Danish law does not separately regulate outsourcing transactions. This is aside from the exceptions in relation to the financial industry (see Question 2, Other Legal or Regulatory Requirements).

IT and Cloud Services. There are no additional general regulations specifically relevant to the outsourcing of an IT system.

However, if the outsourcing includes an IT system in which personal data is processed, and the IT system is listed in the executive order issued in accordance with section 3(9) of the Danish Data Protection Act (Act No. 502 of 23 May 2018) (DDPA), then the underlying infrastructure, transformation components, databases and encryption keys of the IT solution must not leave Denmark because of the risks associated with the system (based on the factors of the above risk assessment).

Further, if the outsourcing operations include the export of software technology, hardware or IT know-how falling within certain categories, such export may be regulated by Danish export regulations, mainly the Danish Enterprise and Construction Authority Executive Order No. 475 of 14 June 2005 on Export of Dual-Use Products and Technology (Export Executive Order) and the Ministry of Business and Industry Consolidating Act No. 474 of 14 June 2005 on the Application of Certain European Communities Acts on Economic Relations to Third Countries (Enabling Act).

Also, when outsourcing IT functions and using cloud services this will often entail a transfer of personal data to the supplier or the cloud provider.

If the outsourcing includes the processing of personal data and accounting information, the Danish personal data protection regulations and general accounting regulations apply. In respect of personal data protection regulation, the customer (the transferor) must ensure that such a transfer is possible and that the supplier has the abilities to act as a data processor (see Question 9).

Under section 10 of the Danish Accounting Act (Consolidated Act No. 648 of 15 June 2006), any accounting information must be stored and kept in Denmark for five years. It is possible to request an exemption at the Danish Commerce and Companies Agency for keeping the accounting information permanently in Denmark. However, the Danish Commerce and Companies Agency only grants such permission under special circumstances where the following minimum requirements are fulfilled:

Telecoms. There are no additional regulations specifically relevant to the outsourcing of telecommunication services such as wide area network and telephony. However, if the telecommunications outsourcing involves any transfers of spectrum licences held by the customer or relevant third parties, the Danish Act on Radio Frequencies (Act No. 151 of 27 January 2021) may be relevant. As a starting point, transfers of spectrum licences require permission from the Danish Energy Agency (Energistyrelsen). A licence holder must notify the Danish Energy Agency immediately after a transfer agreement has been concluded.

Public sector. Depending on the nature of the contract and its value, a public sector outsourcing can be subject to the Danish regulations, which implement Directives 2004/17/EC and 2004/18/EC (Public Procurement Directives), and the Danish Act on Public Procurement (Act No. 1564 of 15 December 2015). If so, the awarding authority can be required to:

The EU public procurement rules are likely to have a significant effect on the:

Even where an outsourcing by a public body falls outside public procurement legislation, the awarding authority should still generally seek to comply with the overall purpose of the legislation (OJ C179/2).

EU Directives on public procurement (Public Sector Directive (2014/24/EU) and Utilities Directive (2014/25/EC)) were adopted in February 2014 and have been implemented in Denmark. The legislation implementing the Directives imposes rules on concession contracts, under which the outsourcing provider is given the right to exploit works or services forming the subject matter of the contract. An example would be the outsourcing of the operation of a leisure centre by a public body to a private sector provider, with the latter being remunerated primarily by charging entrance fees to the public (rather than being paid a management fee by the public body). Although the new rules introduce a number of changes, their key relevance as regards outsourcing remains as stated above.

If the contract value is above DKK500,000 excluding VAT, but below the threshold values set out in the Executive Orders in the Consolidated Act on Tender Procedures for Public Work Contracts (Act No. 1410 of 7 December 2007) will apply and sets out the procedure for such procurements.

Other. Any prospective supplier or customer should always ensure that a proposed outsourcing is not subject to any additional sector specific regulatory requirements.

Financial services. Danish financial undertakings are subject to the Danish Financial Business Act (Consolidated Act No. 1146 of 11 September 2020) (Financial Business Act), as well as the specific Executive Orders issued under this legislation. The Financial Business Act imposes restrictions on the outsourcing of certain types of financial services by a financial institution (known as a "financial undertaking" under the Financial Business Act). Further, some restrictions on outsourcing follow from the general duties imposed on financial undertakings by the Financial Business Act.

A prevailing principle of the Financial Business Act is that financial undertakings' compliance with the Financial Business Act remains with the financial undertaking even after any functions have been outsourced to a third party. Any outsourcing contract must therefore include adequate provisions to ensure that the financial undertaking is at all times able to monitor and audit the activities of the supplier. Under the Financial Business Act, the main regulatory responsibilities for financial undertakings in respect of outsourcing activities are the following:

Insurance. See above, Financial services.

The European Insurance and Occupational Pension Authority (EIOPA) issued a consultation paper on 1 July 2019 on the draft guidelines for outsourcing to cloud service providers (EIOPA Guidelines). On 6 February 2020, the EIOPA issued the final report on the guidelines (EIOPA-BoS-20-002).

The EIOPA Guidelines apply to competent authorities and insurers and reinsurers (undertakings) and are intended to clarify how the outsourcing provisions in the Solvency II Directive (2009/138/EC) and Commission Delegated Regulation (EU) 2015/35 should be applied in cases of outsourcing to cloud service providers.

