
Commercial & Technology Contracts
Strong contracts are the backbone of any successful business, providing clarity, managing risk and ensuring a fair balance of rights and obligations. In an ever-evolving business landscape, having the right legal partner is crucial. At Kingsley Napley, a UK top 100 full-service law firm, we combine business acumen with expert legal advice tailored to your business needs to support your commercial objectives.
Frequently Asked Questions
Below are some questions that we are frequently asked by clients who require advice on commercial issues and commercial contract law.
What makes an oral or written contract legally binding?
A contract is a legally enforceable agreement which gives certain rights and responsibilities to those that agree to its terms. Contract formation is a practical question and is often determined by analysing the prior negotiations (such as email chains) between the parties. A brief summary of the essential elements to be established for contract formation in English law is as follows:
- Offer – a specific promise forming the basis of the agreement without further negotiation;
- Acceptance – must be final and communicated to the other party;
- Consideration – a form of payment regardless of type or amount;
- Intention to create legal relations – usually presumed in commercial arrangements and proven through signature by both parties for written agreements; and
- Certainty of terms – the agreement is not vague or lacking in essential terms.
Can I sign a written contract electronically?
Yes. English law allows for e-signatures of all complexities to be used as the basis for entry into a contract with equal treatment to execution by wet-ink signature, so long as the signatory intends for the e-signature to authenticate the document.
Types of e-signature include typewritten, scanned and digital representations of characteristics such as fingerprints. Please see our e-signatures blog or contact the team for further details.
My terms of business are online only, how do I ensure customers agree to them?
The essential elements of contract formation also apply to terms of business displayed on your website or app.
Importantly, your customers must be given the opportunity to accept or decline the terms, for example by completing a tick box and clicking a button. Additional requirements as to the type and amount of information to be included in the terms of business will vary depending on whether you are engaging consumers or businesses.
For further advice on the type and amount of information that should be included, contact the team.
What is the difference between an agent and a distributor?
The terms ‘agent’ and ‘distributor’ are often used interchangeably as supply chain intermediaries but they differ substantially as regards their legal interpretation. An agent is a person who acts on behalf of another party (the principal).
Some agents have the power to negotiate and conclude contracts with customers on the principal’s behalf whereas others have the ability to make introductions only. Agents are generally not parties to the contract between the principal and the customer. In such cases, a customer who buys from the agent is in fact entering into a contract with the principal. Clearly identifying the scope of the agent’s power will help avoid uncertainty as to whether the principal has incurred liability to a customer.
A distributor purchases goods from the manufacturer or supplier and resells them to its customers with a margin to cover its costs and make profit. In this way the distributor contracts with both the supplier and the customer. An agency agreement may be preferable where the agency commission fees are lower than the margin costs of a distributor or where the principal wishes to retain control of the price of the goods, the target customer base and how the goods are marketed.
By contrast, a distribution agreement may be more appropriate if the supplier intends for title and risk in the goods to pass to the distributor. Distribution arrangements are more straightforward to terminate because they are not subject to the commercial agency regulations which grant a right to a lump sum payment to certain agents on termination of their agency agreement, regardless of breach of contract by the agent. Taxation is also less problematic for distributors as there is no risk of double taxation which can arise when a principal is deemed to trade in a particular country because it has an agent there.
What is personal data?
Personal data is any information about a particular living individual (known as the “data subject”) such as employees, customers, business contacts and members of the public. This information could directly identify a person by name or enable them to be identified through a combination of information such as by identification number and address.
What is the UK GDPR and what does it do?
The UK GDPR is shorthand for the retained EU law version of the General Data Protection Regulation as it forms part of the law of England and Wales by virtue of section 3 of the European Union Withdrawal Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations. More specifically, it is defined in section 3(10) of the Data Protection Act 2018 (“DPA 2018”), supplemented by section 205(4). As such, organisations need to bear in mind that there are two legal texts to consider, where relevant: the UK GDPR as well as the DPA 2018.
The purpose of the UK GDPR is to create a framework for the fair and proper use of information about people by organisations which, in turn, fosters the build-up of trust between individuals and organisations. The UK GDPR introduces minimum standards of care to ensure that organisations adopt a risk based approach when collecting, using, storing or otherwise processing an individual’s personal data. This includes key principles to inform decision making as well as certain lawful bases which require the processing to be necessary for a particular purpose and communicated in a privacy notice.
