Outsourcing: France overview

A Q&A guide to outsourcing in France.

This Q&A guide gives a high level overview of legal and regulatory requirements on different types of outsourcing; commonly used legal structures; procurement processes; formalities required for transferring or leasing assets; data protection issues; customer remedies and protections; contracting parties' remedies; dispute resolution; and the tax issues arising on an outsourcing.

To compare answers across multiple jurisdictions, visit the Outsourcing Country Q&A tool.

This Q&A is part of the global guide to outsourcing. For a full list of jurisdictional Q&As, visit www.practicallaw.com/outsourcing-guide.

For the rules relating to transferring employees, visit Transferring employees on an outsourcing in France: overview.

Contents

Regulation and requirements

National regulations

1. To what extent does national law specifically regulate outsourcing transactions?

There are no specific laws regulating outsourcing transactions.

 

Sectoral regulations

2. What additional regulations may be relevant for the following types of outsourcing?

Financial services

The regulation of outsourcing for financial services was imposed by Directive 2006/48/EC relating to the taking up and pursuit of the business of credit institutions (Banking Consolidation Directive) along with Directive 2006/49/EC on the capital adequacy of investment firms and credit institutions. Those Directives have been implemented by the Law No. 2013-672 of 26 July 2013 on the Separation and Regulation of Banking Activities.

The outsourcing of financial services is subject to:

  • Monetary and Financial Code.

  • Regulations of the French Prudential Control Authority.

  • Financial Markets Authority Regulations.

The relevant provisions are included in the:

  • Monetary and Financial Code (Articles L522-14 to L522-18 and Articles L526-27 to L526-34).

  • French Ministerial Order of 3 November 2014 on the internal control of credit institutions and investment firms of the French Prudential Control Authority.

  • The General Regulation of the Financial Markets Authority.

The institutions concerned are:

  • Credit institutions.

  • Investment firms.

  • Legal persons composed of either credit institutions or investments firms.

  • Payment institutions.

The customer is the company that is outsourcing and the supplier is the company entering into an agreement to manage the outsourced activity.

Obligations for these institutions include that:

  • Information must be given to the Prudential Control Authority and parties must ensure that the Prudential Control Authority can check the institution's compliance with its legal obligations.

  • The customer controls the outsourced activities.

  • The customer remains responsible for the obligations it has regarding its own customers and partners when the activity was outsourced. This is an essential part of its service.

  • The outsourcing activity must be subject to a written contract between the supplier and the customer.

  • Termination of the outsourcing arrangement must not prejudice the continuity or quality of the service.

  • The customer ensures that the supplier complies with the normal use of the service, and with the protection of confidential information.

  • The customer must install a safety mechanism in the case of a serious threat to the continuity of service.

  • The supplier cannot substantially modify the service provided without the prior approval of the customer.

  • The supplier must comply with the processes defined by the customer regarding the organisation of control. It must allow access, when necessary, to all information on the activity outsourced and notify of every event that can have an impact on its ability to perform its task.

  • If the supplier is based in a country that is not a member of the European Community and outside the European Economic Area (EEA), additional conditions apply:

    • the supplier must be entitled or authorised to exercise outsourcing activities for third parties in its country of origin;

    • the supplier must allow a "prudential surveillance" by the Financial Markets Authority; and

    • without compliance with these two conditions, the outsourcing agreement will only be recognised if, after notification to the Bank Commission of the Prudential Control Authority, no observations have been made for a period of three months.

Business process

No specific regulations apply.

IT and cloud services

No specific regulations currently exist for IT and cloud services. However, the French Data Protection Authority (CNIL) published recommendations on how best to comply with the general regulations when cloud services are concerned:

  • Clearly identify the data and processing operations that will be passed to the cloud.

  • Define the requirements for technical and legal security.

  • Carry out a risk analysis to identify the security measures essential for the company.

  • Identify the relevant type of cloud for the planned processing.

  • Choose a service provider offering sufficient guarantees.

  • Determine the service provider's legal qualification.

  • Assess the level of protection given by the service provider for the data processed.

Telecommunications

There are no specific regulations.

