Technology Outsourcing Contracts: Key Legal Points in Spain

Technology outsourcing allows businesses to scale, control costs, and accelerate projects.
But delegating development, support, or infrastructure involves legal risks that must be anticipated in the contract.

Below are the critical points to cover — focused on Spain — and why they make all the difference.

---

1) Scope and Service Governance

- Purpose and deliverables: what is outsourced, what is excluded, delivery milestones, and written acceptance criteria (UAT).
- Service model: remote/on-site, environments (dev/test/prod), access levels, and user profiles.
- Change management (change requests): approval process, timing, and impact on pricing (fixed vs. time & materials).
- Governance: steering committee, monthly meetings, reporting, KPIs, and minutes.

📌 A precise service definition prevents disputes and makes compliance measurable.

---

2) Confidentiality and Non-Competition

- Robust NDA: protected information, permitted uses, custody measures, and post-contract duration.
- Non-compete / non-solicitation (when applicable): limited in scope, time, and territory to avoid restricting legitimate activity.

These clauses protect strategic assets (clients, code, know-how).

---

3) Personal Data Protection (GDPR / LOPDGDD)

If the provider processes data on behalf of the client, the client is the controller and the provider is the processor.
A data processing agreement (Art. 28 GDPR) must be signed, including at least:

- Purpose, duration, nature, and scope of processing.
- Types of data and categories of data subjects.
- Controller’s obligations and rights.
- Security measures.
- Rules on subprocessors (prior authorization).
- Data return or deletion upon termination.

Additionally, agree on:

- Incident notification by the processor “without undue delay.”
- Controller’s protocol to notify the authority within 72 hours (Art. 33 GDPR), when applicable.

💡 Practical tip: validate the provider’s assurances (codes of conduct or certifications) and data location (EEA or transfers with adequate safeguards).

---

4) Intellectual Property (Software and Deliverables)

Paying for a development does not automatically make you the owner of the software’s exploitation rights.
In Spain, ownership belongs to the author unless there is an express written assignment.

Include a broad assignment clause (exclusive or non-exclusive, as appropriate), covering:

- Source code, documentation, and manuals.
- Territory and duration.
- Permission to modify or create derivative works.

Recommended Best Practices

- Source code escrow clause: deposit with a third party and release under critical events (bankruptcy, service discontinuation, serious breach). Although not specifically regulated in Spain, it’s widely used and very effective to mitigate vendor lock-in.
- Open Source Compliance: list open-source libraries, licenses, and obligations (notices, copyleft, etc.).

---

5) Service Levels (SLA), Warranties, and Penalties

Define measurable SLAs: availability, response and resolution times, backups, RPO/RTO, maintenance windows, and escalation paths.
Link service credits or penalties to non-compliance (and termination rights for repeated breaches).

Include warranty periods for defect correction and a technical review schedule.

---

6) Security and Continuity

- Minimum standards: controls aligned with ISO 27001/27002 or equivalents; environment segregation; least privilege principle; encryption in transit and at rest.
- Incident management: detection, notification, and containment timelines; logs; restoration tests.
- Exit plan and reversibility: orderly migration, open formats, cooperation, and reasonable assistance during transfer.

Such planning minimizes disruptions and dependency on the provider.

---

7) Liability, Insurance, and Indemnities

- Reasonable liability cap (e.g., contract value), with carve-outs for:
  - IP infringement.
  - Breach of confidentiality.
  - Damages from fraud or gross negligence.
  - Data protection obligations.
- Indemnity for third-party rights violations (IP, trade secrets) and fines arising from the provider’s breaches.
- Insurance: professional liability and cyber coverage with limits proportional to the risk.

---

8) Subcontracting and Sub-Vendors

Require prior written authorization to subcontract any part of the service.
Ensure subcontractors’ obligations align with those of the main provider (including data protection under Art. 28.2 GDPR).

---

9) Pricing and Payments

- Milestones vs. time & materials: link payments to accepted milestones (with clear acceptance criteria).
- Retentions: withhold part of the price until critical defects are resolved.
- Price review: objective conditions for scope or rate changes.

---

10) Labor Aspects (Art. 42 Spanish Workers’ Statute)

As the client company, you must verify that the contractor is up to date with Social Security obligations (certificate from TGSS).
Otherwise, you could be jointly liable for debts incurred during the engagement (enforceable up to 3 years after termination) and certain wages.

This liability does not cover debts prior to the contract.

Useful clauses:

- Supplier’s obligation to keep you updated with compliance certificates.
- Compliance with worker information duties or works council notifications, when applicable.

---

11) Governing Law and Dispute Resolution

Specify applicable law (Spain) and jurisdiction or arbitration forum.
Include an escalation process (negotiation / mediation) to resolve issues before litigation.

---

Quick Contract Checklist

- Scope, deliverables, UAT, and change control.
- NDA, non-compete / non-solicitation (if applicable).
- Data processing agreement (Art. 28 GDPR) + subprocessors + security + data return/exit plan.