IT-Outsourcing describes a form of outsourcing, where IT processes are not (or no longer) provided by a company’s own resources, but rather by specialised service providers. Depending on the nature and characteristics of the outsourcing, the services in question are either performed onsite at the premises of the company which is outsourcing or onshore, i.e., in the same country as that company. This is usually determined by the selection of a specific service provider. If a service provider operates on a supra-regional or global level, the service provider may choose to pool its resources in certain countries and provide its services partly or entirely from there. Where the services are carried out from a country within the EU or EFTA, from a Swiss point of view, this is sometimes referred to as nearshoring, while, services provided from a country outside the EU or EFTA, are often labelled as offshoring. However, the exact attribution and terminology can vary from case to case. The provision of services from a specific foreign country or particular region often poses a problem in the context of cloud computing, a type of computing in which scalable IT resources, such as storage capacity, processing power, system platforms, processes or applications are provided as an on demand service via a network. Depending on the design of the cloud model, clients have no way of determining from where the services are provided, where their data is processed and stored. To what extent this presents a risk, must be assessed on a case-by-case basis.
IT outsourcing contracts can quickly become very complex. In the case of nearshoring and offshoring, there is also the international element to consider. Accordingly, questions arise as to which law applies and whether foreign authorities could have access to the customer’s data. In terms of data protection, the relevant issue to be addressed in this context is whether a country from which services are provided ensures an adequate level of data protection. Furthermore, depending on the client, it should be examined whether there are statutory requirements restricting or complicating (cross-border) outsourcing, for instance where confidential information is concerned or in the area of dual-use. Cloud services may harbour further risks, such as the possible loss of control over data or lack of data portability and lock-in effects in connection therewith. This is aggravated by the fact, that a possible internationality of a cloud service is not readily apparent. Therefore, clients are well advised to identify and assess risks as early as possible – ideally even before a request for proposal is issued – or at the very least in parallel with the project.