Do I need to incorporate specific provisions into the terms of my contracts with suppliers and customers due to the UK GDPR?
Under the UK GDPR, a data controller may only engage a data processor via a legally binding contract containing certain mandatory terms. Details of the mandatory terms to be adopted can be found in our blog. You should consider whether your contracts with suppliers (who process personal data as processors) contain the mandatory terms and, if not, vary them accordingly.
You should also consider whether your business, in the course of providing its services, does so as a data processor. If so, you will need to ensure that your terms of business with all of your customers incorporate the mandatory terms set out in the UK GDPR.
Can I transfer personal data overseas?
The UK GDPR restricts transfers of personal data to countries located outside the United Kingdom (“third countries”) as well as to international organisations (these transfers each are known as “restricted transfers”). This is because data subjects risk losing the protection granted by the UK GDPR in these situations. As such, restricted transfers cannot be made without:
- the data subject’s specific and informed consent; or
- an adequacy decision from the Information Commissioner’s Office (“ICO”). Briefly, an adequacy decision means that the level of protection provided by a country’s data privacy regime is considered to be essentially equivalent to the standards of care set out in the UK GDPR; or
- an appropriate safeguard being implemented within the relevant organisation receiving the data as listed in UK GDPR; or
- one of a selection of derogations for specific situations.
Typically, organisations rely on the implementation of appropriate safeguards in order to lawfully make restricted transfers and the most commonly used safeguards are:
- the international data transfer agreement (“IDTA”) and the international data transfer addendum (“Addendum”) to the European Commission’s standard model contract clauses for international data transfers implemented by the ICO; and
- binding corporate rules (“BCRs”) for group companies located in different jurisdictions.
The IDTA and Addendum are entered into between the data exporter (located inside the UK) and the data importer (located outside the UK) which contain non-negotiable contractual obligations and directly enforceable rights for the individuals concerned. Binding corporate rules are effectively an internal code of conduct between the relevant group companies approved by the ICO.
Before you rely on one of the above appropriate safeguards as a transfer mechanism to make a restricted transfer, you must first carry out a transfer risk assessment (“TRA”). The TRA will help you consider whether, in the circumstances of the transfer and with your chosen safeguard in place, the relevant protections for data subjects under the UK data protection regime will not be undermined.
Once the TRA is completed and it’s determined that the transfer mechanism does provide appropriate safeguards, and effective and enforceable rights for individuals, then the restricted transfers of data can go ahead provided that the rest of UK GDPR is complied with.
What does the UK GDPR mean for my business?
The UK GDPR introduces different responsibilities for data controllers, joint controllers and processors. The role that your business plays in a commercial arrangement will depend on the particular circumstances.
Generally, the controller will be the decision maker determining how, why and which personal data is collected. Joint controllers will have data collection objectives and procedures in common with another controller. The processor follows instructions and usually receives the data from a third party, such as a client.
The ICO can bring enforcement action against both controllers and processors for non-compliance with the UK GDPR. Likewise, individuals can make a claim for compensation and damages against both controllers and processors for breaches of the rights under data protection law. It is therefore crucial that you carefully review and document the flow of personal data between your organisation and others so that your status is clear (regardless of the terminology used in a contract).
What happens if my business does not comply with the UK GDPR?
Your data protection obligations should be taken seriously as a failure to comply may lead to the UK’s privacy regulator, the Information Commissioner’s Office, imposing fines of up to the higher of £17.5m and 4% of your business’s global turnover in the preceding financial year (and that’s without taking into account the additional reputational damage).
Indemnification: I have been asked to indemnify the other party in a contract. What does this mean and what do I need to consider?
An indemnity is a promise to reimburse the contract counterparty (and any other specified persons) for losses suffered as a consequence of a specific event taking place. For example, in a licence of intellectual property rights, the licensee may wish to be indemnified by the licensor for any losses suffered as a result of a third party claiming that the use of such rights infringes rights which they hold.
Unlike a regular claim for breach of contract, there is no need to show fault and if the specified trigger event occurs, the indemnifying party automatically becomes liable.
Giving an indemnity should not be taken lightly. You should consider whether other contractual protections may be more suitable in the circumstances. Further, the scope of an indemnity and the extent of losses that it covers as well as limitations of liability should be carefully worded.