In addition, to avoid regulatory fragmentation, the EIOPA Guidelines are intended to mirror and take account of the EBA Guidelines and the General Data Protection Regulation ((EU) 2016/679) (GDPR), which may also apply to such undertakings. The EIOPA Guidelines have applied since 1 January 2021, and undertakings should review and amend accordingly existing cloud outsourcing arrangements to ensure compliance by 31 December 2022.

The EIOPA Guidelines will not be implemented into the Danish legislative framework, as Delegated Regulated article 274 regulates outsourcing for insurance and reinsurance undertakings at an EU-level.

Financial undertakings conducting financial services must give notice to the Danish Financial Services Authority (FSA) in due time in relation to any:

Failure to give this notice to the FSA can result in a fine or in criminal liability for the registered company under Chapter 5 of the Danish Criminal Code (Act No. 1851 of 20 September 2021).

See Question 2, Other Legal or Regulatory Requirements: Financial Services.

If an outsourcing agreement falls within the scope of the EU Merger Regulation ((EC) 139/2004), it must be notified to the European Commission and implementation of the transaction must be suspended pending clearance.

The Danish Act on Competition Consolidated (Act No. 360 of 4 March 2021) regulates merger control within Denmark. A merger situation arises when both of the following occur:

The merger control rules only apply if one of the following criteria of the merger is met:

If these criteria are met, the Danish Competition and Consumer Authority must be notified after either:

See above, Merger Control.

The simplest and most common structure is a direct outsourcing (that is, an outsourcing contract between the customer and the supplier). This can comprise one or more separate contracts dealing with core issues (for example, price and duration) with detailed schedules that set out:

If the proposed supplier is not the main trading entity within its group, or does not have sufficient assets to meet its potential contractual liabilities, the customer will usually require the supplier's parent company to issue a parent company guarantee in the customer's favour.

This structure allows the supplier to integrate the provision of services and any transferred employees into its business, thereby increasing the potential for achieving cost synergies and service improvements.

Direct outsourcing arrangements allow the customer to streamline its operations and take advantage of savings achieved by a large supplier due to scaling. By retaining a third party to take care of non-core operations, the customer will be better able to focus on the core areas of its business. Many of the potential issues associated with outsourcing are dependent on the sector in which the customer operates and the activities being outsourced. For example, quality control is vital to protect against reputational damage sustained as a result of poor service in call centres. The customer may also find it has less control over the outsourced services and although the goal is to receive a better product, the customer may find itself in a position where the services are worse than before the outsourcing.

This structure is used to some extent in Denmark but requires a mature customer and mature suppliers.

The customer enters into contracts with different suppliers for separate elements of its requirements. The number of multi-sourcing arrangements is increasing due to the higher level of expertise required by the customer leading them to receive the services from different high-level suppliers. The issues are generally similar to those experienced in a direct outsourcing (see above, Direct Outsourcing) but, in addition, the customer must ensure interfaces/service integration between the different services are carefully managed to encourage the seamless provision of an overall service. This will usually involve requiring suppliers to participate in a joint governance process involving, for example, regular meetings of all parties and a procedure designed to resolve differences/disputes. The customer may also wish to impose contractual obligations on suppliers to co-operate with one another without the involvement of the customer.

The structure shares similar advantages and disadvantages to direct outsourcing, but the need for effective interfacing between the various suppliers can introduce additional costs and complexity for the customer who may have to step in and take over the service integration if the suppliers cannot agree on a joint effort within this area. One advantage can be avoiding over-reliance on a single supplier (but only where identical services are sourced from several different suppliers). Another advantage can be that it is possible to receive services that require higher level of expertise, that is, specific kinds of software from different suppliers, resulting in an end-product of a higher quality. A disadvantage of this approach is that there is a risk that the suppliers will not work constructively together.

This is similar to a direct outsourcing (see above, Direct Outsourcing), except that the customer appoints a supplier that immediately subcontracts to a different supplier. Often, the second supplier is located outside Denmark, and the first supplier is based in Denmark. This structure is used to some extent in Denmark.

The structure shares similar advantages and disadvantages to direct outsourcing, but it is potentially harder for the customer to police the activities of, and enforce its rights against, the overseas supplier. The resulting level of management and risk-sharing can erode some of the potential cost savings.

This is not a commonly used structure in Denmark. Under the joint venture model, the customer will transfer assets, employees and the service provision to a special purpose vehicle jointly owned by the customer and the supplier.

Advantages of this structure include the following:

In relation to disadvantages, the supplier will not be able to fully integrate the provision of services with its own delivery processes and delivery infrastructure which in turn will decrease the potential for achieving efficiency gains.

A captive entity is one where the company sets up a satellite business function in another jurisdiction to exploit local cost savings. Hence, the business function is not outsourced to a third party but performed by the company remotely, meaning that the company retains full control. For example, a company can create a captive entity in a lower cost region, such as Poland, to carry out software development and project management, provided the resources are available.

This structure is used to some extent in Denmark.

