Providers of IT services are exposed to various liability risks, whether they develop software, are engaged in sales, as application service providers (ASP), as software as a service (SaaS) or other "cloud" providers.
The possible extent of liability is easily underestimated. A misconception is very common that liability clauses in the contract allow for substantial reduction of risks. For effective protection, much more is necessary and is also possible.
In this guide, you will learn what liability risks exist under German law and you will receive specific recommendations on how you can protect yourself as a German or foreign provider. Legal knowledge is not necessary.
Chapters and Answers
What are the providers of software and IT consultants liable for and how far does th
How can liability in standard form contracts (general terms and conditions) and individual contracts be limited under German law?
What are the pitfalls and tricks?
What must be particularly considered regarding open source software?
How can the client duties to cooperate and responsibilities of the client be governed?
What must be observed regarding products and services descriptions (statements of work) in Germany from the standpoint of liability?
What applies to marketing materials?
What liability risks are incurred by inadequate clarification and incorrect advice under German law?
How can the risk be reduced?
What special risks exist for full service pro-viders, dealers or resellers? What safeguards are there?
What is important to watch for when taking out an IT liability insurance policy?
Full Content as Website
If developers or providers of software provide poor service, German law provides a specific liability regime depending on the type of contract. For this, the term "warranty" [Gewaehrleistung] is still used, although the German Civil Code (BGB) since the reform of the law of obligations in 2001 no longer uses this term. Therefore, if contracts still state "warranty", they were probably drafted based on the old legal situation of that time.
In the case of providing defective service, the provider must first "cure" the defective service, i.e. he must still provide the service owed which means to fix, for example, the software bug. In addition, the customer has reduction claims to reduce the purchase price: the customer pays less than agreed to or he may assert a claim for recovery. In certain cases, the customer may withdraw from the contract, such as, if rectification ultimately fails. The entire contract is then reversed: Goods and money are to be returned.
Poor service must not always be the usual "bug" or software defect according to German law.
Liability may be triggered by a wide range of service defects:
- The software is not suitable for the specific purposes of the customer
- The software is not compatible, too slow or not fit for the future
- The user documentation is missing, incomplete, out of date or incomprehensible
- Interfaces do not work properly
- Data from legacy systems was not carried over fully or correctly
- The performance is insufficient under a load
- The software infringes upon third-party rights
- Certain features of the software are missing or do not work properly
- The software is infected with viruses or malicious programs
- Agreed completion dates are not observed
- The software contains secret program lockouts which were not agreed to
In addition to the above claims for supplementary performance, reduction and cancellation, the customer may assert claims for compensation due to damages.
In the case of compensation for damages, the provider must economically restore the customer in such a way, as if the provider properly performed services. If the customer cannot access the customer data due to a problem with the customer management system (CMS) and, as a result, he therefore loses business, the provider must compensate the lost profit stemming from this business. If the software is not suitable at all for the business and the customer must therefore acquire another software that is possibly more expensive, the provider must reimburse these extra costs.
A limitation of an amount or exclusion of "direct" or "indirect" damages is not a part of German law on restitution for damages. Even if the damage is much higher than the contractual value, the customer must be reimbursed for the full damage amount under German law.
- A software-related rounding error in data calculations in a bank through the large number of applications leads to high accounting losses.
- The provider incorrectly programs a time recording system. The user of the system therefore undercharges the customer.
- Incorrectly created accounting software will cause operating cost payments, reminder notices and payments by bank transfer not to be initiated or to be initiated too late.
Prerequisite for a claim for compensation, however, is that the provider is at fault (culpable) which means that he so acted willfully or due to negligence. Acting with negligence means that a duty of care was breached. Fault is however "presumed" by the law; the provider can and must therefore clear himself, i.e. prove that he acted with due diligence in the event of a dispute.
In order to escape the consequences of liability, there are a number of contract drafting options, which are described below. Some differences arise depending on whether
Some special features of different types of contracts are examined more closely with the following.
The most obvious is to contractually exclude liability in one's own standard agreements or at least limit it.
The German legislature and case law of the German courts have however set narrow limits. The requirements for appropriate clauses are complex. The limitations of liability in most general terms and conditions in circulation are not (fully) valid under German law, because provisions were copied together without legal counsel, were not brought up-to-date over a longer period of time or the drafted provisions were simply translated for use abroad.