Warranties: What are warranties and what do they usually cover in services agreements?
A warranty is an assurance or a statement of fact in a contract by one party to the other. If the warranty is breached, it constitutes a breach of contract which may give rise to a claim for damages.
Unlike a condition, a breach of warranty does not provide the injured party with a right to terminate the contract.
Agreements for the provision of services typically include warranties from the supplier that:
- the services will be provided in accordance with a specific services specification;
- any deliverables will be sufficiently fit for purpose;
- the services will be provided with an appropriate level of skill, care and diligence;
- the services will be performed in accordance with all applicable laws and regulations;
- it has, and will maintain, all applicable licences and consents necessary to carry out the services; and
- use of the services will not infringe any intellectual property, or other rights, of any third party.
Suppliers should, of course, pay careful attention to the wording of the warranties in their contracts to ensure that they can provide them and they do not expose the business to unnecessary risk.
If a warranty in respect of a material area of risk is breached, an indemnity is typically required for any losses suffered arising from that breach.
Confidentiality: What are NDAs used for and what should they typically include?
Non-Disclosure Agreements (“NDAs”) are generally short form commercial contracts that are put in place to protect the confidentiality of information that is disclosed between the parties for a particular business purpose.
Confidential information can be broadly defined to protect both commercial information and personal data. Examples of information that is typically protected by an NDA include:
- Financial information;
- Business plans;
- Customer lists;
- Methodology;
- Improvements to processes; and
- Computer programs.
NDAs are designed to prevent the recipient from taking unfair advantage of information received in confidence. This is achieved in part by restricting the use of the confidential information to a defined purpose.
For example, if you are an investor or start-up business entering into discussions to explore a potential investment, then use of the confidential information should be carefully defined to reference the prospective transaction. Other key considerations will depend on your particular business requirements but common issues include whether the obligations are unilateral or mutual (i.e. is there a one way flow of information or is it coming from both sides?), the duration of the obligations and remedies for breach of confidentiality.
Penalties: What is a penalty clause and are they legal in the UK?
Penalty clauses have the objective of punishing the defaulting party by requiring payment of an excessive amount which is triggered by a specified breach of contract. Penalty clauses will not be enforced by courts in England and Wales beyond the sum of the actual loss suffered.
Typical examples of penalty clauses include high levels of late payment interest or a disproportionately large sum becoming payable on the occurrence of a breach e.g. if the deliverables for services have not been provided by a particular date. It can be difficult to accurately anticipate the losses likely to be suffered as a result of breach and it is best to take advice as to whether a provision is likely to be valid from the outset.
I have a great idea for a new business. Is there any intellectual property in my idea? How can I protect it?
An idea alone does not give rise to IP rights. However, once your idea has been expressed in some manner, there are five main IP rights that may be relevant and which may allow protection of your business output.
- Copyright protects the expression of ideas, for example the words in a book or the source code of a computer programme.
- Trademarks protect product names and logos.
- Patents protect novel inventions and products.
- Registered design rights protect the appearance of a product, for example, the shape, packaging, pattern and colour.
- Unregistered design rights protect the shape and configuration of an object.
You may also use the law of confidential information to protect your ideas which are not otherwise protected by IP rights. For example, by asking any relevant party to sign a non-disclosure agreement (“NDA”). Although better than nothing, this approach can be risky particularly since the NDA is likely to be superseded if the parties subsequently enter into a supply agreement. Often by the time a disclosure has been made to a third party, the damage may already have been done.
When starting a new business, it is important to develop an IP strategy from the outset. Whilst it may not seem urgent at the time, a failure to do so can be costly in the long run. Should you have any concerns around your IP strategy, or need advice, contact our intellectual property solicitors.
What should I know about licensing the intellectual property rights in my business output?
Intellectual property rights (“IP rights”) are intangible property rights which are the result of your intellectual endeavours, for example proprietary methodology.
In a licensing arrangement, the licensor (IP rights owner) retains ownership of the IP rights and grants the receiving party (the licensee) permission to use them in exchange for a fee (usually as royalties whereby a percentage of the licensee’s sales revenues are payable to the licensor periodically).
Licensing can benefit licensors by boosting revenues and market penetration whilst allowing licensees to enjoy greater access to expertise and lower research and development costs.