Advantages differ depending on what type of work is being carried out in the captive entity. Across most captive entities, the main advantages include:

The disadvantages include:

The BOT structure is similar to a captive entity, but where the process of building and stabilising the running of the entity is outsourced to a supplier, after which the entity is transferred to the company. This structure is used to some extent in Denmark.

The advantages of the BOT structure include:

The primary disadvantage is that the company does not have absolute control over the entity, meaning that the risks pertaining to data security, information security and IP rights are higher than when using a captive entity.

For first time outsourcers, a competitive procurement process is customarily used. This process will entail that the customer will have prepared a description of services to be provided, set out service levels and drafted a contract. Additionally, all relevant documentation in terms of employees, operational statistics, site information, IT architectural strategy and similar information will be made available under applicable confidentiality agreements for the suppliers to perform due diligence to assess to what extent they can provide the services.

Depending on the outsourcing, the customer may do some initial market testing where an informal dialogue is held with a number of potential suppliers to see whether they would be interested in participating in a request for proposal (RFP).

Usually, the customer provides a high-level description of what will be outsourced and then asks a number of potential suppliers to provide written information about their capabilities in providing the prospective services.

The number of suppliers vary depending on the outsourcing, but usually six to eight potential suppliers are invited to submit information.

See below, Request for Proposal.

A request for quotation is a process, where a number of suppliers, usually three to six, are asked to provide a bid for specific products and services. A request for quotation is most suitable where the products and services being outsourced are as standardised and commoditised as possible, to ensure the quotes are comparable. However, often services are not standardised and commoditised, such that a company would be better off conducting a request for information followed by a request for proposal.

Based on the request for information, a number of vendors will be invited to submit proposals. The format of the RFP prepared by the customer will include all information pertaining to the outsourced services, including the first draft of a potential contract.

After evaluation of the bids, the customer will shortlist the bidders, primarily based on the commercial items and the proposed solution. However, the customer will also consider any reservations that the bidders have raised to the legal documents while shortlisting the bidders.

The supplier conducts due diligence of the business process subject to the intended outsourcing from the customer in order for the supplier to prepare its offer. The timing of this due diligence varies from project to project. However, from a customer perspective it is not attractive that a detailed due diligence will take place after signing, as this will often lead to price increases or re-negotiation at a time when there are no competing tenders. Therefore, detailed due diligence is most often completed prior to signing as part of the negotiation process.

After evaluation of the bids, final negotiations are made with one or two vendors.

In connection with the transfer of a real property, a deed of conveyance must be completed for registration with the registration authority. The deed of conveyance must contain the following minimum information:

Transfers of registered EU trade marks and designs must be registered with the European Union Intellectual Property Office (EUIPO) to have effect against a third party. No requirements of notification of the Danish Patent and Trademark Office apply to the transfers of IP rights such as copyrights, non-EU trade marks, patents, utility models and non-EU designs, notwithstanding whether the IP right is registered with the Danish Patent and Trademark Office. However, it is recommended to enter into a transfer agreement and register the transfer if the IP right is a registered right, which will then ensure written documentation of the transfer.

Transfers of licences of registered EU trade marks and designs must be registered with EUIPO to have effect against a third party. Transfers of licences of other IP rights do not require any registrations to be undertaken to have effect against a third party. However, it is advisable to enter into a transfer agreement and the licence should be registered with the relevant authorities, if the IP right in question is a registered right.

In general, IP rights provided under a software licence agreement will not be assignable under Danish law, unless the licensor has granted the licensee such right. This means that a business looking to outsource will need to acquire consent from its software licensors, if the supplier will use the software in question to provide services to the business outsourcing. In practice, a right to assign is granted under the software licence agreement. Although this issue is not firmly settled by the courts, it is in general recognised that the mere operation of software by a third party in infrastructure outsourcing will require consent from the licensors.

Transfers of movable property do not require any formalities to be undertaken. However, the transfer of motorised vehicles must be registered with the Danish office for motorised vehicles.

Transfer of contracts to a new debtor will in general require consent from the creditor, subject to any specific agreement between the parties implying otherwise.

Danish legislation imposes controls on the export of certain goods such as technology which can be used for military or paramilitary purposes. In such cases, a licence may be required to facilitate the transfer of assets to a provider based outside Denmark. However, in practice, it is unusual for outsourcing transactions to be affected by these controls.

There are no formalities as such for the transfer of data and information, provided that the data and information does not comprise personal data, which is regulated under the GDPR and DDPA. Instead, contractual provisions are included for providing access to such data or information and regulating how it is used. If there is copyright in the data or information which is transferred, then the copyright will have to be transferred in writing (see above, Immovable Property). The transfer of personal data is restricted by data protection legislation. The transfer of personal data may be restricted due to the purpose of collecting the data, which may not justify the transfer of personal data and principles of data minimisation. For the overseas transfer of personal data, see Question 9.

In the following it is assumed that the lease of the real property is between two businesses. Such commercial leases are regulated by the Danish Business Leases Consolidated Act (Act No. 1218 of 11 October 2018) (Business Leases Act) under which a number of terms are mandatory.

A written lease is not required by law, unless a specific request is made by either the landlord or the lessee. However, it is advisable to enter into a written agreement. The written agreement must contain details on the costs payable by the lessee and the landlord.

A written lease can be registered with the Registration Authority if it contains provisions to the advantage of the lessee exceeding those provided under the Business Leases Act.

