

The Supplier Code as a practical means to ensure compliance with supply chain due diligence

German Article published in Compliance Berater, 4/2023; author: Pia Windoffer

The German Supply Chain Due Diligence Act (SCDDA), which came into force on January 1, 2023, as well as the future EU Directive on Corporate Sustainability Due Diligence are part of a whole list of legal regulations worldwide looking to enhance the protection of human rights and the environment. Whilst the German SCDDA is currently establishing obligations for companies with more than 3,000 employees and from 2024 with more than 1,000 employees, the Draft EU Due Diligence Directive is aiming at companies with 500 or more employees and 250 and more employees in certain sectors. However, these regulations do establish due diligence obligations for the protection of human rights and the environment for significantly more companies than is apparent at first glance. The article published in Compliance Berater makes the case for the Supplier Code of Conduct as a suitable instrument for securing human rights obligations in the supply chain. It provides a proposal on how to deal with conflicting Supplier Codes of Conduct in a pragmatic yet legally compliant manner and is available for download in German language on the right-hand side.


I. Establishing due diligence obligations towards direct suppliers through supplier codes

If a company obligated under the SCDDA has decided on a supplier after conducting the appropriate risk analysis and screening the existing and potential suppliers for environmental and human rights-related expectations, it is obligated under Section 6 (4) No. 2 and No. 4 SCDDA to also specify these expectations contractually.

This can be done, for example, by including a so-called supplier code in the contract or in the general terms and conditions.

Both the SCDDA and the Draft EU Sustainability Due Diligence Directive recommend implementing a code of conduct as part of the sustainability strategy, as well as obligating business partners to comply with a supplier code - including in the further course of the supply chain.

Already today, many companies express in their Codes of Conduct what they expect from the company and its employees regarding compliance with legal and internal company requirements. The aim is to convey the company's values, provide clear guidance for employees' daily work and thus protect the company from major legal violations. Codes of Conduct primarily regulate the topics of (1) ethics and governance and thus the content of "classic" compliance in the areas of antitrust law, anti-corruption, data protection, money laundering and trade sanctions, (2) compliance with human rights and social (labour) standards as well as (3) measures to protect the environment.

If available, the contents of the company's own Code of Conduct will usually not differ significantly from the contents of the company's own supplier code. This is often because a company does not want to agree stricter rules for its suppliers than for itself - especially if the company wants to stand for fairness in dealing with its contractual partners. At the same time, the supplier code should be the result of the risk analysis required by the SCDDA. An example: the German tool manufacturer, whose plants meet all EU and national legal requirements in the environmental area, and who uses primary products made of metals such as tungsten or zinc for his production, must carefully examine whether the required metals fall under the Conflict Minerals Regulation, for example, and thus whether rules stricter than for the company itself must apply to the supplier.


1. Situation in medium-sized companies (“SME”)

In medium-sized companies, a Code of Conduct is not as common as in large, multinational corporations. However, the latter are increasingly demanding that their medium-sized business partners at least provide evidence of the existence of and compliance with a Code of Conduct or, alternatively, that they comply with the multinational corporation's supplier code.

This can become a problem for two reasons.

Firstly, companies not covered by the scope of the SCDDA have no obligation to cooperate or provide information arising from the SCDDA. Any information and confirmations that may be required should therefore only be provided if they are also certain to be correct and complete. If the supplier considers complying with obligations and prohibitions arising from the SCDDA, he must examine in detail before concluding a contract whether he can actually comply with the required contractual requirements. Otherwise, in the event of violations of such contractual obligations, there may be a risk of damages or even termination of the contractual relationship.

On the other hand, if the medium-sized company is a supplier for a large number of companies that are obligated under the SCDDA, there is a chance that the company will not be in a position to comply with the various supplier codes - even if they are similar in content.

At the same time, the SME will rarely be in a position to refuse cooperation, especially if it is a supplier for several companies subject to the SCDDA. This is because the latter, due to their legal obligation, will at best be able to reduce the obligations for the supplier to the bare legal requirements, unless the result of their own risk analysis contradicts this. If the supplier refuses to give the (necessary) consent to such cooperation, the purchasing company will probably have the right to disengage and thus to terminate the supply relationship without notice based on Section 7 (3) of the SCDDA1.