In deciding whether to grant or take a licence you should consider how it will help meet your business needs and commercial goals. Risks of licensing typically include prohibitively high rates of royalties being charged and reputational harm which can occur where a licensee uses your trade mark but produces inferior quality products.
There are numerous types of licences and variable conditions which can impact the effectiveness of this commercialisation vehicle. For example, exclusivity, whether the rights can be transferred or sub-licensed, the duration of the licence, territorial and use restrictions, performance obligations (such as minimum sales) and payment terms.
If you are considering granting or taking a licence of IP rights and would like further support then please contact our IP law experts.
What should I know about assigning the intellectual property rights in my business output?
An assignment of intellectual property rights (‘IP Rights’) differs from a licence in the sense that ownership of the IP Rights is transferred from the assignor to the assignee, usually in exchange for a fee. Documenting such an assignment therefore sounds straightforward but assignors should be aware that assignees may seek certain contractual protections in respect of the assignment, including:
- Warranties from the assignor that they are the sole owner of the assigned rights, that such rights are free from third party interests and that they do not infringe the rights of any third party. Typically, the assignee will require an indemnity from the assignor in respect of the breach of any such warranties and so assignors should consider limiting the extent of that indemnity accordingly e.g. by capping it.
- The inclusion of a ‘further assurance’ provision which states that the assignor will provide the assignee with all such reasonable assistance as may be required to effect the assignment of the assigned rights. This may include executing further documents, such as those required to update the ownership register in respect of registered IP Rights e.g. trade marks. Some assignees may insist on an assignor granting them a power of attorney to sign such documentation on their behalf.
- A waiver by the assignor of its moral rights in any copyright to be assigned. Moral rights are the rights of a creator of copyright (e.g. the software developer who originally wrote the source code for a software program) to be credited as the author of the copyrighted work.
Which legal documents do I need to place on my business’ website and why?
Terms of website use are required to set out the basis upon which a visitor to the site may access and use it. These terms should be used to comply with the website owner’s legislative information requirements by making it clear who operates the site and how to contact them. The terms are also an opportunity for a website owner to limit its liability relating to content on the site via the inclusion of disclaimers relating to reliance on that content.
A privacy notice is required on a website to notify visitors about how their personal data is collected, used, shared, stored, retained and secured by the website operator. Privacy notices need to comply with the UK General Data Protection Regulation (UK GDPR) and should therefore include specific details regarding the legal rights exercisable by individuals in respect of their personal data, including the right to be provided with access to it, to ask for it to be erased and to transfer it to a third-party provider.
Every website that uses cookies must provide visitors with details of such cookies and the purposes for which they are used in a cookies policy. Website owners should ensure that links to cookies policies are prominent and banner notices which appear when a user lands on a site are commonly used to ensure compliance.
An acceptable use policy (AUP) will be required if your website contains functionality which allows visitors to upload comments and/or other materials to the site. The AUP should set out the rules and standards governing those uploads and, if drafted carefully, should assist in excluding the website operator’s liability in the event that those uploads are defamatory or breach a third party’s intellectual property rights.
E-commerce websites should contain terms and conditions of sale setting out the terms on which goods and/or services are sold via the website. If sales are made to consumers, website operators will be subject to numerous obligations pursuant to the Consumer Rights Act 2015 and associated regulations, the vast majority of which can be complied with via well drafted terms and conditions of sale.
I provide a cloud-based software application to my customers. How do my customer terms and conditions relating to data processing need to be amended in order to comply with the General Data Protection Regulation (GDPR)?
Under the UK GDPR, a data controller may only engage a data processor in accordance with the terms of a legally binding contract containing certain mandatory terms. Typically, providers of a cloud-based software-as-a-service platform are data processors under the UK GDPR, whereas their customers are data controllers, given that the software provider typically processes the personal data of the customer on its behalf.
The mandatory terms which must be set out in contracts for the provision of affected cloud-based software applications are briefly summarised below and more details can be found in our blog:
- Details of the nature of the personal data being processed e.g. subject matter, duration, purpose of processing etc.
- A provision confirming that the software provider may only process the customer’s personal data in accordance with the customer’s written instructions.
- A commitment from the software provider to protect the confidentiality of the customer’s personal data.
- An obligation upon the software provider to maintain appropriate technical security measures in respect of the customer’s personal data.