Term and termination. Usually, leases are made for an indefinite period but fixed terms can be agreed. For such time limit to be legal, the landlord must provide a sufficient reason.

Leases unlimited in time may be terminated by the lessee giving three months' notice. If the lease is time limited, it is non-terminable for either party by default. The right of termination of the landlord is restricted by the Business Leases Act under which the landlord can only effect termination for material breach by the lessee or under certain circumstances set out in the Business Leases Act, for example, the landlord needing the leasehold for its own use.

Assignment and sublease. If not otherwise agreed in the lease, the Business Leases Act entitles the lessee to assign its lease to another lessee on identical lease terms, provided that the new lessee operates within the same business area as the lessee and the landlord does not have any strong reason to oppose the assignment.

The lessee is only entitled to sublet the premises, if it is explicitly permitted under the lease.

See Question 6.

A written lease should be entered into as a matter of good practice to record the terms agreed.

Generally, the notion of leasing a contract in whole or licensing it to a third party is not known in Denmark. In practice:

Therefore, good practice dictates that the customer should:

For information on transferring employees in an outsourcing transaction in Denmark, including structuring employee arrangements (including any notice, information and consultation obligations) and calculating redundancy pay, see Country Q&A: Transferring Employees on an Outsourcing in Denmark: Overview.

For all EU member states, the GDPR applies to the processing of personal data wholly or partly by automated means, or other than by automated means, if the data forms part, or is intended to form part, of a filing system (Article 2(1)). The GDPR defines personal data as "any information relating to a data subject" (Article 4(1)). For more details on the GDPR, see Practice Note, Overview of EU General Data Protection Regulation.

General requirements. The GDPR applies directly in Denmark and is supplemented by the DDPA.

As part of an outsourcing arrangement, the customer (the data controller) often assigns the processing of personal data to the supplier (the data processor), which the supplier then processes on behalf of the customer, for example, hosting of personal data in IT outsourcing or payroll administration in relation to business process outsourcing.

The supplier can only process the transferred personal data in accordance with the GDPR and the DDPA. This means that the supplier's processing of personal data must be based on the customer's written instructions and that as part of the outsourcing arrangement, the parties must enter into a data processing agreement which meets the requirements of Article 28 of the GDPR.

Initial risk assessment and due diligence. Under Article 28 of the GDPR, the customer (data controller) can only use a supplier (data processor) who can provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subjects. This requirement means that the customer must conduct an initial risk assessment (that is, due diligence) of the supplier to establish whether the supplier can guarantee compliance with the requirements of the GDPR.

Typically, the initial risk assessment exercise is performed through the use of security questionnaires, in which the supplier is asked to describe in detail how processing is performed and the security measures in place.

Liability. Being the data controller, the customer remains liable towards the data subject for a breach of the data protection requirements, even if the breach is due to the fault of the supplier or the supplier's subcontractors.

However, liability for the supplier's breach of data protection requirements can be regulated in a variety of ways, including through the use of indemnification clauses and limitation of liability clauses. How the matter is regulated will depend on the bargaining power between the customer and supplier and the risks under the agreement (for example, if they process sensitive data on a large scale).

If it is not possible to obtain an indemnification from the supplier for breach of data protection requirements, the customer must be made aware of which losses are considered direct and indirect, as the supplier will usually seek to exclude liability for indirect losses.

In Denmark, it is not possible to seek an indemnity for fines, as the fine will then lose its penal effect (section 50(3), Danish Criminal Code). Thus, the customer cannot ask the supplier to indemnify the customer for a fine issued to the customer concerning an event for which the supplier is responsible.

Personal data breach. In the event of a personal data breach, the customer, being the data controller, must report the breach to the Danish Data Protection Agency without undue delay and at least within the 72-hour deadline set by Article 33 of the GDPR, unless the personal data breach is unlikely to result in a risk to the data subject(s). Therefore, in the outsourcing agreement, it is important to consider and regulate when and how the supplier must notify the customer of a personal data breach. A contract standard regulating how quickly the supplier is required to notify the customer of a breach has not become common practice yet. However, when setting the timeframe, the customer must have enough time to assess the information received by the supplier and, if necessary, ask the supplier to provide further information. From a customer perspective, the timeframe for receiving a notification of a personal data breach from the supplier should preferably not exceed 24 hours, and in no event more than 36 hours from the time the supplier becomes aware of the personal data breach.

The war-rule. Denmark has adopted a special rule known as the "war-rule", according to which the Danish Minister of Justice in consultation with the relevant minister is authorised to lay down rules to the effect that personal data processed in specified IT systems on behalf of public administrative bodies, must be stored, in full or in part, exclusively on servers located in Denmark. The war-rule, which is found in section 3(9) of the DDPA, entails that the underlying infrastructure, transformation components, databases and encryption keys of the IT solution must not leave Denmark because of the risks associated with the systems (based on the factors of the above risk assessment) (see above, Initial risk assessment and due diligence).

