Checklist IT - Procurement / Contract Review

The correct and careful selection of an IT provider or software is only the first step. Once a provider has been selected, it is important to monitor the implementation and, in the case of longer-term services, to check regularly that performance and compliance obligations are being met. The following checklist contains helpful hints for the legally compliant selection of an IT provider as well as for the contract review. The checklist does not claim to be exhaustive, as every IT procurement raises its own individual questions.

 

General points of the contract

  • How is the contract concluded (offline/online/orally/written)?

  • Are the company's own contracts used, or are the provider's contracts adopted?

  • Do GTCs apply (additionally or alternatively)?

  • Is negotiation of the contract possible at all?

  • Is the contract structure clear enough, is the order of precedence of the different documents clearly defined, and are all documents available?

  • Are unclear terms defined so that the agreed service can be understood by a third party?

Large providers (such as cloud providers) or providers of standardised software only offer their services and products under standard contracts (mostly GTCs). Negotiating these contracts is rarely possible, so in such cases the review is limited to checking whether the conditions are acceptable for one's own company.

When drafting your own contracts, model contracts or clauses should be prepared to ensure uniform contractual practice within the company. Standard solutions can be based on existing general terms and conditions (for example, the SIK GTCs).

 

Scope of services

  • Are the scope of services and responsibilities for both parties clearly defined?

  • Is the service sufficiently and comprehensibly described (who, when, what, where)?

  • How are change requests regulated (change management)?

  • What documentation does the company receive from the provider (e.g. development documentation or operational documentation)?

  • Does the scope of services include access to the source code and/or are other intellectual property rights transferred or licensed?

  • Are the necessary interfaces disclosed?

 

Remuneration and licences

  • Is it a one-off payment (lump sum) or are recurring payments made?

  • Is billing based on time and effort or is a fixed price paid?

  • Is a flat rate or a per-user price offered as an option?

  • Is usage charged according to consumption?

  • Are there volume discounts/different tariffs depending on the amount of service purchased?

  • Can the provider change its tariff in the event of a significant change in the scope of use?

  • Is there a best price option?

  • Are the services billed monthly or annually?

  • Are any special services additionally invoiced? If so, which ones (e.g. creation of interfaces or further support)?

  • Does the company only receive a licence to use the software, or is the intellectual property (IP) transferred to the company?

  • Does the company need a transfer of intellectual property (IP) in order to develop the software further independently?

  • Is the proposed licensing model acceptable to the company?

  • Does the company receive a licence for group-wide use?

 

Acceptance, default in performance and liability

  • Has a contractual penalty been agreed for late performance or for defects?

  • Is there an acceptance procedure?

  • How is the procedure for notifying defects regulated?

  • How are service disruptions regulated in the SLA (Service Level Agreement)?

  • Is a minimum or average availability guaranteed, and which downtimes (e.g. planned maintenance) are excluded from the calculation?

  • Is compensation or a price reduction provided if the availability target is not met?

  • What is the measurement period (monthly/yearly)? Note that the same percentage allows far more consecutive downtime when measured over a year than over a month.

  • Is liability limited, are there exclusions of liability?

  • Are the liability risks fairly distributed?


Dispute over performance/delay in payment

  • Is a right of retention of data, blocking of access or other restrictions on use excluded in the event of a dispute over service provision?

  • Can payments be withheld in the event of performance problems?

  • May additional or replacement services be charged?

  • Does the provider indemnify the company in the event of an IP infringement by the purchased service/software?

  • What is the contractual procedure in the event of such an IP infringement?

 

Cancellation

  • Is the agreed contract term appropriate?

  • What notice periods are defined for the company and the provider?

  • How is extraordinary termination regulated?

  • Is advance notice of service adjustments contractually regulated?

  • Can the provider make unilateral changes to the service only with effect from a termination date, or does a unilateral change automatically give the company a right of termination?

  • Are there provisions on the provider's cooperation and support in transferring the data (migration) when the contract ends?

 

Insolvency

  • Are there provisions in place to protect the company's data and the continued availability of the software in the event of the provider's insolvency?

  • Does a source code escrow exist?

  • Is the software tied to a specific technology that makes it difficult to transfer?

  • Are there other providers who use the same technology, so that a short-term switch is possible at all?

  • Is the company granted the right to receive the most recent data backup and the necessary documentation?

 

Data protection / IT security

When procuring IT, a distinction must essentially be made between data protection issues and IT security issues.