Public sector

Specific regulations apply to outsourcing in the public sector. Limitations are implied by the necessity to follow the legal framework of public procurement. The outsourcing of public sector activities to a private company must comply with the prior tender offer system.

 
3. What further legal or regulatory requirements (formal or informal) are there concerning outsourcing in any industry sector?

The supplier must be entitled or authorised to perform these financial activities.

 
4. What requirements (formal or informal) are there for regulatory notification or approval of outsourcing transactions in any industry sector?

For every potential outsourcing of personal data collection, a statement must be made to the French Data Protection Authority (CNIL).

Every payment institution willing to outsource some of its technical function of payment services must inform the Bank Commission of the Prudential Control Authority in advance.

 

Legal structures

5. What legal structures are commonly used in an outsourcing?

Direct outsourcing

Description of structure. In direct outsourcing schemes, the contract is signed directly between the customer and the supplier. The supplier has its own infrastructure and employees.

Advantages and disadvantages. The advantages of this structure are:

  • It is fast to implement.

  • There are high but defined costs.

  • Flexibility.

The disadvantages are:

  • Absence of real control.

  • Less control on intellectual property protection procedures.

  • Privacy issues because of the transmission of data.

Multi-sourcing

Description of structure. The customer outsources a number of separate activities to different suppliers.

Advantages and disadvantages. The advantage is that it is very flexible. The disadvantages are:

  • Difficulty of management.

  • Risk regarding quality of service.

  • Potential disruption to service.

Joint venture

Description of structure. The customer creates a new entity through a joint venture signed with a supplier for the outsourced activity.

Advantages and disadvantages. The advantage of this structure is the control on the outsourced activity. The disadvantages are:

  • Complexity.

  • Cost.

Build operate transfer

Description of structure. The third party supplier is independent from the customer. The supplier builds a service and starts operating it before transferring it to the customer.

Advantages and disadvantages. The advantages are that it is quick to implement. The disadvantages are:

  • Cost.

  • Risk to the quality of the service and risk of business disruption during the transition.

 

Procurement processes

6. What procurement processes are used to select a supplier of outsourced services?

Procurement processes are only mandatory for the public sector and are subject to specific regulations.

Request for proposal

It is possible for an outsourcing contract to be directly concluded with the customer. Often, the outsourcing contract is offered by the supplier itself. The customer can have an open bid process where he presents a request for proposal to a number of potential suppliers.

Requests for proposals and invitations to tender are common even though they are not mandatory to conclude an outsourcing contract.

Tender of offer

This is the most common method used to select a supplier of outsourced services.

Due diligence

Each party must communicate the information that is necessary for the other to make an informed decision. The customer must verify certain aspects such as the:

  • Financial stability.

  • Employee mobility.

  • Protection of Intellectual property.

  • Performance by the supplier on similar projects.

 

Transferring or leasing assets

Formalities for transfer

7. What formalities are required to transfer assets on an outsourcing?

Immovable property

Any real estate transfers must be established by a notary.

IP rights and licences

A company transferring IP rights such as a trade mark, copyright or patent must ensure that it is entitled to transfer the rights. In order for the transfer of a trade mark or patent to be valid, it must be registered with the National Institute for Industrial Property (INPI) (Articles L.131-3, L.613-9 and L.714-1, Intellectual Property Code).

Movable property

No specific regulation exists regarding movable property except for vehicles for which a transfer must be registered with the police department.

Key contracts

Any transfer of contract requires the approval of the other party, whether included in the contract before the outsourcing or obtained during a specific negotiation.

Data and information

Transfer of data must comply with Directive 95/46/EC on data protection (Data Protection Directive) and with the national regulations on the transfer of personal data. Generally, some form of notification must be given to the Data Protection Authority (CNIL) before any transfer. The conditions are more stringent for offshore transfer (see Question 18).

 

Formalities for leasing or licensing

8. What formalities are required to lease or license assets on an outsourcing?

Immovable property

No specific formalities are required to lease or license real property in an outsourcing agreement. However, if the lease exceeds 12 months, it must be declared to the Mortgage Register, after being executed before a notary.