On 30 June 2020, the Danish Minister of Justice issued Danish Executive Order No. 1104 of 30 June 2020, which states that the following IT systems are covered by the war-rule:

Use of sub-processors. If the supplier uses sub-contractors to process personal data under the agreement (sub-processors), the sub-processors must provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject. Further, a separate contract between the supplier and the sub-processor must be formed to meet the requirements of Article 28 of the GDPR. The data processing agreement with the sub-processor must be on back-to-back terms with any data processing agreement between the customer and the data processor ensuring that the same data protection obligations that are imposed on the data processor are also imposed on the sub-processor. If the sub-processor fails to fulfil its data protection obligations, the initial processor remains fully liable to the controller for the performance of the sub-processor's obligations (Article 28(4)).

Transfer of personal data to third countries. Provided the war-rule does not apply, personal data can be transferred to a service provider outside the EU if either the:

A contract with a data processor outside the EU must be approved by the Danish Data Protection Agency before transferring any data if the contract differs from the approved EU model clauses.

If the service provider has remote access to the personal data, such remote access constitutes a transfer of data to the service provider, even though the data remains on the customer's server.

Security requirements. The customer and supplier must adhere to the security requirements set out in Article 32 of the GDPR. According to Article 32, the customer and the supplier must, among other things, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk and must ensure compliance with those measures on an ongoing basis.

Mechanisms to ensure compliance. Article 32(3), which refers to Article 40-42, of the GDPR points to the use of certification mechanisms and approved codes of conduct as elements in measures to demonstrate compliance with the security requirements laid down by Article 32(1) of the GDPR.

As of August 2021, no codes of conduct have been approved in Denmark.

In respect of certification mechanisms, the International Organisation for Standardization's (ISO) 27001 standard, which is the privacy extension to the international information security management standard, ISO 27001, can be used as a measure to demonstrate compliance with the security requirements laid down by Article 32(1) of the GDPR. See also below, International Standards.

Certification mechanisms and approved codes of conduct are only voluntary measures, which can be used along with other factors, to demonstrate compliance with the security requirements set out in Article 32(1) of the GDPR. Therefore, certification mechanisms and approved codes of conduct can never in themselves serve as documentation for compliance, but it is recommended to make use of both to ensure compliance and assist with demonstrating compliance.

In addition to certification mechanisms and approved codes of conduct, audit statements are also useful tools to ensure and document compliance with data protection requirements in an outsourcing arrangement. In Denmark, it is market practice that the supplier provides the customer with an audit report (for example, annually). An audit report in the form of an ISAE 3000 (the standard for assurance over non-financial information) is specifically designed to demonstrate compliance with GDPR requirements.

Sanctions for non-compliance. Failure to comply with the data protection legislation in Denmark may result in fines set under the GDPR. There are two tiers of administrative fine for non-compliance with the GDPR, depending on the type and scope of the infringement:

General requirements. Banking secrecy is regulated in Chapter 9 of the Financial Business Act, which applies to certain financial undertakings, including banks, mortgage-credit institutions, investment firms, investment management firms and insurance companies.

Under section 117, any person who receives confidential information during the performance of their duties for a financial undertaking is subject to a general duty of confidentiality. The duty of confidentiality entails that confidential information must not be used or divulged without due cause or, alternatively, without obtaining the consent of the customer.

There is no definition of the scope of "due cause". What constitutes due cause will therefore be determined on a case-by-case basis and according to the types of data being transferred. However, the FSA interprets due cause narrowly. In addition, any information on a private customer will not be divulged for the purpose of marketing or consultancy unless prior consent has been obtained from the customer according to section 121(1) of the Financial Business Act.

Further, there are only a limited number of exemptions to the duty of confidentiality. The main exemptions are:

Security requirements. From a banking legislation viewpoint, there are no specific requirements in relation to customer data. See above, Data Protection and Data Security.

Mechanisms to ensure compliance. The financial undertaking must prepare guidelines on the extent to which information can be divulged from the financial undertaking. The guidelines must be made available to the public.

Further, as part of prudent operation, financial undertakings must ensure that the recipient of confidential information is aware of the duty of confidentiality that follows from receiving the information, for example, by making the duty of confidentiality known to the recipient in an outsourcing agreement.

Sanctions for non-compliance. Breaches of the banking secrecy legislation are punishable with fines and, in more serious cases, by imprisonment for up to four months (section 373(1), Financial Business Act). More severe penalties can also be imposed under other legislation such as the Danish Criminal Code. Financial undertakings can be fined up to DKK50 million. When determining the level of the fine, the severity of the violation and the size of the financial undertaking in breach will be taken into account.

General requirements. There are no general legal requirements relating to confidentiality of customer data. However, as a market standard, the supplier must handle customer data as strictly confidential under outsourcing agreements.

The processing of customer data of natural persons (which is automatically considered personal data), will be subject to requirements set out in the data protection legislation.

Security requirements. See above, Data Protection and Data Security: Security requirements.

Mechanisms to ensure compliance. Aside from warranties and indemnities provided by the supplier relating to customer data, a breach of customer data confidentiality is considered a material breach of the outsourcing agreement, ordinarily entitling the customer to terminate the agreement for cause with immediate effect.

Sanctions for non-compliance. A breach of customer data confidentiality is usually set out as a material breach of contract, which entitles the customer to terminate the agreement for cause with immediate effect.

