Outsourcing: France overview
A Q&A guide to outsourcing in France.
This Q&A guide gives a high level overview of legal and regulatory requirements on different types of outsourcing; commonly used legal structures; procurement processes; formalities required for transferring or leasing assets; data protection issues; customer remedies and protections; contracting parties' remedies; dispute resolution; and the tax issues arising on an outsourcing.
To compare answers across multiple jurisdictions, visit the Outsourcing Country Q&A tool.
This Q&A is part of the global guide to outsourcing. For a full list of jurisdictional Q&As, visit www.practicallaw.com/outsourcing-guide.
For the rules relating to transferring employees, visit Transferring employees on an outsourcing in France: overview.
Regulation and requirements
The regulation of outsourcing for financial services was imposed by Directive 2006/48/EC relating to the taking up and pursuit of the business of credit institutions (Banking Consolidation Directive) along with Directive 2006/49/EC on the capital adequacy of investment firms and credit institutions. Those Directives have been implemented by the Law No. 2013-672 of 26 July 2013 on the Separation and Regulation of Banking Activities.
The outsourcing of financial services is subject to:
Monetary and Financial Code.
Regulations of the French Prudential Control Authority.
Financial Markets Authority Regulations.
The relevant provisions are included in the:
Monetary and Financial Code (Articles L522-14 to L522-18 and Articles L526-27 to L526-34).
French Ministerial Order of 3 November 2014 on the internal control of credit institutions and investment firms of the French Prudential Control Authority.
The General Regulation of the Financial Markets Authority.
The institutions concerned are:
Legal persons composed of either credit institutions or investments firms.
The customer is the company that is outsourcing and the supplier is the company entering into an agreement to manage the outsourced activity.
Obligations for these institutions include that:
Information must be given to the Prudential Control Authority and parties must ensure that the Prudential Control Authority can check the institution's compliance with its legal obligations.
The customer controls the outsourced activities.
The customer remains responsible for the obligations it has regarding its own customers and partners when the activity was outsourced. This is an essential part of its service.
The outsourcing activity must be subject to a written contract between the supplier and the customer.
Termination of the outsourcing arrangement must not prejudice the continuity or quality of the service.
The customer ensures that the supplier complies with the normal use of the service, and with the protection of confidential information.
The customer must install a safety mechanism in the case of a serious threat to the continuity of service.
The supplier cannot substantially modify the service provided without the prior approval of the customer.
The supplier must comply with the processes defined by the customer regarding the organisation of control. It must allow access, when necessary, to all information on the activity outsourced and notify of every event that can have an impact on its ability to perform its task.
If the supplier is based in a country that is not a member of the European Community and outside the European Economic Area (EEA), additional conditions apply:
the supplier must be entitled or authorised to exercise outsourcing activities for third parties in its country of origin;
the supplier must allow a "prudential surveillance" by the Financial Markets Authority; and
without compliance with these two conditions, the outsourcing agreement will only be recognised if, after notification to the Bank Commission of the Prudential Control Authority, no observations have been made for a period of three months.
No specific regulations apply.
IT and cloud services
No specific regulations currently exist for IT and cloud services. However, the French Data Protection Authority (CNIL) published recommendations on how best to comply with the general regulations when cloud services are concerned:
Clearly identify the data and processing operations that will be passed to the cloud.
Define the requirements for technical and legal security.
Carry out a risk analysis to identify the security measures essential for the company.
Identify the relevant type of cloud for the planned processing.
Choose a service provider offering sufficient guarantees.
Determine the service provider's legal qualification.
Assess the level of protection given by the service provider for the data processed.
There are no specific regulations.
Specific regulations apply to outsourcing in the public sector. Limitations are implied by the necessity to follow the legal framework of public procurement. The outsourcing of public sector activities to a private company must comply with the prior tender offer system.
For every potential outsourcing of personal data collection, a statement must be made to the French Data Protection Authority (CNIL).
Every payment institution willing to outsource some of its technical function of payment services must inform the Bank Commission of the Prudential Control Authority in advance.
Description of structure. In direct outsourcing schemes, the contract is signed directly between the customer and the supplier. The supplier has its own infrastructure and employees.
Advantages and disadvantages. The advantages of this structure are:
It is fast to implement.
There are high but defined costs.
The disadvantages are:
Absence of real control.
Less control on intellectual property protection procedures.
Privacy issues because of the transmission of data.
