The German Supply Chain Due Diligence Act (Lieferkettensorgfaltspflichtengesetz, short LkSG) is now in force and the European Union’s Corporate Sustainability Due Diligence Directive (CSDDD) has been adopted. Both are compliance regulations that directly affect large companies. If they do not comply with the rules, they can be fined up to 4 % of their global turnover and at least 5 % if the CSDDD is fully implemented. The risks of impending liability have a significant impact on the practice of corporate governance and responsibility.
The question therefore arises for companies as to what other liability risks exist along the supply and activity chain and how these can ultimately affect non-covered companies (NCCs) and covered companies (CCs).
Supply chains and liability: the German perspective
Ulrich Herfurth, Attorney at Law in Hanover and Brussels, Jan Weber, Lawyer, Research Associate, Hanover
Liability of covered companies
Legal liability in accordance with the German LkSG
If covered companies violate the due diligence obligations standardised in the LkSG, they can be fined up to 4 % of the company’s global turnover. Furthermore, the corresponding notices are published in the course of “naming and shaming”. This not only damages the company’s reputation, but also existing and potential business relationships. The LkSG itself is not a protective law, meaning that tortious liability from direct application of the LkSG is ruled out. However, other civil law claims remain unaffected. They therefore continue to exist independently of the LkSG.
Legal liability in accordance with the EU’s CSDDD
Overall, the CSDDD expands and specifies the duties to protect, so that the liability framework is initially expanded. Furthermore, the CSDDD, similar to the LkSG, provides for fines for breaches of due diligence obligations. The amount is at least 5 % of the company group’s global turnover. In addition, the Directive requires Member States to create their own civil law claims for damages.
The CSDDD does not turn the LkSG into a protective law either. A compliance breach does not constitute a tort under civil law, meaning that it does not give rise to a claim for compensation for financial losses. It should be noted that the damage caused does not have to be exclusively due to breaches of duty by the “chain leader”. The CSDDD provides for “joint and several liability”, so that suppliers, clients and top management can be jointly responsible for damage.
Due to the resulting joint and several liability, the injured party can claim against a single chain link as its sole debtor on the basis of its right to choose. “Naming and shaming” is also provided for in the CSDDD. In addition – as is already the case with the LkSG – authorities are obliged to consider whether the bidding company fulfils the due diligence obligations when awarding public contracts.
Liability of non-covered companies
Legal liability
Non-covered companies are not subject to either the LkSG or the CSDDD. They are therefore exempt from the aforementioned liability provisions. Nevertheless, liability under general tort law and special rules (e.g. environmental law) remains possible. However, it is problematic that in many cases the damage is likely to occur outside of Germany, meaning that the rules of private international law apply. The Rome II Regulation of the EU, for example, stipulates that only the law of the place of damage applies to tort law. However, the situation is different in cases of environmental damage or child labour, for example. In these cases, special regulations apply, according to which German law is also applicable.
Contractual liability towards covered companies and third parties
However, non-covered companies can become liable through contractual provisions with covered companies. In particular, service agreements, framework agreements or a code of conduct often contain provisions that can result in the liability of a non-covered company.
Non-covered companies are not liable to third parties per se – however, contractual agreements with covered companies may be concluded in favour of third parties, so that they can assert their own rights against non-covered companies.
Code of Conduct
Companies that are not subject to due diligence are not legally obliged to cooperate. However, in order to support covered companies in fulfilling their due diligence obligations, the assistance of their suppliers is essential. They therefore often receive extensive enquiries. If the non-covered companies do not answer these questions, this may constitute a breach of duty under the code of conduct. In this way, non-covered companies can also become liable.
Protection of human rights and the environment
The code of conduct often contains extensive requirements for the supplier.
- Compliance with laws
- Social responsibility and business ethics (integrity, honesty, respect for human dignity, openness and non-discrimination of religion, belief, gender, ethnic origin, no corruption and bribery, clean business practices, intellectual property rights, export controls and economic sanctions)
- Human rights (protection of privacy, freedom of expression and opinion, prohibition of child labour and forced labour, no modern slavery, compliance with labour standards with regard to wages, remuneration levels and social benefits to be granted in accordance with applicable laws and regulations as well as compliance with the prohibition of discrimination, respect for the rights of employees to freedom of association, freedom of assembly and collective bargaining)
- Working conditions (cooperation with stakeholders, equal opportunities, prohibition of harassment, discrimination and violence, health and safety, working hours)
- Whistleblower (complaints office)
- Handling of information (data protection, confidential information)
- Correct behaviour on social media
Conflicts of interest
However, the refusal to provide information by non-covered companies can put a strain on the business relationship and have a negative impact on the contractual relationship, up to and including possible cancellation.
There is a conflict between the German Trade Secrets Act (Geschäftsgeheimnisgesetz, short GeschGehG) and the LkSG. According to the literature, the LkSG has the advantage when it comes to precise and relevant information for the individual case. An overall consideration could justify the prevailing of the LkSG.
Reduction of liability
Suppliers should take care to limit their contractual liability, preferably by excluding liability to the non-covered companies or third parties. In many cases, however, the promises made by suppliers in the code of conduct are likely to constitute a guarantee for which the supplier should be liable even if it is not at fault. For example, the supplier could provide its guarantee only “to the best of its knowledge” or “to its knowledge”.
If liability for fault is to apply to the promise, this may arise in the case of intent, gross and slight negligence, but in particular in the case of fraudulent misrepresentation or fraud.
The supplier can also limit liability by excluding damages, for example for fines, business interruption, loss of orders, loss of profit and reputational damage, or generally indirect, consequential or unforeseeable damages. In addition, the supplier could limit its liability to a certain maximum amount.
Recommendations for action
For covered companies
Covered companies must fulfil their due diligence obligations in their own business area as well as with direct and indirect suppliers. This requires a dynamic process and continuous dialogue. Risk analyses should include comprehensive questionnaires, on-site visits and audits.
For non-covered companies
Non-covered companies should require justification for unfounded data requests and only disclose necessary data. It is important to ensure adequate data protection when transferring data.
The contracting parties must reach an agreement with the obligated companies on the risks to be identified and the information to be provided about the costs incurred.
As a rule, grievances cannot be remedied by covered companies alone. Coordinated measures and the joint development and implementation of a remediation plan are therefore required. Non-covered companies should accordingly check whether existing resources are available for remediation.
Furthermore, when requesting information, non-covered companies should check whether the requested data is really needed and whether there is a legitimate interest. The principle of data minimisation must also be observed.
Non-covered companies should seek individual legal advice for LkSG-induced contract amendments or contractual assurances. Legal advice is also useful for drafting the company’s own code of conduct, structuring its information policy and developing a disaster plan.