In Denmark, ISO 27001 has been chosen as the official information security standard applicable to all government authorities. ISO 27001 has mandatorily applied to all government authorities since January 2014. All other public authorities must comply with the principles set out in the standard.

With Denmark being a member of the EU, the FSA will follow international standards issued by the European Supervisory Authorities with respect to banking secrecy and international standards implemented through EU legislation.

An outsourcing customer may want to include compliance-related provisions in the outsourcing agreement to ensure compliance throughout the entire supply chain for various reasons, including mandatory legal obligations.

Typically, outsourcing agreements contain mandatory legal obligations ranging from data protection compliance, EU anti-money laundering and anti-bribery obligations and export control.

In recent years, the general focus on corporate social responsibility has increased, particularly among major corporations. It is market standard for an outsourcing customer to make its code of conduct an integral part of the contract and require the supplier and any sub-suppliers to comply with that code of conduct. Typically, such codes of conduct include reference to UN resolutions on for example, human rights, the use of child labour and health and safety in the workplace. Further, it is also becoming market standard to include requirements for environmental and sustainability awareness in these codes of conduct.

Another increasingly-important area of compliance is IT security, to ensure security throughout the information supply chain. Any potential weaknesses in a supplier's or sub-supplier's systems can potentially expose the outsourcing customer to security and/or data breaches (see Question 9).

The outsourcing customer may consider including provisions in the outsourcing agreement with the direct supplier requiring said supplier to introduce identical compliance requirements and similar supply chain provisions in the agreement with their sub-contractors, and their sub-sub-contractors and so on. This is to ensure that the entire supply chain complies with the initial customer's compliance related requirements. Compliance with such provisions can be ensured through direct supplier and sub-contractor audits.

Today, the delivery of outsourced services is based mostly on output requirements. This means that elaborate specification of how the services will be delivered are not made. Instead, requirements tend to take the form of:

Such process requirements will not set out in detail how a process such as service level management or availability management is conducted but will set out general requirements as to what the process in question will cover in addition to reporting requirements. For example, a specification could be that a service must be available 99% of the time, or that 95% of the produced products must be perfectly manufactured. It would then need to specify what "perfectly manufactured" means.

Such output service levels are typically designated by the customer based on existing service levels. The process requirements may be drafted by the customer or its external consultants or in co-operation with the supplier taking the benefit of the supplier's standard process documentation.

The documentation of services is usually made so that there is cohesion between and a similar structural approach in the service catalogue, the specification of service levels and the price catalogue. This way, a customer will be able to identify the price of a particular service delivered at a particular service level. Often, a number of optional service levels may apply to a certain service and the customer will make its choice of service level based on its business needs.

The service levels are either integrated in the service description or set out in a separate schedule. In both cases the service levels are an integral part of the contract documentation.

Contrary to previous practice, service levels regimes are today designed as a flexible tool. General mechanisms for introducing new service levels are agreed. Such mechanisms may include a break in period for new service levels; the performance in the break in period will form the basis of service levels to be set. Additionally, customers will generally have the right to assign service credits to agreed service levels within a total at risk amount, therefore enabling a customer to redirect service credits to areas of service where the performance is suffering.

Additionally, continued improvements may be built into a service level scheme requiring the supplier to improve the performance of service levels on a yearly basis and increase the service levels to be achieved on a contract year by contract year.

It is customary to include a range of escalation mechanisms in the contract documentation to address breaches of supplier obligations, particularly agreed service level obligations or other specified requirements for the delivery of the services.

The initial step would be to escalate through the governance set up agreed between the parties to ensure the right resources are being allocated to where attention is needed and require the supplier to conduct a root cause analysis. Further, the customer often has the right to change the weight of KPIs in respect of the at-risk amount, to encourage the supplier to improve on certain parts of the delivery of services to avoid payment of service level credits.

It is customary for the customer to introduce increased monitoring of the supplier's performance either on all or specific parts of the services provided. Such increased monitoring is typically carried out in one of the following ways:

If the supplier continues to perform poorly, the customer can exercise its right to step-in and take over the provision of services on management level either with its own personnel or through a third party acting on behalf of the customer. This step-in right is used to ensure adequate performance of the services for a limited time, that is, until the specific issue can be addressed. However, it is not very common for customers to exercise their step-in rights. In practice, merely the right for the customer to step-in is sufficient pressure on the supplier to increase the level of the performance. However, as the services are becoming more complex and as cloud services become part of the outsourcing arrangements, a step-in right may not be the most suitable remedy to exercise under the agreement.

Furthermore, it is often the case that the level of performance by the supplier for the customer to exercise its step-in rights is considered a material breach of the outsourcing agreement, and often the customer would rather have the poor performance fixed before it reached the level of material breach. In the event that the level of performance has reached a material breach (which is often pre-defined, for example, where the maximum penalties in the service level measurements have applied during the past three consecutive months), the customer is entitled to terminate for cause, which is ordinarily effective immediately. If the poor level of performance is not sufficient to terminate the agreement for material breach, outsourcing agreements in general, entitle customers to terminate agreements for convenience by providing proper termination notices. In Denmark, it is rare to see termination for breach: parties usually go far in their efforts to resolve any disputes and non-performance.