Description of structure. The customer outsources a number of separate activities to different suppliers.
Advantages and disadvantages. The advantage is that it is very flexible. The disadvantages are:
Difficulty of management.
Risk regarding quality of service.
Potential disruption to service.
Description of structure. The customer creates a new entity through a joint venture signed with a supplier for the outsourced activity.
Advantages and disadvantages. The advantage of this structure is the control on the outsourced activity. The disadvantages are:
Build operate transfer
Description of structure. The third party supplier is independent from the customer. The supplier builds a service and starts operating it before transferring it to the customer.
Advantages and disadvantages. The advantages are that it is quick to implement. The disadvantages are:
Risk to the quality of the service and risk of business disruption during the transition.
Procurement processes are only mandatory for the public sector and are subject to specific regulations.
Request for proposal
It is possible for an outsourcing contract to be directly concluded with the customer. Often, the outsourcing contract is offered by the supplier itself. The customer can have an open bid process where he presents a request for proposal to a number of potential suppliers.
Requests for proposals and invitations to tender are common even though they are not mandatory to conclude an outsourcing contract.
Tender of offer
This is the most common method used to select a supplier of outsourced services.
Each party must communicate the information that is necessary for the other to make an informed decision. The customer must verify certain aspects such as the:
Protection of Intellectual property.
Performance by the supplier on similar projects.
Transferring or leasing assets
Formalities for transfer
Any real estate transfers must be established by a notary.
IP rights and licences
A company transferring IP rights such as a trade mark, copyright or patent must ensure that it is entitled to transfer the rights. In order for the transfer of a trade mark or patent to be valid, it must be registered with the National Institute for Industrial Property (INPI) (Articles L.131-3, L.613-9 and L.714-1, Intellectual Property Code).
No specific regulation exists regarding movable property except for vehicles for which a transfer must be registered with the police department.
Any transfer of contract requires the approval of the other party, whether included in the contract before the outsourcing or obtained during a specific negotiation.
Data and information
Transfer of data must comply with Directive 95/46/EC on data protection (Data Protection Directive) and with the national regulations on the transfer of personal data. Generally, some form of notification must be given to the Data Protection Authority (CNIL) before any transfer. The conditions are more stringent for offshore transfer (see Question 18).
Formalities for leasing or licensing
No specific formalities are required to lease or license real property in an outsourcing agreement. However, if the lease exceeds 12 months, it must be declared to the Mortgage Register, after being executed before a notary.
IP rights and licences
As with the transfer of IP rights, the licensor must ensure that he is entitled to license those IP rights. The licence or sub-licence must be written and, as for trade marks and patents, be registered with the National Institute for Industrial Property (INPI) in order to be enforceable against third parties.
No specific formalities are required to lease or license movable property.
It is not possible to lease or license a contract. A contract can only be sub-contracted or transferred.
Data and information
Transfer by operation of law
The transfer of employees is regulated by Article L1224-1 of the Labour Code and Directive 2001/23/EC on safeguarding employees' rights on transfers of undertakings, businesses or parts of businesses (Transfer of Undertakings Directive).
According to Article L.1224-1 of the Labour Code, "in the event of a change in the employer's legal situation, in particular, as a result of inheritance, sale or merger of the undertaking, a change in its legal form or its incorporation, all employment contracts in force at the date of this change continue between the new employer and the company's staff".
Four conditions must be met for this provision to apply:
The existence of assets.
Employees dedicated to an activity.
The transfer and continuation of this activity by a new entity.
Continuity in the identity of the business.
Change of supplier
The change of supplier can impose the transfer of employees, if it complies with the conditions for the initial transfer.
Article L.1224-1 of the Labour Code applies to the termination of the contract. The same conditions and obligations apply as for the initial transfer.
For more information on transferring employees on an outsourcing, including structuring employee arrangements (including any notice, information and consultation obligations) and calculating redundancy pay, see Transferring employees on an outsourcing in France: overview ( www.practicallaw.com/9-575-0652) .
Data protection and secrecy
Data protection and data security
Data protection and security are governed by Act No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties implementing Directive 95/46/EC on data protection (Data Protection Directive).
General requirements. Generally, if personal data related to the employees is transferred to the new employer, the new employer can become either a data controller or a data processor. Data processing is allowed under the Data Protection Directive and French law under the conditions that the data is:
Processed fairly and lawfully.