As a result, the medium-sized companies that legally are not subject to the scope of the SCDDA are forced into compliance with the SCDDA as a matter of fact. This is also in line with the intention of the legislator: "In principle, companies that do not fall within the scope of the SCDDA should also implement due diligence obligations. The UN Guiding Principles on Business and Human Rights are addressed to all companies. The National Action Plan on Business and Human Rights ("NAP"), which formulates corresponding expectations for all companies based in Germany, has already been in force since 2016."

Therefore, a "flight forward" offers itself: the introduction of basic elements of a compliance management system. This includes the adoption of a company's own Code of Conduct with the elements outlined above.

This is complemented by supplier codes, which set out the company's own corporate values and requirements for compliance as well as its expectations of its contractual partners. The supplier code can thus fulfil two functions: on the one hand, it serves as an assurance for the purchasing company subject to the SCDDA, and on the other hand, it can preserve and pass on the obligation to comply with human rights and environmental standards further down the supply chain.

Companies that already use supplier codes are well advised to review their supplier codes to determine the extent to which the regulations and risks listed in the SCDDA are already covered. In addition, the need for further assurances may arise from the suppliers' respective risk analysis.


2. Content requirements for the supplier code under the SCDDA

In the explanatory memorandum to the government draft, the SCDDA assumes that companies set out in their supplier codes what they expect from their suppliers with regard to international human rights and environmental regulations. This way, possible risks in these areas should be prevented or minimized.

Section 6 (4) no. 2 SCDDA requires the company to demand those human rights and environmental protection standards that are relevant according to its risk analysis. This may lead to the company deciding to use different regulations and perhaps supplier codes in some circumstances - depending on the risk level of the supplier. Here, the number of suppliers will certainly matter. For groups that may have to deal with thousands of suppliers, a classification by risk groups (risk level, country risk, product/pre-product risk) and different regulations for this are advisable - either in the form of different supplier codes or in additional contractual regulations to cover the specific human rights or environmental protection risks.

It is also advisable to define the company's expectations in the supplier code regarding the willingness to cooperate in the event of problems and the passing on of the standards laid down in the supplier code in the further upstream supply chain.

Finally, it is advisable to address the "classic" compliance issues such as anti-corruption, compliance with trade sanctions, antitrust law, and data protection in the supplier code. This should be combined with information on the grievance mechanism (whistle blower procedure) open to suppliers to report violations or concerns.

a. Regulations from the area of social responsibility/protection of human rights, Sec. 2 (2) SCDDA.
The contents of the supplier code must result from the company's risk analysis. If the company concludes that it only needs to address individual risks due to regional or industry-specific risks, then it should do so.
Companies must look closely at which of the human rights listed in Section 2 (2) are relevant to their suppliers:

  • Prohibition of child labour under the age of 15 (Convention No. 138 of the International Labour Organization "ILO")
  • Prohibition of the worst forms of child labour under the age of 18 (ILO Convention No. 182), such as slavery, child trafficking, debt bondage and servitude, forced or compulsory labour and forced or compulsory recruitment of children; child prostitution and pornography; drug trafficking and work that could harm the health and safety of children
  • Prohibition of forced labour (ILO Convention No. 29)
  • Prohibition of slavery and similar practices, including economic or sexual exploitation
  • Prohibition of disregard for local labour protections, including workplace safety regulations, lack of protective measures or rest periods, adequate training
  • Prohibition of disregard for freedom of association to trade unions or the right to strike
  • Prohibition of unequal treatment and discrimination, including unequal pay for work of equal value
  • Prohibition of withholding a fair wage (local minimum wage)
  • Prohibition of causing harmful soil degradation or other harmful environmental impacts that affect the livelihood of the local population, impede access to drinking water or sanitation, and are harmful to health
  • Prohibition of unlawful eviction or deprivation of land, the use of which secures the livelihood of a person
  • Prohibition on the hiring or use of private or public security forces if they torture, harm life and limb, or interfere with freedom of association and freedom of association

b. Environmental regulations, Section 2 para. 3 SCDDA
In accordance with the company's risk analysis, further regulations outside the SCDDA are to be included here in the Supplier Code of Conduct where relevant. The SCDDA lists:

  • Prohibition of the production and use of mercury-added products, including the treatment of mercury waste ("Minamata Convention").
  • Prohibition of the production and use of chemicals and their disposal ("POPs Convention")
  • Ban on export and import of hazardous substances ("Basel Convention").