Organisations will usually have different types or governance models implemented depending on the type of outsourcing and the complexity. Outsourcing governance models will usually have a steering committee/executive management board set up at the highest governance level and can include, for example:

See also Question 25 to 31 regarding remedies and dispute resolution mechanisms.

It is common to provide change management procedures in outsourcing contracts. The customer will often have a right to require changes to the services during the term and the supplier will have a right to propose changes, subject to the customer's discretionary approval. In the case of disputes over whether a change would be separately payable, the customer has a right to require delivery of the change while the parties settle the dispute regarding payment under the "deliver/fix first, settle later" principle (see Question 20).

The change management procedure may also include a principle of "new services" under which a service is only separately payable if it imposes an increase in effort and cost that exceeds a materiality threshold.

If the customer's needs change in a way so higher or lower volumes from the supplier are required, the usual process would be to make a request under the procedure for change requests. In some cases, the supplier will be obliged to accept the change but this will always depend on the terms of the contract. For example, where the customer anticipates an increase in volumes, it will generally be advisable for it to negotiate a commitment from the supplier to meet such additional demand, should the customer require it. In the absence of such a contractual commitment, the level of flexibility which the supplier can offer is likely to depend on the extent to which it will need to make additional investments and how long it will take to monetise those investments. However, most suppliers are willing to invest if it is followed by a prolongation of the agreement. In contracts where the customer can request both higher and lower volumes from time to time and the price follows the volume through an agreed price schedule, it is usually structured in a way so that the customer pays a minimum amount, no matter how small the volume delivered by the supplier is.

If there are no provisions specifically addressing the issues, it is highly dependent on the nature of the contract whether each party can request changes of volume.

The parties will adopt different approaches to charging depending on, among other things:

The customer pays the supplier both:

There are usually additional provisions to ensure that:

A fixed price is often used where there will be a regular and predictable volume and scope of services (for example, payroll services), and the customer wants certainty for budgeting purposes.

The customer pays a pre-agreed unit price for specific items of service (such as volumes of data processed or deliveries made), often based on a rate card (that is, a schedule of fees for each item of service). The supplier may want to add a minimum fee. It is often used where the level and volume of services is less predictable.

Particular consideration should be taken for how (if at all) the supplier will be allowed to recover implementation costs (for example, as a specific item of charge, linked to the achievement of measurable milestones or targets, or in an agreed manner over the life of the contract).

The principal terms used in relation to costs are:

In general, indexation is not used in respect of computer management (data centre) services. Indexation based on cost-of-living adjustments or currency fluctuations is often agreed in respect of services based on man-hours, such as off-shored application development and maintenance services.

There are no statutory remedies or relief available to the customer if the supplier fails to perform its obligations, but Danish contracting law based on court practice and general principles provides a range of remedies and relief options. In most outsourcing arrangements, the parties will contract on the basis of a contractual format heavily influenced by Anglo-Saxon contractual practices. This means that rights and remedies and relief events will be explicitly crafted into the contract. The basic rights and remedies include:

Most outsourcing contracts will grant the customer additional rights, but will also limit the remedies for breach available to a customer under the law. Customer protections typically include:

Under Danish law, a party seeking to rely on a warranty will not need to demonstrate that the party in breach acted negligently.

There are no implied warranties under Danish law. However, similar to the concept known under Anglo-Saxon law as an "implied warranty", if a service or product is defective the supplier will be under a duty to remediate the defect. A "defect" will include what reasonable expectations a customer may have.

Typically, a supplier will warrant that service levels are performed and that the services will be delivered in accordance with the recognised industry practice.

Danish law does not apply the concept known under Anglo-Saxon law as "indemnities" and there are no particular legal effects associated with an "indemnity" under Danish law. Generally, when outsourcing contracts under Danish law use the term "indemnities", the effect of the "indemnity" is specifically set out. In general, the term is used for claims where the indemnifying party will compensate the indemnified party fully, irrespective of the cause of the claim, and will not be subject to liability caps or limitation of indirect losses. Such claims will frequently include compensation for infringement of IP and misappropriation of confidential information.

Danish law implies that the goods and services delivered must be fit for purpose and of satisfactory quality, and that services will be performed with reasonable skill and care.

Often contracts exclude these terms and replace them with specific wording. The overall intention is that all relevant obligations are set out expressly in the parties' written agreement.

The following types of insurance are readily available in Denmark:

However, the only compulsory insurance for a firm or an employer is industrial injury insurance, as well as motor vehicle liability insurance, if relevant.

Industrial injury insurance is compulsory for an employer who employs persons to work in Denmark. Some employers pay for additional insurance such as health insurance as an extra benefit for the employees but this is not a legal requirement.

Under the general principles of Danish law, a party can terminate for a material breach. A material breach can either be one very significant breach or a series of re-occurring minor breaches adding up to constitute a material breach. Under Danish law, material breach of an outsourcing agreement would require very significant events and while non-performance of an outsourcing agreement frequently occurs, a material breach of an outsourcing agreement is in practice a rare occurrence. In outsourcing agreements, the contracting parties often specify a number of events that constitute a material breach, including, for example, the continuous non-performance of key service levels for a number of months in a row or beach of GDPR or confidentiality.

There are no such rights under Danish law. However, it is customary to agree that change of control and the insolvency of a party qualify as causes of termination.