The law governs - sometimes very abstract, some specifically - what is permissible in such AGBs and what is not. All "surprise" clauses are invalid for the customer. Any provision that "unduly disadvantages" customers is invalid. When this situation arises this is partly regulated by law; in addition, there is extensive case law. When in doubt, such as with vague or ambiguous formulations, the wording of terms and conditions of the law is always interpreted to the detriment of the user of the AGB.
The terms and conditions are thus subjected to a fair and reasonable test in Germany. In cases of dispute, a judge examines whether the clause is valid. It is often misunderstood that such a fair and reasonable test applies not only in the business-to-consumer sector (B2C), but also in the business-to-business sector (B2B). Especially for foreign lawyers, such as with the parent company in the US, this fact is often surprising.
Roughly depicted, the following illustration arises from statutory law and case law regarding limitations of liability:
Liability may neither be excluded nor limited regarding
In case of simple negligence, liability may therefore be excluded, in principle. However, German courts have also established a limit here: If the provider infringes upon particularly important obligations with simple negligence, so-called "essential contractual obligations", compensation may only be limited to the typically foreseeable damage. According to case law, essential contractual obligations are those, "whose fulfillment is essential to the proper implementation of the contract, and whose breach jeopardizes the achievement of the purpose of the contract and which the customer regularly trusts in their compliance"; in other words: all the important obligations.
Overall liability caps or complete exclusion of certain damages such as "indirect" or "consequental" damages, lost profits or business interruption losses are invalid in AGB. Also, other blanket exclusions, such as for loss of data, have no validity under German law.
And other stumbling blocks exist: In business-to-business transactions (B2B), for example, the time limitation of claims for defects on the sale of software can be limited to one year. However, the German Federal High Court of Justice also views a "limitation of liability" in such a time limitation reduction and this is invalid in the above cases, such as in cases of gross negligence.
In a disputed case, a court may not limit an invalid clause to the level still permissible. Rather, the clause is ineffective and the statutory provision, e.g. unlimited liability, applies.
One solution approach with "shaky" provisions is to isolate it in separate paragraphs of the AGB: If a court considers the provision to be invalid, it might only consider this one provision invalid..
Even large, established German providers partly include invalid provisions in their terms and conditions. This is based on an intended plan: The clause at least offers the opportunity for argumentation options in the event of an out-of-court dispute. The provider can first confront the customer with the terms and conditions. Companies must however weigh this advantage against the risk of being warned by competitors and unfair trade practices oversight associations due to the use of unlawful terms and conditions. Under German law, competitors may take action against companies using terms and conditions with illegal clauses.
Check to see if your general terms and conditions exhaust the allowable exclusions or limitations of liability while at the same time complying with the terms and conditions requirements.
Isolate critical provisions into isolated paragraphs or separate clauses of your terms and conditions, where appropriate.
Weigh the advantages and risks of possible invalid clauses against one another.
If you negotiate the contract terms with your customers individually, these are not considered terms and conditions (AGBs). You can then exclude or limit liability, except for a few cases, e.g. intent.
The German Federal High Court of Justice sets strict requirements for such an "individual negotiation". Mere negotiating is not enough. You must "genuinely make available" the contractual provisions presented by you for an individual negotiation. Mere explanations or the agreement of the customer to individual clauses is not enough. A give and take must take place. The clauses must consistently be substantially amended. If an imbalance exists between you and the customer, for example, because the customer is sparsely versed in the law or is legally inexperienced, the requirements are particularly strict.
In the event of a dispute, you must be able to prove that the provisions were negotiated individually.
If you need a limitation of liability in an individual case, e.g. with a large project, which would not be permissible in the terms and conditions (AGBs), open the regulation of liability up to negotiation. Where appropriate, allow the customer to offer a proposal. In certain circumstances, offer different provisions or maximum liability caps for different prices during the negotiations.
Document emails, records of discussions or drafts of contracts to be able to prove negotiations of clauses at a later date. File these documents along with the contracts.
In addition to a limitation of liability for damages, providers should include further clauses on liability for defects.
On the one hand, shortening of the time limitation claims are included here. It is also meaningful to govern the way of dealing with rectifying errors, e.g. the right be able to make temporary workarounds available.
Clauses have also become established in the event that a third-party goes up against a customer because use of the software infringes on rights (of the third-party). In this event, the provider can offer the customer hold harmless rights, where appropriate; in return, the customer must immediately inform the provider about third-party claims being asserted and, in so doing, allow the provider to maintain "control" of the legal dispute.
Include special provisions on liability for defects in your contract, such as shortening of time limitations.
An additional liability risk can arise when you integrate open source software in your own software, such as a component for creating PDF files or other open source libraries.