IP rights and licences

As with the transfer of IP rights, the licensor must ensure that he is entitled to license those IP rights. The licence or sub-licence must be written and, as for trade marks and patents, be registered with the National Institute for Industrial Property (INPI) in order to be enforceable against third parties.

Movable property

No specific formalities are required to lease or license movable property.

Key contracts

It is not possible to lease or license a contract. A contract can only be sub-contracted or transferred.

Data and information

See Questions 7 and 18.

 

Transferring employees

Transfer by operation of law

9. In what circumstances (if any) are employees transferred by operation of law?

Initial outsourcing

The transfer of employees is regulated by Article L1224-1 of the Labour Code and Directive 2001/23/EC on safeguarding employees' rights on transfers of undertakings, businesses or parts of businesses (Transfer of Undertakings Directive).

According to Article L.1224-1 of the Labour Code, "in the event of a change in the employer's legal situation, in particular, as a result of inheritance, sale or merger of the undertaking, a change in its legal form or its incorporation, all employment contracts in force at the date of this change continue between the new employer and the company's staff".

Four conditions must be met for this provision to apply:

  • The existence of assets.

  • Employees dedicated to an activity.

  • The transfer and continuation of this activity by a new entity.

  • Continuity in the identity of the business.

Change of supplier

The change of supplier can impose the transfer of employees, if it complies with the conditions for the initial transfer.

Termination

Article L.1224-1 of the Labour Code applies to the termination of the contract. The same conditions and obligations apply as for the initial transfer.

For more information on transferring employees on an outsourcing, including structuring employee arrangements (including any notice, information and consultation obligations) and calculating redundancy pay, see Transferring employees on an outsourcing in France: overview ( www.practicallaw.com/9-575-0652) .

 

Data protection and secrecy

10. What legal or regulatory requirements and issues may arise on an outsourcing concerning data protection?

Data protection and data security

Data protection and security are governed by Act No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties implementing Directive 95/46/EC on data protection (Data Protection Directive).

General requirements. Generally, if personal data related to the employees is transferred to the new employer, the new employer can become either a data controller or a data processor. Data processing is allowed under the Data Protection Directive and French law under the conditions that the data is:

  • Processed fairly and lawfully.

  • Collected for specific, explicit and legitimate purposes.

  • Adequate, relevant and not excessive in relation to the purposes for which it is collected.

  • Accurate and kept up-to-date.

Security requirements. The supplier must offer warranties to ensure data security. A contract must be signed between the customer and the supplier specifying the instructions under which the supplier can process personal data. The data processor can only act under the conditions set in the contract. The customer remains as data controller, liable for any breach of data protection laws caused either by the data controller or the data processor.

Transfer of data to a non-EU member and a non-European Economic Area (EEA) country that is not recognised by the European Commission as offering an adequate level of data protection, requires additional conditions to be fulfilled. The most common way is the conclusion of a contract establishing measures of data protection, based on the European Commission Model Clauses and approved by the Data Protection Authority (CNIL).

Mechanisms to ensure compliance. Specific notification processes must be implemented with the CNIL.

Sanctions for non-compliance. Typically, sanctions for non-compliance of data protection provisions are a fine of up to EUR300,000 and a five year prison term.

 

Service specification and levels

11. How is the service specification typically drawn up and by whom?

The service specification is usually drawn up by the customer if he is at the origin of the outsourcing. Where the supplier started the idea of outsourcing, the service specification is usually written by him. The service specification must be negotiated and inserted in the contract. It must indicate the means put in place to ensure continuity of service and data protection measures.

 
12. How are the service levels and the service credits scheme typically dealt with in the contract documentation?

A description of service levels must be inserted in the contract through a service level agreement. Service levels must be described in an objective and precise manner and indicate the expected results and how those results are reported to the customer.

 

Flexibility in volumes purchased

13. What level of flexibility is allowed to adjust the volumes customers purchase?

The level of flexibility is quite high. The customer must pay attention to the potential issues under competition law.