Collected for specific, explicit and legitimate purposes.
Adequate, relevant and not excessive in relation to the purposes for which it is collected.
Accurate and kept up-to-date.
Security requirements. The supplier must offer warranties to ensure data security. A contract must be signed between the customer and the supplier specifying the instructions under which the supplier can process personal data. The data processor can only act under the conditions set in the contract. The customer remains as data controller, liable for any breach of data protection laws caused either by the data controller or the data processor.
Transfer of data to a non-EU member and a non-European Economic Area (EEA) country that is not recognised by the European Commission as offering an adequate level of data protection, requires additional conditions to be fulfilled. The most common way is the conclusion of a contract establishing measures of data protection, based on the European Commission Model Clauses and approved by the Data Protection Authority (CNIL).
Mechanisms to ensure compliance. Specific notification processes must be implemented with the CNIL.
Sanctions for non-compliance. Typically, sanctions for non-compliance of data protection provisions are a fine of up to EUR300,000 and a five year prison term.
Service specification and levels
The service specification is usually drawn up by the customer if he is at the origin of the outsourcing. Where the supplier started the idea of outsourcing, the service specification is usually written by him. The service specification must be negotiated and inserted in the contract. It must indicate the means put in place to ensure continuity of service and data protection measures.
Flexibility in volumes purchased
Charging methods and key terms
Customer remedies and protections
If the supplier fails to perform its obligations, the customer can terminate the contract or seek damages before the courts.
In order for termination to be valid, the breach must be serious and justify the impossibility for the customer to remain bound by this contract.
Under the general law, the customer must prove the supplier's wrongdoings or negligence, and prove that it caused him damage.
Warranties and indemnities
The supplier must:
Comply with regulations, including regarding data protection law.
Ensure continuity of service: a commitment to have the human, material and financial means necessary to provide the service in compliance with the industry standards.
Comply with the provisions of the contract.
Indemnify the customer where there is an IP rights infringement claim.
Term and notice period
The law does not impose any maximum or minimum term on an outsourcing. However, and as for every type of contract, perpetual commitments are prohibited by the law. An outsourcing agreement can be a fixed term contract, including a tacit renewal provision (that is, the contract is renewed automatically if none of the parties object to it).
The law does not regulate the length of the notice period required for termination. However the termination can be deemed unfair (Article L.442-6 I 5° , Code of Commerce) if the notice is not reasonable. Case law considers that the parties must take into account the length and stability of the commercial relationship to establish the reasonable duration of notice. The minimum standard recognised by case law is six months and it increases proportionally each year. The contract must establish how the reasonable notice is calculated.
Termination and termination consequences
Events justifying termination
Typically, no predetermined events can justify termination.
The law establishes that termination is always possible when one of the parties does not comply with its obligations. The termination of the contract can be put before a judge to obtain both the termination of the contract and damages (Article 1184, Civil Code).
Insolvency does not justify termination of a contract. However, the law establishes a specific mechanism to terminate a contract in the case of bankruptcy.
IP rights and know-how post-termination
No implied rights can allow the supplier to continue to use licensed IP rights. The parties can conclude a licensing agreement outside the outsourcing contract allowing the supplier to use the IP right in exchange for a fee. The parties can also insert a clause asserting that the contract termination does not affect the IP right licence agreement.
Typically, the customer does not have any right to gain access to the supplier's know-how post-termination. Any use of the supplier's know-how amounts to an act of passing off (unfair competition). However, the customer can gain access to the supplier's know-how if the provision is inserted in the agreement.
Liability, exclusions and caps
Typically, direct damages (certain, foreseeable and that are a direct consequence of the breach) can be compensated, but not indirect damages. Indirect damages are not defined by law but the parties can define them and include this definition in the contract, for example:
Loss of profits.
Loss of revenue.
Loss of data.
The parties can agree a cap on liability in a business to business (B2B) contract. To be valid, the cap on liability must be reasonable and freely agreed. The cap on liability is typically not enforceable in the case of:
Death or injury.
The parties can agree on a cap of indemnities. However, the same limitations apply regarding the applicability of this cap. The cap is unenforceable in cases of gross negligence, wilful misconduct, death or injury.
The law did not establish a specific tax regime for outsourcing. However, Article 57 of the Tax Code can apply to an outsourcing contract. It provides a tax adjustment procedure for companies that are dependent on or that control enterprises situated outside France for profits indirectly transferred to the latter.