Many open source software licenses, such as the GNU General Public License, include comprehensive liability limitations. Even if much is still disputed here: These limitations of liability can - depending on the structure - also definitely be effective according to German law. Because open source software may be used free of charge under certain conditions, liability of the programmer in the event of such a "gift" is weaker.
If you are integrating open source software as an IT provider in your own offer (e.g. proprietary software), you are liable toward your customers according to the general rules which means also for the open source components. You can hardly effectively exclude your liability toward customers for defects in the open source software in standard contracts. In some circumstances, you are liable to a much greater extent toward your customers than the open source software programmer towards you. You can only avoid this, if you separate the open source software from your own.
Such a separation presents itself for another reason: Many open source licenses have a copyleft effect: Whoever creates their own software based on open source products, must also offer their own software under the open source license. And that usually means that the source code of your software - and thus the entire know-how - must be freely accessible for everyone.
If you want to use open source software for your products, carefully review the license terms in advance and separate your own software from the open source components, where appropriate.
You can also reduce liability risks by including contractual cooperation duties of the customers and clearly divide the areas of responsibility between you and the customer. In this event, if the customer does not comply with the contract, this can be considered to your benefit according to German law, such as with the question of contributory fault.
Nevertheless beware: Standard contracts are also subject to review here. For example, under a purchase agreement, the customer must examine the software in the B2B area according to the law and must contest obvious defects though he has no special duties to cooperate beyond that. If you impose all sorts of obligations on the customers in your terms and conditions, which German law does not provide with respect to the corresponding contract type, the clauses are probably unenforceable: Because all the provisions that move too far away from the legal regulations of the respective contract type in the German Civil Code, unduly disadvantage customers and are invalid in the AGBs.
A series of clauses are however customary and helpful, especially in the case the provider owes a specific work result, such as customization or creation of software, configuration of a system or migration of data. Establish which duties the customer has in such contracts and within what time period these duties must be accomplished (deadlines and activities plan). Agree in the contract, for example, on which tests the customer must perform with acceptance of service and, if necessary, what other services he must provide, e.g. making test data or system environments available.
To a certain extent, you can also write in his homework notebook that the customer must perform regular backup of his data. If loss of data due to a software error leads to data loss, you must only compensate for the damage which would occur during a regular backup by the customer, such as the cost of recovery.
Contractual clauses are also possible which oblige the customer to
Establish which duties the customer has and within what time period these duties must be accomplished in the contract (deadlines and activities plan).
Impose contractual duties on the customer, such as backup of data, creating a suitable system environment or providing information when errors occur.
Liability is triggered by defective service of the provider. Whether or not a service is "defective", results from a comparison between what is owed and what you have actually delivered as a provider.
For the question of what is contractually "owed", German law first looks at the contractually "agreed quality". Therefore, it is particularly important to contractually establish what the product can and cannot do.
In the case of software programming agreements or larger IT projects, the services are mostly described in a separate document or annex. The terminology for such “statement of work” varies [Leistungsbeschreibung, Lasten-/pflichtenheft].
Unfortunately, much is going wrong here in practice, because at the beginning of the project, the parties want to quickly conclude the contract while they are in euphoria and good spirits. The attorney or the legal department drafts a contract, but then a proper statement of work is not provided to the attorney or legal department. Often different versions of the statement of work are circulating, and it remains unclear which now is the one contractually agreed to. Statements of work are often incomplete or inaccurate and are not reviewed by someone who is contractually versed. With larger projects, customers are often not especially able to formulate in detail what the product should be able to do upon completion.
You should therefore contractually establish who has what responsibilities in the creation of the specification of services and who is responsible for completeness and correctness of the specifications.
Contractually regulate what responsibilities the customer has in creation of the statement of work for software programming agreements or major IT projects. Attach current and detailed documentation to the contract.
If standard software is sold or is provided as ASP / SaaS, a description of the software is often completely missing. Sometimes, only the product name is stated or reference is made to the webpage, online help, or a trial version. There are inherent risks: On the website or in marketing materials are often statements of praise, for example "easy to use", "use for PC, tablet or smartphone" or "export to all current file formats". You will have to allow yourself to be judged by these statements in case of dispute.
If you sell software and consequently provide permanent use for a one time payment, you must allow yourself to be additionally held to publicly made statements as seller, which is established by German Civil Code in this manner. This applies not only to your own statements, but in the distribution of third-party software also for statements of the manufacturer.
Create a neat product or service description that defines what your software can and cannot do.