In addition, the EU SDS-E still incorporates the OECD due diligence guides for various industries and sectors, such as production of and trade in textiles and clothing, agriculture and forestry, production of food products, extraction of mineral resources, and trade in chemicals (p. 42, no. (22) of the draft EU Sustainability Directive). Companies should consider examining the relevance of these standards now as well.

c. Further obligations of the supplier
Section 6 (4) no. 2 SCDDA stipulates that companies must obtain contractual assurances from their suppliers that (1) they themselves will comply with the company's human rights-related and environmental expectations and (2) that they will also address these expectations appropriately in the (upstream) supply chain. Control mechanisms for monitoring compliance with the human rights strategy must also be contractually assured (Section 6 (4) No. 4 SCDDA). In addition, the SCDDA requires the implementation of training courses at the direct supplier (Section 6 (4) no. 3 SCDDA), as well as in Section 7 (2) no. 1 SCDDA the "joint development and implementation of a plan to end or minimize" the violation of human rights or environmental obligations. Such rights of influence should be the subject of the regulations in the supplier code.
It is also conceivable to formulate the expectation in the supplier code that the supplier maintains an appropriate management and control system - and must also demand this from its suppliers (indirect suppliers pursuant to Section 2 (8) SCDDA) ("pass-on clause"). Although this does not replace proof for the company that it has ensured appropriate standards in the further supply chain, it can have an indicative effect on the company's compliance with its due diligence obligations.

d. Considerations under General Terms and Conditions (“GTC”) law
The contractual obligations should be designed in such a way that the requirements arising from the SCDDA can be adapted after conclusion of the contract depending on the respective results of the risk analysis or also more recent developments in the company or at the supplier. This might take the form of an opening clause. Considering that this is a standalone document with a certain set of rules relating to human rights, rule of law and environmental protection, supplier codes may be easier to adapt than, for example, general purchasing conditions with a whole variety of regulations.2 Nonetheless, supplier codes regulating a large number of business relationships qualify as general terms and conditions under Section 305 (1) of the German Civil Code.3

Accordingly, when drafting supplier codes, care must be taken to ensure that they do not contain unrealistic requirements as supposedly appropriate preventive measures which the supplier cannot foreseeably fulfil without support. The request to fulfil certain far-reaching requirements may constitute an unreasonable disadvantage and therefore be invalid under Section 307 (2) German Civil Code. If the company sets higher requirements than foreseen by the law, it must accommodate its contractual partners with a transfer of knowledge or technology or with regard to prices and delivery times and negotiate on an equal footing. However, as long as obligations reflect the wording of the SCDDA or its content and thus are primarily declaratory in nature, the obligations outlined here are unlikely to be objectionable under the GTC content review. At the same time the risks identified in the specific risk analysis need to be adequately addressed. Therefore, provisions need to be formulated subject to conditions and thus reflecting the company's need for flexibility in case there is a change in the results of the risk analysis. An example might be a clause that grants the using company the right to conduct on-site inspections at the supplier's premises, but only if the supplier gives cause for significant suspicion of human rights violations. Ultimately, the concrete formulation of the obligations is decisive for the question of whether they might be prohibited under GTC law and are therefore possibly invalid. A careful review of all clauses is therefore recommended.


II. What to do in case of conflicting supplier codes of conduct

As described above, medium-sized suppliers not subject to the SCDDA will find themselves confronted with a large number of supplier codes of the purchasing companies and/or corresponding general terms and conditions or supply contracts drafted in accordance with the SCDDA. Accordingly, such a supplier is faced with the question of how it should behave or what "compromise" it can offer the purchasing company.