It is market standard to include termination for convenience provisions in the agreements for the customers, with specified notice periods of six to 12 months depending on the size and cruciality of the services provided. Whether the supplier has the right to terminate an outsourcing agreement for convenience also depends on how business-crucial the outsourced services are to the customer. If the services are important for the customer's daily business, the supplier will not have a right to terminate for convenience. In the rare case that the supplier is granted a right to terminate for convenience, the notice period is customarily 12 months to ensure that the customer has sufficient time to make necessary changes within its organisation and find a replacement supplier.

The main remedies available to the parties under the general law in response to a breach are:

However, since the parties are free to exclude or agree termination rights many outsourcing contracts modify and/or supplement the remedies available under the general law with some or all of the following:

In respect of a change of control, most outsourcing agreements will allow the customer to terminate the agreement if the change of control could impact supplier performance, and provided the termination is effected within a short time frame after the customer was informed of the change of control.

Agreements will almost always provide re-transfer services (termination assistance) in the case of termination or expiry of the agreement, which are used to facilitate the transfer of services and data to either a replacement supplier or back to the customer. The assistance can either be paid under a time and material model or by using an agreed fixed fee. It is common for the agreement to also include an obligation on the supplier to continue its delivery of services until the transition has been finalised (irrespective or whether agreement has been terminated or has expired).

When entering into the agreement, the parties will have to consider how IP rights are handled after termination. This will depend on the nature of services and the extent of IP created specifically for the customer.

The customer cannot gain access to the supplier's know-how post-termination unless the parties have agreed otherwise.

The parties are free to exclude liability. However, any such exclusions will be interpreted narrowly and the below mentioned restrictions will apply. It is customary to exclude indirect loss and a number of types of loss, including the consequences of not having access to lost data, lost revenues, loss of business and lost profits. It is always heavily negotiated whether reconstruction of data and lost savings will be recoverable.

Liability for wilful conduct cannot be disclaimed. Liability for gross negligence might be excluded, although no firm precedent has been established. Any exclusion of gross negligence will have to be specifically stated.

The parties are free to cap liability within the restrictions that are set out in respect of wilful conduct and gross negligence (see Question 28). Caps are customary for the following types of claim and with the following percentages:

Liability for infringement of IP rights and confidentiality is often uncapped and at times not restricted by any exclusions.

When using this approach, it is important to:

The supplier must ensure that the drafting of the cap does not restrict its right to recover for non-payment of charges that are properly due to it from the customer.

If there is a transfer of employees, the outsourcing agreement will include provisions regulating the transfer (see also Country Q&A: Transferring Employees on an Outsourcing in Denmark: Overview). Liabilities related to the employees during the term of the outsourcing will usually be borne by the supplier and liabilities related to the period before and after the outsourcing will be borne by the customer.

Furthermore, restrictions may be agreed covering a period prior to expiry of the agreement on what changes the supplier can make to the terms of the employees in scope of the transfer and which employees are providing the services.

When a dispute arises, the parties will often seek to resolve this through communication with the other party in a formalised forum. If the dispute cannot be resolved this way, the parties will usually look to either alternative dispute resolution (ADR) or fast track dispute resolution depending on the dispute at hand. Arbitration is primarily used when the co-operation between the parties has broken down and the primary purpose is to determine whether or not one of the party's actions constituted a material breach, and thereby allows the other party able to terminate the contract for cause. In Denmark, most disputes are solved commercially without moving to ARD or fast track dispute resolution.

A full description of the pros and cons of each method of dispute resolution is beyond the scope of this guide but in most cases the dispute resolution mechanism under an outsourcing arrangement will include:

The transfer of assets can trigger the following:

If the legal ownership on assets is transferred to the supplier, any capital gains on the transferred assets are taxed at a flat rate of 22% (assuming that the transferor is a corporate entity). Gains are calculated as the difference between the sales price and the "tax value" of the assets. The tax value corresponds to the purchase price less tax depreciations. The purchase price must be allocated among the assets transferred.

Transfers of employees do not cause tax implications.

The transfer of assets to the service provider will be exempt from VAT if the transferred assets constitute a business transfer. If the assets do not constitute a business transfer, they will be subject to VAT at a rate of 25%.

Whether services supplied by a service provider are subject to Danish VAT depends on the domicile of the service provider and customer, for example:

Therefore, services delivered to a Danish customer are subject to VAT, unless an exemption such as for financial services (payment transactions), applies. The business customer must be able to deduct the VAT paid. If the business customer carries out non-VATable business activities, the customer will be unable to deduct VAT. For this reason, outsourcing by companies that are not subject to VAT can create additional costs and be more expensive than managing these functions internally.

No Danish service charges or taxes at source are triggered by an outsourcing arrangement.

Under Danish law, no stamp duties are payable on the transfer of assets, except for assets registered in a public register such as real estate.

Service fees charged by the service provider qualify as deductible operating expenses for corporate income tax purposes.

Under Danish law, there are no other tax issues. However, depending on the nature and circumstances of the outsourcing, advisors may be required to report the outsourcing to the authorities under Directive (EU) 2018/822 amending Directive 2011/16/EU as regards mandatory automatic exchange of information in the field of taxation in relation to reportable cross-border arrangements.