Assess whether your marketing statements at your website or in other marketing materials (brochures, presentations from workshops, etc.) contain marketing statements which you cannot comply with in some circumstances. Review, if necessary, marketing materials or other public statements of the software manufacturer.
Service of an IT provider is also defective according to German understanding, if the product or the service is not suitable for the "use prescribed according to the contract".
The contractually required use plays a particularly important role in major IT projects, software developments or special software. As an IT provider, you may be liable in certain circumstances, when ERP software that is complex does not allow itself to be adapted to the customer's company-specific processes or does not integrate in its system landscape, because interfaces with existing systems fail.
It can be desirable from a customer perspective, but risky for the provider according to German law, when reference is made in the contract or also in the preamble of documents to meeting protocols or presentations, in which the intended use or the objectives of an IT project are boundlessly described. In the event of a dispute, these statements may be used by a court to interpret the contract and determine the purpose.
Consider the purpose regarding large IT projects, software development or complex software, which the customer is pursuing. Clearly establish objectives and purposes. Clarify whether the software is suitable for the customer and document the warning instructions you have given the customer for this purpose.
If you give your software a guarantee for a certain quality, no contractual limitations of liability apply in actuality. In addition, you are liable under certain circumstances regardless of fault. As a provider, you should therefore not provide unwanted guarantees, if possible.
The existence and extent of a guarantee will be determined by interpretation of the contract. A guarantee must not be made explicitly, but can also be made implicitly, such as with product brochures or when certain features are highlighted or praised there. The borders are blurred. The reform of law of obligations in 2001 considerably raised the risk that declarations of a provider will be interpreted as a guarantee. If it is not just a mere description, but an obligation can be read into a statement, there is a risk of a guarantee declaration. This is especially true if you need to recognize as a provider that a certain feature is decisive for the customer or you especially highlight a certain feature of you product.
To minimize the risk of a guarantee, you should definitely avoid formulations such as "pledged", "guaranteed", "promised" or even "warranted qualities", not only in the contract, but also in the service description or in marketing materials.
The term "warranted qualities" [zugesicherte Eigenschaften] is also a relic from times before the reform of the German Civil Code (BGB) in 2001 and is an indication of outdated contract documents.
Examine contract documents, product descriptions, or marketing materials to eliminate unwanted guarantee statements. Avoid such expressions like "pledged" [zusichern], "guaranteed" [garantieren], "promised" [versprechen] or "warranted qualities" [zugesicherte Eigenschaft]. Train your staff accordingly.
From a liability perspective, it may make sense to publish a list of known errors (known bugs) and to inform the customer about this in advance. If you do provide the customer with software consisting of errors, although you are aware of them, you are acting with intent to deceive. In the event of intentional deception, you are liable to a greater extent and longer limitation periods apply.
By the way: The statement often read in Germany in terms and conditions (AGB) that software is never entirely free of errors due to its complexity, does not help. On the contrary, the wording can backfire: The customer could argue that you are acting with intentional deception, because you are distributing software known by you to have errors without informing the customer about the errors.
A provider also maliciously conceals an error, if he does not inform about program locks, registration obligations or surprising data connections to the manufacturer server (a "calling home").
Provide the customer with a list of known errors, where appropriate. Inform him or her about program locks, registration obligations or data connections to the manufacturer server.
The liability regime for software leasing, ASP and SaaS also partially deviates from that which is described above. Here you have to pay compensation for damages regardless of fault as a provider according to German law, such as for errors present at the time of entering into the contract. This means you can be liable even if you have not acted negligently at all. This liability must absolutely be contractually excluded from the standpoint of the provider, which is also permissible in terms and conditions (AGBs).
In addition, there are further particulars, because the term of defect primarily is focused on the contractually prescribed use. In addition, you must maintain the software in usable condition during the entire contract term. This may mean you must adjust the software in a timely manner without charge in the event of change of the legal framework conditions (e.g. VAT).
If you make software not permanently available for a one time payment, but for limited time (e.g. as ASP, SaaS or lease), you need separate liability provisions for this form of distribution.
The establishment of service levels is usually also included in a description of services, particularly regarding ASP or SaaS models. The software and the data is hosted here at the location of the provider and disruptions of availability can cause existence threatening damages.
You, as a provider, are additionally committed with service level agreements, to fulfill certain requirements; however, you can avoid disputes as to if and which liability consequences are a result of disruptions of your service. Therefore, weigh advantages and disadvantages of a specific service level agreement.