 

Charging methods and key terms

14. What charging methods are commonly used on an outsourcing?

There are three commonly used charging methods on an outsourcing:

  • Fixed price: if the volumes are predictable.

  • Unit price (pay as you go): when the volumes are not predictable but the supplier needs a minimum of security in fees received.

  • Cost plus: the customer pays the actual service outsourced.

 
15. What other key terms are used in relation to costs, including auditing and benchmarking mechanisms?

Because outsourcing agreements are long-term based contracts, the parties must be able to terminate and update the contract.

Indexation is where the prices reflect inflation and they are typically referring to the "Syntec" index.

 

Customer remedies and protections

16. If the supplier fails to perform its obligations, what remedies and relief are available to the customer under general law?

If the supplier fails to perform its obligations, the customer can terminate the contract or seek damages before the courts.

In order for termination to be valid, the breach must be serious and justify the impossibility for the customer to remain bound by this contract.

Under the general law, the customer must prove the supplier's wrongdoings or negligence, and prove that it caused him damage.

 
17. What customer protections are typically included in the contract documentation to supplement relief available under general law?

Clauses for customer protection usually included in the contract are the:

  • Right to audit the supplier's performance.

  • Possibility for the customer to outsource the service to another supplier.

  • Insurance plan.

  • Parent company guarantee.

  • Termination for cause.

  • Penalties applying to the supplier.

 

Warranties and indemnities

18. What warranties and/or indemnities are typically included in the contract documentation?

The supplier must:

  • Comply with regulations, including regarding data protection law.

  • Ensure continuity of service: a commitment to have the human, material and financial means necessary to provide the service in compliance with the industry standards.

  • Comply with the provisions of the contract.

  • Indemnify the customer where there is an IP rights infringement claim.

 
19. What limitations are imposed by national or local law on fitness for purpose and, quality of service, or similar warranties?

The law does not impose fitness for purpose and quality of service warranties. However, those warranties can be inserted into the contract.

 
20. What other provisions may be included in the contractual documentation to protect the customer or supplier regarding any liabilities and obligations arising in connection with outsourcing?

Standard limitation of liability clauses can be inserted.

 

Insurance

21. What types of insurance are available in your jurisdiction concerning outsourcing, and to what extent are they available?

Insurance policies can notably cover:

  • Employee liability.

  • Property damage.

  • Third party liability.

  • Professional liability.

 

Term and notice period

22. Does national or local law impose any maximum or minimum term on an outsourcing? If so, can the parties vary this by agreement?

The law does not impose any maximum or minimum term on an outsourcing. However, and as for every type of contract, perpetual commitments are prohibited by the law. An outsourcing agreement can be a fixed term contract, including a tacit renewal provision (that is, the contract is renewed automatically if none of the parties object to it).

 
23. Does national or local law regulate the length of notice period required (maximum or minimum)? If so, can the parties vary this by agreement?

The law does not regulate the length of the notice period required for termination. However the termination can be deemed unfair (Article L.442-6 I 5° , Code of Commerce) if the notice is not reasonable. Case law considers that the parties must take into account the length and stability of the commercial relationship to establish the reasonable duration of notice. The minimum standard recognised by case law is six months and it increases proportionally each year. The contract must establish how the reasonable notice is calculated.

 

Termination and termination consequences

Events justifying termination

24. What events justify termination of an outsourcing without giving rise to a claim in damages against the terminating party?

Typically, no predetermined events can justify termination.

The law establishes that termination is always possible when one of the parties does not comply with its obligations. The termination of the contract can be put before a judge to obtain both the termination of the contract and damages (Article 1184, Civil Code).

Insolvency does not justify termination of a contract. However, the law establishes a specific mechanism to terminate a contract in the case of bankruptcy.

 
25. In what circumstances can the parties exclude or agree additional termination rights?

The parties can include in the agreement breaches that will automatically give the right to the other party to terminate the contract. The parties can also insert a clause allowing termination for convenience, typically with prior notice.

 
26. What remedies are available to the contracting parties?

The remedies are those established in the contract or by the law. These can either be damages or to put the other party in the situation which it should have been if the breach had not occurred.

