a Dienstvertrag obliges the service provider only to perform a certain service, damages and compensations can be claimed only if the provider did not make efforts to provide the service at all.
Conversely, when agreeing on a Werkvertrag, the provider owes the specified results. Only if and when the provider achieves the defined success and the customer accepts the delivery is the customer obliged to pay the remuneration. If the delivered result is inadequate – for example, not as specified by the contract – the customer has the remedies laid out in Section 634 BGB, which are a reduction of the fees, a withdrawal from the contract and/or damage claims. As these remedies depend on the inadequacy of the delivered result, it is of utmost importance to describe and specify the owed (technical) delivery as precisely as possible.
Additionally, it is common to add further customer protections into an outsourcing agreement. These include penalties for non-compliance with, for example, service levels as well as specified termination rights in case of severe service level breaches. The parties may also agree that only the remedies and liability agreed in their contract shall apply in case of non-compliance while the respective provisions provided by law shall be excluded. The right to terminate the contract or to reduce pricing, however, may not be excluded within general terms and conditions.
In practice, it is often difficult for the customer to know whether or not the service provider meets the required service levels, because the provider is not part of the customer’s working organisation. For the customer, however, it is vital to have this knowledge since otherwise it has no basis for any claims. To ensure that the customer is properly informed of the provided services, it is common to include documentation and reporting obligations for the provider as well as monitoring and auditing rights for the customer.
Under German law, there are several options to terminate an outsourcing contract before the agreed end of the term. Those can be determined by the contract itself as well as by law.
Termination due to Non-compliance
As mentioned above, the customer has the right to terminate the contract if the provider fails to perform its contractual duties and the customer unsuccessfully requested performance within a certain period of time. Furthermore, any party may terminate the contract without notice if the other party committed a fundamental breach of the contract (Section 314, paragraph 1 of the BGB, Section 626 of the BGB for Dienstverträge). Since this term leaves plenty of room for interpretation, the parties usually specify within the contract what should be considered as such a “fundamental breach”. In this respect, the parties are free to determine any reasons that justify the termination of the contract, for example if the provider does not meet specified service levels. These reasons may not, however, contradict mandatory law. A right, for instance, to terminate the contract based on the filing of an application for the opening of insolvency proceedings is invalid as it would undermine the right of the insolvency administrator to decide whether the contract should be fulfilled or not (Section 103 of the InsO).
Termination for Convenience
Termination for convenience is also very common. The parties will typically agree on the specific terms for a termination for convenience, which usually includes an obligation of the terminating party to pay a compensation to the other party (termination fees). If termination periods are not agreed amongst the parties, statutory regulations apply. The applicable termination periods depend on the specific type of the contract. Naturally, both parties are free to agree to mutually terminate the contract at any point in time.
Termination due to Major Changes
In case the substance of the contract has fundamentally changed in a way that at least one party would not have entered into the contract, had it known the change of circumstances beforehand, and adherence to the contract is unreasonable for this party, such party can ask for a change in the contract (Section 313 of the BGB). German courts have, for example, considered the COVID-19 pandemic as such a change of circumstances. If changing the contract is impossible or unreasonable for the other party, the deprived party is allowed to terminate the contract altogether. This provision is usually integrated by the parties into the outsourcing contract by including a so-called “major change” clause.
When it comes to liability, German Civil Law distinguishes between the cause of liability and the scope of liability.
Cause of Liability
There are two kinds of liability under German Law: fault-based liability and absolute liability. Most common, especially in outsourcing contracts, is fault-based liability. According to this, any damage which has been caused by one party and that can be attributed to such party’s behaviour has to be compensated, unless such party was not at fault, for example if the damage was caused by an independent third party or by force majeure.
Absolute liability, as the name indicates, means a liability independent of fault.
Scope of Liability
The scope of liability is determined by the principle of restitution in kind (Naturalrestitution, Sections 249 et seq of the BGB). The damaged party has to be put in the position it would have been in had the damaging event never happened. This means that both direct and indirect damages and losses have to be compensated. Indirect loss especially includes lost profits (Section 252 of the BGB). As the scope of liability is wide, the service provider will have a substantial interest in limiting its liability.
Generally, the parties are free to negotiate their contract as they see fit. This includes the question of which liability for what kind of losses and damages should be included or excluded and to what extent. There are, however, some boundaries under German Law.
Generally, fault-based liability can be excluded by the parties to any extent, except for cases of intentional breach. This applies, however, only to exclusions of liability that were agreed upon individually. If the exclusion is part of general terms and conditions, German Law, within the Sections 305 et seq of the BGB, limits the possibility to exclude and limit liability even more, as follows: liability for damage to life, health and body of a person as well as for cases of gross negligence and intent cannot be excluded within general terms and conditions. Additionally, liability may be limited only to typically foreseeable damages resulting from the performance of essential contractual obligations. Capping the liability to a certain amount, which is the most common liability limitation, is also only allowed when agreed upon individually.
Absolute liability is usually bound by maximum limits, but cannot, in most cases, be further limited by contract. An example of absolute liability is Section 536a BGB which stipulates liability for the lessor concerning defects at the time of conclusion of the contract. As outsourcings sometimes include tenancy agreements, especially in case of cloud computing, this case of absolute liability can become relevant in respect of outsourcings. Section 536a of the BGB, however, can be excluded by general terms and conditions between two businesses.
Under German law, it is sufficient to agree only on the essential provisions of a contract, that is, in the case of a contract for works made for hire, the result that is to be delivered as well as the remuneration. Any other provisions that are relevant to perform the contract are supplemented by law, in particular the BGB.