1. Submission to a foreign supplier's code of conduct

A promise to comply with such a large number of supplier codes and to oblige one's own employees to do so is probably not only impractical, but also legally impossible. Under certain circumstances, questions of co-determination law may even arise pursuant to Section 87 (1) No. 1 of the Works Council Constitution Act (BetrVG) as a regulation of the "order of the company", which would also stand in the way of a simple agreement to third-party supplier codes. It is doubtful whether a "general obligation" of suppliers to comply with the supplier code of the purchasing company would lead to a greater sense of responsibility, especially if such a supplier code does not fit the specifics of the supplier.8 Finally, the obligations might not even be adequate and appropriate.
Supplier codes are often very similar in content and therefore there are hardly any contradictions and rather similarities between the requirements from the different supplier codes. Frequently, the codes also only reflect what is self-evident and required by law.9 However, it should be noted that the "devil is probably in the details" here. The supplier codes, if they have been drawn up correctly, are the result of the risk analysis of the company using them. This means that special attention may be required precisely in those areas where there are deviations, and it cannot be assumed without further ado that there is no contradiction. Furthermore, companies that do not fall under the scope of the SCDDA are not legally obligated to some of the standards postulated in the SCDDA. In that case, submission to the foreign supplier code becomes a civil law obligation with corresponding claims for damages or termination.
Suppliers not subject to the SCDDA are therefore advised not to submit to the supplier code of the purchasing company. This is also the conclusion reached by the Center for Business Ethics and the BDI.


2. Industry standards

If a supplier is not subject to the SCDDA and does not have its own supplier code, it may join an existing industry code or develop a company's own code on such basis.10 The prerequisite is that such an industry code meets the requirements of the SCDDA and already enjoys a certain level of acceptance. This is currently the case, for example, with the Code of Conduct of the German Association of Materials Management, Purchasing and Logistics (BME), the Code of Conduct of the ZVEI-VDMA, the Code of Conduct of the German Textile + Fashion Association (Gesamtverband Textil + Mode) and the German Retail Association (HDE), or the handout for text modules for the SCDDA of the German Medical Technology Association. These cross-industry codes of conduct or model clauses describe the areas of regulation and principles of conduct recommended under the SCDDA, as well as other regulations of "classic" compliance. Adoption is voluntary for the member companies. At the same time, they represent a facilitation in business transactions, because recourse to an industry standard facilitates an assessment as "equivalent and sufficient". However, industry codes may not be sufficiently tailored to the situation of the using company. And the question of submission to further (non-industry) codes of conduct or supplier codes also remains (see p. 3 of "Anerkenntnis fremder Verhaltenskodizes").

Ultimately, adherence to an industry standard does not waive the need to audit the extent to which these industry standards are complied with. Some industry associations are addressing this problem by creating corresponding auditing companies, such as the "Responsible Supply Chain Initiative RSCI e.V." association of the VDA (German Association of the Automotive Industry) or the worldwide Responsible Minerals Initiative.


3. Mutual recognition of codes of conduct/supplier codes

In case a medium-sized company wants to reference its own supplier code which might conflict with the other party’s code and terms, the question arises under GTC law as to whose terms and code prevail. In addition, in the past such references to a company's own code of conduct or supplier code usually went unheeded because the purchasing companies, taking advantage of their buying power, did not want to go through the trouble of checking the supplier's code of conduct or supplier code (see p. 2 of "Anerkenntnis fremder Verhaltenskodizes").

Also, defence clauses in the general terms and conditions can be an obstacle to agreeing on a standard from an ethical, human rights and environmental protection perspective.

For this reason, the Federation of German Industries (BDI) proposed as early as 2010 a mutual recognition of the relevant codes in the event of conflicting supplier codes or codes of conduct. This way, the parties can avoid non-compliance as well as submission to the code of the other party.
An "informal waiver of acceptance/submission" postulated by the BDI in 2010, for example by email with code of conduct or supplier code attached, is indeed unbureaucratic and, in the opinion of the BDI, avoids complex legal follow-up questions. However, against the current background of the SCDDA and its documentation obligations, it is recommended to have a formal recognition agreement between company and supplier. Depending on how the agreement is structured, the company's own code of conduct or supplier code becomes a binding part of the legal relationship with the contractual partner and can have consequences under liability law. According to the BDI proposal, a recognition agreement may contain the following elements:

  • Recognition of the respective codes of conduct or supplier codes as equivalent
  • Waiver of contractual submission to the other party's code of conduct
  • Commitment to compliance with the respective code of conduct or supplier code
  • Obligation to provide information in the event of changes to the code of conduct or supplier code
  • Provisions for possible violation of own code of conduct or supplier code, e.g., cease and desist, moratorium, remedial action or termination, if applicable
  • Scope of the agreement (e.g., extension to Group companies)
  • Possible rights to information and auditing, e.g., in the event of a suspected violation of the code of conduct or supplier code

The above regulations are intended as guidance and are no substitute for a legal review or advice.