- The software provider may only engage a sub-contractor to process the customer’s personal data (e.g. a server host) with the customer’s prior written consent.
- The software provider must assist the customer in relation to certain obligations of the customer under the UK GDPR to the extent those obligations relate to the data processed by the software provider e.g. notifying incidents of data security breaches and assisting in respect of requests to access personal data by data subjects.
- The software provider must delete or return the customer’s personal data at the end of the contract in accordance with the customer’s instructions.
- The software provider must maintain records to demonstrate compliance with the provisions set out above and the customer must be provided with a right to audit and inspect the same.
If you are a cloud software platform provider who is yet to tackle this aspect of UK GDPR compliance, you will therefore need to: (a) vary the terms of all existing contracts with your customers; and (b) ensure that standard terms and conditions are amended appropriately so that your new customers sign up to compliant agreements.
I provide a cloud-based software application to my customers. What are the key terms that I need to consider in my Software-as-a-Service (SaaS) licence with my customers?
Subscription and pricing model. Consideration needs to be given as to whether access to the software will be provided on a price-per-user basis or whether the subscription fee will allow unlimited numbers of personnel at a customer organisation to access the platform. If the former, you should include a mechanism in the SaaS agreement for additional user subscriptions to be purchased during the term of the agreement.
Term and termination. The industry standard is for the SaaS agreement to last for an initial term of usually a month, a quarter or a year. The SaaS agreement would then automatically renew for the initial term if neither party serves notice to cancel prior to the end of the initial term or any renewal term.
Data protection. As a provider of a cloud-based software platform, you are likely to be deemed a data processor in accordance with the UK General Data Protection Regulation (UK GDPR). If so, your SaaS Agreement must contain certain mandatory terms in accordance with the UK GDPR. In addition, it’s prudent to add a schedule to the SaaS agreement setting out the specific technical security measures that you have in place to protect your customer’s personal data.
Availability. SaaS software is typically made available to customers by suppliers on a 24-7 basis. If a warranty of this nature is included in the SaaS agreement, it should ideally be accompanied with carve outs for foreseeable periods of downtime. This may include scheduled maintenance which is to periodically take place in stated downtime windows during the term of the SaaS agreement and/or unscheduled periods of maintenance which can take place at any time, provided your customers are given sufficient notice. Downtime and delays caused by problems with the customer’s internet connection should also be carved out from any 24-7 availability warranty.
Support. If users are provided with helpdesk support, a comprehensive support policy should be provided setting out the extent of that service e.g. methods of contact (telephone, e-mail, live web-chat etc.), hours of operation etc.
IP. The SaaS agreement should make it clear that your organisation owns all of the intellectual property rights in the software, which are only licensed to the customer during the term. Given that position, customers will usually expect you to indemnify them against any costs they incur defending a third party’s claim relating to ownership of the IP in the software.
Limitations and exclusions of liability. As is the case with all commercial agreements, it’s prudent to insert a cap limiting your total liability to the customer under the SaaS agreement. Such caps are only enforceable if they are reasonable and a cap based on the total subscription fee paid by the customer is likely to be considered reasonable. Ideally, you should also exclude liability for certain unreasonable heads of loss, such as indirect or consequential losses which haven’t directly arisen from your breach of contract.
What’s the purpose of a source code escrow agreement?
Access to source code is essential to allow a party to modify and support the software program to which the source code relates. Software suppliers understandably want to ensure that they keep hold of the source code relating to the software they license to their customers and therefore software is licensed in machine readable object code form. As such, the customer is dependent on the software supplier for modifications, maintenance and error correction of the software on an ongoing basis. If business critical software is being licensed, a savvy customer may require a mechanism that allows them (or a third party appointed by them) to take over these software support functions if the supplier fails to provide them.
An escrow agreement serves as a reasonable compromise to satisfy the supplier’s need to maintain control over its source code and the customer’s need to gain access to the source code in certain circumstances. A copy of the source code is deposited with an independent third party (the escrow agent) which enters into the escrow agreement with the supplier and the customer. Upon the occurrence of any mutually agreed ‘trigger event’, e.g. the supplier becoming insolvent or failing to maintain the software if it has been contracted to do so, the escrow agent will release the source code to the customer for the limited purposes of maintaining and updating the software.