Prior to the supplementation by law, however, the contract will have to be interpreted. If the parties did not reflect a certain scenario in the contract, a judge would try to determine – based on the existing provisions as well as the circumstances under which the contract was agreed upon – what terms the parties would have agreed upon had they considered these specific circumstances.
Nonetheless, as this hypothetical intent of the parties is difficult to determine and to prove in retrospect, and statutory regulations are not always adequate, the parties should always seek to determine any relevant provisions explicitly within the contract.
Transfer of Employees
The regulations concerning the transfer of employees are set out in Section 613a of the BGB. Whether these rules apply to the outsourcing concerned depends on the concrete circumstances and the arrangement of the outsourcing. Section 613a of the BGB is only applicable in case of a transfer of undertakings. This requires the transfer of an operation (Betrieb) or a part of an operation (Betriebsteil). The “identity” of the operation has to be maintained. Whether this is the case or not depends, for instance, on whether tangible or intangible assets are being transferred and on how similar the products or the services are before and after the transfer. Furthermore, the outsourced employees must work predominantly in the outsourced sector.
If the outsourcing does include a transfer of undertakings, the employees are permanently transferred; the provider will be their new employer and the termination of the contract by the former or the new employer solely based on the transfer is not allowed. The former employer has to notify the employee about the date and the reason for the transfer and the legal, economic and social consequences for the employee. The rights and obligations of the existing employment relationship cannot be changed to the detriment of the employee before the expiry of one year as of the date of the transfer. In addition, the employee can object to the transfer in writing within one month.
The employee transfer is a mandatory consequence of a transfer of undertakings in line with Section 613a of the BGB, which cannot be excluded by the parties. Therefore, the parties should always consider this aspect when structuring an outsourcing to avoid a transfer of employees “by accident”.
Under certain conditions, the parties of an outsourcing can agree to a so-called labour leasing. Such labour leasing has to follow certain rules stipulated by the Temporary Employment Act (AÜG or Arbeitnehmerüberlassungsgesetz). Most important are the requirements of a permission by the authorities, the time limitation of 18 months (which can be raised to up to 24 months by collective labour agreements) and the obligation of equal treatment.
If an employee transfer leads to a substantial change in terms of Section 111 of the German Works Constitution Act (BetrVG or Betriebsverfassungsgesetz) with substantial prejudice to the staff or a large portion thereof, the works council has to be informed. Thereupon, the employer and the works council have to negotiate a “reconciliation of interests” (Interessenausgleich) which describes the planned measures and a social plan setting out the compensation of the employees. The obligation of the employer is, however, limited to the negotiation of the “reconciliation of interests”; if the negotiations fail, the employer is permitted to transfer the employees anyway. Conversely, if the negotiations concerning the social plan fail, the conciliation committee draws up the social plan instead.
Frequently, however, there is no substantial change in terms of Section 111 of the BetrVG during an outsourcing, as the department (Betrieb) affected by the outsourcing is transferred as a whole, not altering the organisation of the department.
Should the transfer not lead to a substantial change within the meaning of Section 111 of the BetrVG, the employer, nonetheless, has to inform the works council according to Section 80 (2) of the BetrVG as well as the financial committee (Wirtschaftsausschuss), if established, according to Section 106 of the BetrVG.
Depending on the respective outsourcing and its impact on the outsourcing enterprise, there might be additional rights to information and participation of the works council.
The requirements for the structuring of concrete transfers of undertakings pursuant to Section 613a of the BGB are becoming increasingly stringent. At the same time, the possibility of forecasting is decreasing in view of the sometimes surprising case law of the European Court of Justice. In 2009, the European Court of Justice clarified that a change in the organisational structure alone cannot prevent an employee transfer.
At the same time, the classic concept of a business unit within the meaning of Section 613a of the BGB is being superseded by changes such as mobile working, desk sharing and co-working spaces, so that further adjustments in the case law can be expected in the future.
The transfer of real estate requires certain formalities. The contract concerning the transfer has to be notarised. Additionally, the transfer must be registered in the German Land Register (Grundbuch).
The transfer of movable assets follows the rules of the BGB, especially Sections 929 et seq. The parties must agree on the transfer and transfer the physical ownership of the relevant assets. The transfer of ownership may take place by the owner or by a person authorised by the owner.
IP Rights and Licences
Registered trade marks, patents and designs are transferred by registration with the German Patent and Trademark Office (Deutsches Patent- und Markenamt) or, respectively, at the European Patent and Trademark Office. To ensure the transfer legally, contracts usually contain a clause obliging the providing party to support the other party with such registration.
Copyrights, however, cannot be transferred. Nonetheless, it is possible to grant (far reaching) usage rights regarding the use of a certain intellectual property. These licences can be exclusive and comprehensive and can also exclude any remaining use by the author, meaning that they factually come very close to an actual transfer. The related licence agreements should cover all important aspects of the licence, particularly the details of the licensed usage rights. If the scope of the granted usage right is unclear, it will be interpreted in favour of the author.
Any IP that is being created always belongs to its creator (Section 7 of the UrhG). This includes IP generated during the execution of outsourcing contracts. Therefore, the parties may determine by contract that any copyright-protected content created during the execution of the contract is automatically licensed to the customer.
Data and Information
For the transfer of data and information, there are no special rules under German Law. Therefore, the transfer may be agreed upon amongst the parties by way of the contract. Needless to say, any such agreements must always be in line with the GDPR.