4. Example USA: supplier code and buyer code

With regard to the objectives (namely the improvement of working conditions and the human rights situation in production) pursued by the SCDDA and the many other standards of the United Nations and the OECD, the American Bar Association ("ABA") takes an interesting approach: It proposes that there should be two codes of conduct in the supply chain context: a code of conduct for the purchasing company ("Schedule Q")11 and a code of conduct for the supplier ("Schedule P")12 that is variable and in each case addresses the industry, production environment, and human rights and environmental situation. Schedule P obligates the supplier to impose the obligations from this code of conduct on its other suppliers. In Schedule Q, on the other hand, the buyer commits to a purchasing code of conduct. Here, for example, provisions address the case in which a change in delivery deadlines or drastic changes in costs (for example, of energy prices or certain preliminary products) mean that the business partners (must) enter into a dialog to prevent these changed basic conditions from being carried out on the backs of the employees at the supplier. In the "Model Contract Clauses" referring to Schedule Q and P, there has also been a departure from the strict liability clauses that are otherwise frequently used, particularly in the US legal sphere. The Model Contract Clauses now "only" specify the requirement for reasonable efforts and good due diligence as measures to better achieve the goal of human rights protection.

The Model Contract Clauses such as Schedules Q and P are very extensive and predominantly tailored to the Anglo-American sphere, which is why they appear to be only partially suitable for a pragmatic implementation of the SCDDA.13 Nevertheless, it is worth taking a look at them, as these models follow international initiatives such as the UN Global Compact and the ILO core labour standards and are likely to be particularly helpful for companies with extensive international business relationships.


III. Conclusion

The more companies fall within the scope of the SCDDA (and in the future the requirements of the Draft EU Sustainability Directive) and the more legislators worldwide take up the issue, the more medium-sized companies that legally do not fall within the scope of the SCDDA will also be confronted with the requirements to protect human rights and the environment. It is therefore advisable to develop your own code of conduct and supplier code now on the basis of the company's own risk analysis and consideration of your own supply chains and to bring a corresponding risk-adequate compliance management system to life. Within the framework of mutual contractual recognition of the relevant codes of both parties, it should be possible to avoid lengthy discussions and contract negotiations and thus liability risks.

Published April 2023

1 S. Wagner in: Wagner/Ruttloff/Wagner, Das Lieferkettensorgfaltspflichtengesetz in der Unternehmenspraxis, 1st ed. 2022, ch. 14, Rn. 2131 with reference to Grabosch (FN 12), § 5 Rn. 114
2 Gehling/Ott/Lüneborg, CCZ 2021, 230/236
3 Depping in: Depping/Walden, LkSG-Kommentar, 1st ed. 2022, § 6 Rn. 71
4 Gehme/Umbert/Philippi in: Johann/Sangi, LkSG-Handkommentar, 1st ed. 2022, § 6 Rn. 53
5 Grabosch in: Grabosch (ed.), „Das neue Lieferkettensorgfaltspflichtengesetz“, 1st ed. 2021, § 5 Rn. 95
6 Grabosch (Fn. 12) § 5 Rn. 95
7 Cf. BGH, 9.5.2001 – IV ZR 138/99, NJW 2001, 2012/2013
8 Brouwer/Schreiner, CCZ 2010, 228
9 Brouwer/Schreiner, CCZ 2010, 228 (229)
10 Brouwer/Schreiner, CCZ 2010, 228 (230)
11 Responsible Purchasing Code of Conduct: Schedule Q, for Balancing Buyer and Supplier Responsibilities: Model Contract Clauses to Protect Workers in International Supply Chains
12 Schedule P Building Blocks, for Balancing Buyer and Supplier Responsibilities: Model Contract Clauses to Protect Workers in International Supply Chains
13 See Depping in: Depping/Walden (FN. 10), § 6 Rn. 69