The companies meeting those criteria must produce information on the transfers and the related companies. The tax adjustment procedure applies to companies established in a jurisdiction outside France where the tax regime is privileged (Article 238A, Tax Code), even if the company established in France does not control nor is dependent on the supplier.
Transfers of assets to the supplier
This can be subject to registration and to the payment of VAT.
Transfers of employees to the supplier
The transfer of employees can be seen as a transfer of assets.
VAT or sales tax
The ordinary rate of 20% applies to the provision of services. The VAT paid by the customer is deductible if the customer is liable to VAT.
Description. Official and up-to-date transcripts of the French legislation and jurisprudence.
Description. Non-binding translations of legal codes.
Description. English version of the Data Protection Authority's website. Contains up-to-date but partial information on the CNIL's regulations.
Description. English version of the Financial Markets Authority's website. Up-to-date and reliable. However, only the French version of the General Regulation is binding.
Description. English version of the Prudential Control Authority's website. It is up-to-date and reliable. However, only the French version of the French Ministerial Order is binding.
Raphaël Dana, Partner
Professional qualifications. France, Avocat au Barreau de Paris, 2000
Areas of practice. Software licensing; support and maintenance agreements; outsourcing agreements; cloud; e-commerce solutions; technology transfer agreements; big data-related questions and projects; personal data audits; Data Protection Authority (CNIL) litigation; computer security; data breaches; litigation.
- Assisted a client in a tough contract negotiation for the implementation of software-as-a-service (SaaS) solutions with one of the five biggest industrial groups in France. Worked on the other party's standard terms, which were not suitable for a SaaS type of agreement. Negotiated most of the crucial IP clauses and explained to the other party why this was mandatory.
- Assisted a client in various contract negotiations (software licence agreement, maintenance and support services and bespoke IP rights transfer agreements). Their activity included the development and implementation of bank messages filtering solutions, with the biggest financial institutions in the UK, the US and France.
- Assisted and represented a client in a negotiation of complex contractual arrangements with the biggest Swiss-based outsourcing company, who in turn negotiated with the biggest local financial organisations.
- Assisted a client in a current pre-contentious matter against a Swiss bank in the implementation of a software solution where the financial organisation decided to change its internal IT organisation after having signed the licence agreement and related documentation with the client.
Languages. English, French
- Member of ITECHLAW (International Technology Law Association).
- Member of ADIJ (Association for the Development of IT Law).
- Member of AFCDP (French Data Privacy Correspondent Association).
- French chapter "E-Commerce 2015", Getting the Deal Through, Law Business Research, London, October 2014.
- French chapter "Outsourcing 2015", Getting the Deal Through, Law Business Research, London, September 2014.
- "Monitoring in the workplace", Law Business Research, London, August 2014.
- "Google Inc. ordered to pay a EUR150,000 fine by the French Data Protection Authority", January 2014.
- "The French Narrowly Escape Introduction of a Centralised Biometric Database", American Bar Association (International Law News) Information, Privacy and Security, Fall 2012, Vol. 41, No. 4, November 2012.
- In depth analysis of the biometric database developments in France, Data Protection Law and Policy, April 2012.
- "Data Protection and Privacy: Jurisdictional Comparisons" (author of the French chapter), European Lawyer Reference Series, January 2012.
- "Precisions on the contents of marketing emails and creation of an obligation to notify personal data breaches" (French version), LexisNexis JurisClasseur Communication Commerce Electronique, The Order 2011-1012 of August 24, 2011, October 2011.
- "Overview of Employment and Employee Privacy Laws and Key Trends in France", www.nymity.com, July 2011.
- "Bill on improving data privacy in the digital age: an analysis", Data Protection Law and Policy, May 2011.
- "Complying with Divergent Privacy Laws in the US, EU and Abroad", Speaker, American Conference Institute, Data Privacy Protection for Life and Health Sciences, Philadelphia, USA, October 2010.
- "Privacy Backgrounder and Hot Topics for France", www.nymity.com, August 2010.
- "Analysis of recent French case law on whistleblower systems" (English translation and original French version), LexisNexis JurisClasseur Communication Commerce Electronique, June 2010.
Clémentine Carlet, Associate
Professional qualifications. Attorney with the Paris Bar
Areas of practice. Information and communication technologies law; compliance/personal data; intellectual property law (trade marks, designs, patents, copyright).
Languages. French, English