Digital transformation has become a priority for all major companies. This is being driven only further by the spread of artificial intelligence's commercial use cases and ever-tightening data protection and cybersecurity regulations. However, procuring enterprise software (concerning both the development of custom-made software and "off-the-shelf" software developed for mass use) may give rise to various legal issues. Promptly identifying and addressing these issues can help prevent considerable legal and operational expenses, as well as other inconveniences.
In the case of custom-made software, it is important, among other things, to understand what rights remain with the developer. The software's source code may be protected by copyright, and the solutions included in the software individually ordered by the buyer may be based on valuable trade secrets or know-how. A key issue may be whether the developer would be entitled to resell the developed software, either in its original or partially modified form, to third parties, including the buyer's competitors. It is also prudent to consider which rights the buyer should acquire to meet their specific needs and have this reflected in the software development agreement. Is it necessary to acquire all economic rights in relation to the software to be developed, or is it sufficient to obtain a license to use the software? Naturally, if the buyer company chooses to obtain a license, the scope of the license is also crucial. As one may expect, the scope of rights obtained and the scope of a license might also have an impact on pricing.
In the case of "off-the-shelf" software, service providers often implement general terms and conditions. However, such terms and conditions are sometimes overly general or do not govern key matters, which might prevent the buyer company from using the software in the way it intended. A typical mistake is when the buyer procures the software to use it at the group-level or together with its retail network, but this is not reflected properly, from a legal perspective, in the license terms, which results in other group members or retailers not being entitled to use the software. In the event of unlawful use of the software or use that goes beyond the terms of the software license agreement (the license terms), the right holder of the software might, for example, make claims against the buyer for license fees after the unlawful use.
The buyer should also take the time to consider, even at the time of procurement whether they plan to later order unique additional developments (enhancements) to the software, as the case may be, from a software developer who is different from the original supplier. This is because the lawfulness of those enhancements may depend, to a great extent, on the technical details of the relevant enhancement and the license terms of the existing software.
The buyer's to-do list is not completed just with the purchase of the software license. To use the software properly, it is essential to integrate it into the already-existing IT environment, handle any technical and user problems, install — and, as the case may be, develop — necessary updates and train employees to use the software. The buyer should already be considering these tasks at the time of concluding the contract in relation to the software. In the case of custom-made software, it is also worth considering whether the buyer "chains" itself to the software developer. If so, it is advised to agree on (and, ideally, include in the relevant contract) the magnitude of foreseeable technical support fees.
Finally, if the software's operation involves the processing of confidential information (e.g., personal data or trade secrets), the buyer must comply with applicable law and, as the case may be, with the terms of its contracts with its business partners (e.g., provisions related to confidentiality and data processing) when using the software. Relevant regulatory and contractual breaches might not only have serious legal consequences but might also raise trust issues from the business partners' perspective. Therefore, it is always recommended to analyze the software and the contract for its use from a data protection and confidentiality perspective and take the necessary measures. These include assessing and documenting the management of potential confidentiality and data protection risks, preparing the relevant data privacy documentation or updating existing documentation, and negotiating appropriate data privacy and confidentiality provisions for the contract with the vendor.
If the software transmits personal data to the supplier's servers (e.g., in the case of cloud hosting), some servers may be located outside the European Economic Area, which might result in additional legal and practical risks for certain countries (e.g., India, China or, in certain cases, the United States). In such cases, the buyer should analyze whether the European Commission has adopted an "adequacy decision" regarding data protection for the country of destination. If there is none, the buyer should assess the measures under which the transfer may be lawful.
The protection of personal data is also important during software development and bug (defect) fixing. Such data may be processed for testing only in justified cases. In these instances, where possible, it is recommended to substitute personal data with fictive data.
By Andras Gaal, Attorney, Baker Mckenzie