 

IP rights and know-how post-termination

27. What, if any, implied rights are there for the supplier to continue to use licensed IP rights post-termination? To what extent can the parties exclude or include these by agreement?

No implied rights can allow the supplier to continue to use licensed IP rights. The parties can conclude a licensing agreement outside the outsourcing contract allowing the supplier to use the IP right in exchange for a fee. The parties can also insert a clause asserting that the contract termination does not affect the IP right licence agreement.

 
28. To what extent can the customer gain access to the supplier's know-how post-termination and what use can it make of it?

Typically, the customer does not have any right to gain access to the supplier's know-how post-termination. Any use of the supplier's know-how amounts to an act of passing off (unfair competition). However, the customer can gain access to the supplier's know-how if the provision is inserted in the agreement.

 

Liability, exclusions and caps

29. What liability can be excluded?

Typically, direct damages (certain, foreseeable and that are a direct consequence of the breach) can be compensated, but not indirect damages. Indirect damages are not defined by law but the parties can define them and include this definition in the contract, for example:

  • Loss of profits.

  • Loss of revenue.

  • Loss of data.

 
30. Are the parties free to agree a cap on liability and, if desirable, a cap on indemnities? If so, how is this usually fixed?

The parties can agree a cap on liability in a business to business (B2B) contract. To be valid, the cap on liability must be reasonable and freely agreed. The cap on liability is typically not enforceable in the case of:

  • Gross negligence.

  • Wilful misconduct.

  • Death or injury.

The parties can agree on a cap of indemnities. However, the same limitations apply regarding the applicability of this cap. The cap is unenforceable in cases of gross negligence, wilful misconduct, death or injury.

 

Dispute resolution

31. What are the main methods of dispute resolution used?

The most common method of dispute resolution is referring the matter to the courts. However, mediation and arbitration are sometimes inserted in agreements. Mediation can be imposed in an escalation process.

 

Tax

32. What are the main tax issues that arise on an outsourcing?

The law did not establish a specific tax regime for outsourcing. However, Article 57 of the Tax Code can apply to an outsourcing contract. It provides a tax adjustment procedure for companies that are dependent on or that control enterprises situated outside France for profits indirectly transferred to the latter.

The companies meeting those criteria must produce information on the transfers and the related companies. The tax adjustment procedure applies to companies established in a jurisdiction outside France where the tax regime is privileged (Article 238A, Tax Code), even if the company established in France does not control nor is dependent on the supplier.

Transfers of assets to the supplier

This can be subject to registration and to the payment of VAT.

Transfers of employees to the supplier

The transfer of employees can be seen as a transfer of assets.

VAT or sales tax

The ordinary rate of 20% applies to the provision of services. The VAT paid by the customer is deductible if the customer is liable to VAT.

 

Online resources

W www.legifrance.gouv.fr

Description. Official and up-to-date transcripts of the French legislation and jurisprudence.

W www.legifrance.gouv.fr/Traductions/en-English

Description. Non-binding translations of legal codes.

W www.cnil.fr/english

Description. English version of the Data Protection Authority's website. Contains up-to-date but partial information on the CNIL's regulations.

W www.amf-france.org/en_US

Description. English version of the Financial Markets Authority's website. Up-to-date and reliable. However, only the French version of the General Regulation is binding.

W https://acpr.banque-france.fr/en/home.html ( www.practicallaw.com/6-542-8305)

Description. English version of the Prudential Control Authority's website. It is up-to-date and reliable. However, only the French version of the French Ministerial Order is binding.



Contributor profiles

Raphaël Dana, Partner

LMBE Avocats

T +33 1 43 12 80 80
F +33 1 43 12 80 99
E rdana@lmbeavocats.com
W www.lmbeavocats.com

Professional qualifications. France, Avocat au Barreau de Paris, 2000

Areas of practice. Software licensing; support and maintenance agreements; outsourcing agreements; cloud; e-commerce solutions; technology transfer agreements; big data-related questions and projects; personal data audits; Data Protection Authority (CNIL) litigation; computer security; data breaches; litigation.