 

General data protection issues

  • Is personal data processed in the context of the use of the procured IT?

  • Is the procured IT used to process personal data of persons in the EU, so that the GDPR applies?

  • Can data protection compliance be ensured internally, i.e. does the procured IT permit data protection-compliant use?

  • Does data transfer take place abroad?

  • If data processing takes place as part of outsourcing or maintenance, it must be checked whether the software provider can meet the company's data protection requirements. If a cloud application is used, cloud-specific requirements must also be checked.

  • In the context of selection, instruction and control of the provider, the following points in particular must be observed. Due to the great diversity of IT solutions, the specific requirements of the individual case must always be taken into account.


Internal data protection

  • Does the IT to be procured adequately take data protection risks into account?

  • Can the necessary technical and organisational measures be implemented (privacy by design)? In particular:

    • Is unauthorised access prevented (allocation of access rights, secure default settings)?

    • Is unlawful use or modification of data prevented?

    • Is it prevented that personal data can be passed on to unauthorised persons (internal/external)?

    • Are external attacks adequately addressed?

    • Is the requirement of data minimisation observed?

    • Is the data organised in a logical structure?

    • Can requests for access, erasure or data portability be fulfilled?

  • Does the software comply with the company's privacy policy?

  • Is the data exchange or data access permitted according to the company's privacy policy?

 

Requirements for the provider

  • What data and information is exchanged with the provider?

  • Is data protection regulated in a contract or other legal instrument (Art. 28(3) GDPR)?

  • Does a secure transmission take place?

  • Does the contract indicate who has the rights to the stored data?

  • Under what conditions is the provider obliged to maintain confidentiality? How are the persons involved in the processing bound to secrecy and confidentiality (Art. 28(3)(b) GDPR)?

  • Are the provider's employees obliged to maintain confidentiality?

  • Does the provider process the data exclusively on the company's documented instructions, or is further processing of the data possible (Art. 28(3)(a) GDPR)?

  • What legal requirements must the provider comply with? Can it comply with them?

  • Do the processed data have to be stored in one or certain countries or may they also be processed in third countries?

  • Does the provider take the necessary technical and organisational measures regarding data protection and data security (Art. 28(3)(c) in conjunction with Art. 32 GDPR)?

  • Does a documentation/concept exist which technical and organisational measures the provider has to implement?

  • Does the provider use dedicated hardware for the company, or is the company's data processed on shared infrastructure?

  • Can the provider provide the necessary record of processing activities (Art. 30 GDPR)?

  • How is the notification of a personal data breach to the company regulated (Art. 33(2) GDPR)?

  • Are subcontractors (sub-processors) involved? If so, must the provider obtain the company's permission beforehand, or does the company only have a right to object (Art. 28(2) GDPR)?

  • To what extent is the data encrypted? Is each data set encrypted individually, or is the data encrypted only as a whole (e.g. at storage level)? A risk assessment must be carried out here: encryption at storage level protects against lost or stolen media, but not against access by the provider's own staff or a compromised application, so it should also be clarified who holds the encryption keys.

  • Who is responsible for the backup?

  • Does the provider provide support in the event of a request for access, erasure or data portability (Art. 28(3)(e) GDPR)?

  • Is a data export possible?

  • After termination, is the provider obliged to return the data received to the company or to delete it permanently, unless there are legal obligations to the contrary (Art. 28(3)(g) GDPR)?

  • Is it possible to delete the data? How is the data deleted?

  • Does the provider have the right to prohibit access to the data or to terminate its services extraordinarily?

  • Is it regulated who is the contact person for the company in data protection matters?

  • Can the provider provide security certifications (e.g. ISO/IEC 27001 or a certification under Art. 42 GDPR)? Does the scope of the certificate actually cover the service and the locations in question?

  • Has the provider taken out sufficient liability insurance?


Control options / audits

  • Is there a right to audit (Art. 28(3)(h) GDPR)?

  • Does the provider commit to conducting internal audits?

  • Have previous audits revealed any weaknesses?

  • Has there already been a data breach?

 

Data processing abroad

  • Does data access or data processing take place abroad?

  • Is the third country recognised as providing an adequate level of data protection?

  • If not, how is compliance with data protection and data security ensured by other means (e.g. standard contractual clauses)?

 


This article was written by RA Yves Gogniat.

We are happy to support you in the drafting, review or negotiation of contracts. Balthasar Wicki is available as your direct contact.