Service levels agreements (SLA) typically determine the availability per calendar month or year, as well as maintenance time and include rules on how the values achieved are monitored and what rights the customer has when service levels are failed. With maintenance contracts or support hotlines you can define response times or rectification periods depending on the severity of the error.
If service levels describe the service content, they are not subject to the fair and reasonable test of the general terms and conditions (AGB) according to German law. Risky for reasons of transparency are however limitations of service through service level clauses in the AGB. It is best to place these limitations in a separate document titled "Specification of Services" [Leistungsbeschreibung] or some similar title.
Service level agreements (SLA) may also not lead to the canceling out of statutory liability claims regarding defects. A provision according to which the defect claims contained in the SLA is final, such as the granting of service credits, may be invalid.
Describe the service content in service levels, especially regarding ASP or SaaS models. In particular, regulate availability, maintenance windows, monitoring and defect claims. Do not hide service levels in AGBs, rather write them transparently in the specification of services.
Providers may also be liable in Germany due to faulty incorrect advice. In certain cases, German case law assumes a duty of the provider to give advice or clarification, such as when there is a knowledge gap between the provider and customer, when the customer asked about or considered advice to be especially important and consulting services were in actuality provided. In the German case law, there are a multitude of decisions on consulting errors and clarification duties infringed upon in the IT area.
The tricky part regarding this: In your terms and conditions, for example, regarding buying software, you may not effectively exclude liability for consulting errors committed before entering into the contract.
It may therefore be sensible to have special AGBs for consulting services available and to agree to them with the customer, as soon as - such as before a project - you provide consulting in one of the above stated cases.
Consult carefully and consider the specific customer situation and possible lack of information on the part of the customer. Document the type of documentation you used to inform the customer about risks and assumptions.
Where appropriate, conclude separate consulting agreements in advance and credit any fees to the purchase price or a use fee.
A special situation exists, when you distribute software as a dealer (reseller) or you integrate software components from third-party manufacturers in your products as a full service provider. You are then in the middle of the supply chain between manufacturer and software (end-) customers, like a tomato in a sandwich.
You are liable toward customers as a contractor for any defect even when the defect is due to an error in the manufacturer's software: The customer may then take action against you, and you must try to take recourse against the manufacturer. Pursuant to German law, a provision in the AGB is invalid according to which your customer must approach the manufacturer directly instead of you.
The liability risk consists of the customer taking action against you as the provider, and, on your part, not being able to take recourse against the manufacturer regarding the damage and consequently being "left holding the bag" concerning the damage. A case already mention is open source software. A liability gap may also arise if the contract with the manufacturer is subject to another legal system, such as US law that allows much broader limitations of liability. Your claims against the manufacturer may be barred due to time or statute of limitations while the customer is still able to take action against you.
This risk often does not allow itself to be completely eliminated, at least not in AGB. However, you can try to bring a certain synchronism between your customer contracts and the contracts with the manufacturer regarding the specification of services, known errors or the obligation to provide certain information in the case of error messages, or to use respective ticketing tools.
If you as a reseller or a user of third-party software components are in a sandwich situation between customer and manufacturer, consider the contractual terms and conditions of the manufacturer with your customer contracts and try to create synchronization of the provisions as much as possible.
Finally, liability risks can be reduced with IT liability insurance, which covers damage compensation claims by customers. Regular German business liability insurance is however not suitable for this: It will not meet the specific risks of an IT provider, because relevant areas are excluded, such liability for certain "damages stemming from the sharing, conveyance and deployment of electronic data".
You cannot limit your liability in AGBs with a general reference to coverage by your IT insurance according to German law. Therefore, it is important to carefully pay attention to the conditions of the insurance.
The coverage amount for monetary damages must be sufficiently high enough dependent on your business model and the liability risk associated. IT liability insurance should not differentiate between property and financial damages and should not include further limitations in the form of underinsured amounts, such as in the case of infringement of rights. Due to the comprehensive legal liability, insurance contracts should also not restrict coverage for consequential damage such as revenue loss and loss of profits or data recovery.
The 'Special conditions and risk descriptions for the liability insurance of IT service providers' [Besondere Bedingungen und Risikobeschreibungen für die Haftpflichtversicherung von IT-Dienstleistern - BBR IT D] include, for example, the risks arising from the operation of a full service provider business including typical additional services and also risks arising from the manufacture of and dealing in hardware as well as the risks of providing services via the internet.
Consider to have a specific IT liability insurance in addition to your regular business liability insurance. Be mindful of sufficiently high coverage for financial damages without limitations for situations of revenue and profit loss or data recovery.
Datenschutz professionell und effizient umsetzen