Recent transactions

  • Assisted a client in a tough contract negotiation for the implementation of software-as-a-service (SaaS) solutions with one of the five biggest industrial groups in France. Worked on the other party's standard terms, which were not suitable for a SaaS type of agreement. Negotiated most of the crucial IP clauses and explained to the other party why this was mandatory.
  • Assisted a client in various contract negotiations (software licence agreement, maintenance and support services and bespoke IP rights transfer agreements). Their activity included the development and implementation of bank messages filtering solutions, with the biggest financial institutions in the UK, the US and France.
  • Assisted and represented a client in a negotiation of complex contractual arrangements with the biggest Swiss-based outsourcing company, who in turn negotiated with the biggest local financial organisations.
  • Assisted a client in a current pre-contentious matter against a Swiss bank in the implementation of a software solution where the financial organisation decided to change its internal IT organisation after having signed the licence agreement and related documentation with the client.

Languages. English, French

Professional associations/memberships

  • Member of ITECHLAW (International Technology Law Association).
  • Member of ADIJ (Association for the Development of IT Law).
  • Member of AFCDP (French Data Privacy Correspondent Association).

Publications

  • French chapter "E-Commerce 2015", Getting the Deal Through, Law Business Research, London, October 2014.
  • French chapter "Outsourcing 2015", Getting the Deal Through, Law Business Research, London, September 2014.
  • "Monitoring in the workplace", Law Business Research, London, August 2014.
  • "Google Inc. ordered to pay a EUR150,000 fine by the French Data Protection Authority", January 2014.
  • "Google's privacy policy and its compliance with European law", E-Commerce Law & Policy, November 2012.
  • "The French Narrowly Escape Introduction of a Centralised Biometric Database", American Bar Association (International Law News) Information, Privacy and Security, Fall 2012, Vol. 41, No. 4, November 2012.
  • In depth analysis of the biometric database developments in France, Data Protection Law and Policy, April 2012.
  • Google rolls out new privacy policy despite criticism from EU, E-Commerce Law and Policy, March 2012.
  • "Data Protection and Privacy: Jurisdictional Comparisons" (author of the French chapter), European Lawyer Reference Series, January 2012.
  • "Precisions on the contents of marketing emails and creation of an obligation to notify personal data breaches" (French version), LexisNexis JurisClasseur Communication Commerce Electronique, The Order 2011-1012 of August 24, 2011, October 2011.
  • "Overview of Employment and Employee Privacy Laws and Key Trends in France", www.nymity.com, July 2011.
  • "Bill on improving data privacy in the digital age: an analysis", Data Protection Law and Policy, May 2011.
  • "Complying with Divergent Privacy Laws in the US, EU and Abroad", Speaker, American Conference Institute, Data Privacy Protection for Life and Health Sciences, Philadelphia, USA, October 2010.
  • "Privacy Backgrounder and Hot Topics for France", www.nymity.com, August 2010.
  • "Analysis of recent French case law on whistleblower systems" (English translation and original French version), LexisNexis JurisClasseur Communication Commerce Electronique, June 2010.

Clémentine Carlet, Associate

LMBE Avocats

T +33 1 43 12 80 80
F +33 1 43 12 80 99
E ccarlet@lmbeavocats.com
W www.lmbeavocats.com

Professional qualifications. Attorney with the Paris Bar

Areas of practice. Information and communication technologies law; compliance/personal data; intellectual property law (trade marks, designs, patents, copyright).

Languages. French, English


{ "siteName" : "PLC", "objType" : "PLC_Doc_C", "objID" : "1247334501307", "objName" : "Outsourcing France overview", "userID" : "2", "objUrl" : "http://us.practicallaw.com/cs/Satellite/us/resource/3-501-5679?null", "pageType" : "Resource", "academicUserID" : "", "contentAccessed" : "true", "analyticsPermCookie" : "2-3b01f5d1:15b13821225:32f8", "analyticsSessionCookie" : "2-3b01f5d1:15b13821225:32f9", "statisticSensorPath" : "http://analytics.practicallaw.com/sensor/statistic" }