The German Act on Corporate Due Diligence Obligations in Supply Chains (Supply Chain Act or SCDDA) has been passed. Its objective is to get companies to incorporate human rights and environmental protection into the entire supply chain.

After voluntary standards and self-commitments failed to deliver the desired results, the German Federal Council agreed on 25 June 2021 not only to binding rules on the quota for women on management boards, but also to increased regulation in the supply chain.

"All large companies on the global market need to act now, in their supply chains and in their own practice areas," said Federal Employment Minister Hubertus Heil on the introduction nof the German Supply Chain Act (Lieferkettengesetz). "We have fought hard and established a law that has legal consequences and packs a real punch."

In the future, a careful risk analysis needs to be carried out to determine whether a violation of human rights and environmental standards occurred in the past or can be expected in the future.

Many German companies are already struggling with the immense bureaucratic burden this entails even in the preparatory phase. Environmental associations and human rights groups, however, say the Act does not go far enough. Follow this link to the main article where we hope to dispel five misconceptions about this Act.

1. The SCDDA applies only to companies with 3,000 or more employees, so we cannot be affected.

Wrong: It is true that from 1 January 2023 the Act will initially apply only to large companies with their administrative headquarters or statutory seat in Germany that normally have at least 3,000 employees in Germany [section 1 (1) sentence 1]. According to the Explanatory Memorandum on the SCDDA, this concerns approximately 600 companies. A year later, this threshold will drop to at least 1,000 employees [section 1 (1) sentence 3 SCDDA], and will concern approximately 2,800 companies, according to the Explanatory Memorandum on the SCDDA.

However, even if your own company does not reach the thresholds mentioned, it can be expected that small and medium-sized enterprises (SMEs) will also be affected indirectly, since the large companies addressed will likely pass on the due diligence obligations imposed on them by law to their suppliers. In future, smaller companies will also be covered by the "sphere of influence" of the SCDDA without themselves being in-scope companies.

2. The Act will not pose any major problems for us, since our suppliers do not themselves manufacture the products that are critical from a human rights perspective, but purchase them from third parties.

Wrong: With regard to indirect suppliers [section 2 (8) SCDDA], which are companies that belong to the supply chain of the (German) company concerned but are not its contractual partners, the Act contains a necessary mitigation of the diligence obligations. Making due diligence obligatory would otherwise hardly be practicable, particularly in view of the lack of knowledge and enforcement options. However, in order not to relieve the companies completely of their responsibility, there are still some obligations to follow here.

More specifically, there will be a duty to carry out a risk analysis if the company concerned has actual indications that suggest that a violation of a human rights-related or an environment-related obligation at indirect suppliers may be possible (i.e. substantiated knowledge, section 9 (3) SCDDA). The company must then, among other things, establish "appropriate preventive measures" against the violator (e.g. by carrying out control measures, and must draw up and implement a prevention, cessation or minimisation concept).

In contrast, the risk analysis for direct suppliers (i.e. contractual partners, section 2 (7) SCDDA) must be carried out once a year as well as on an ad hoc basis if the enterprise must expect a significantly changed or significantly expanded risk situation in the supply chain, [section 5 (1) and (4) SCDDA].

It should also be noted that indirect suppliers must be treated in the same way as direct suppliers if the due diligence obligations are circumvented by evasive transactions or improperly structuring the direct supplier relationship [section 5 (1) sentence 2 SCDDA]. This applies in particular to the case of a "formal interposition" of a company in order to formally identify it as a downstream link in the supply chain, even though it is in fact a direct supplier.

3. The Act does not provide for civil liability of German companies in the case of human rights violations, so fines are the most that can be imposed.

Wrong: It is indeed the case that, according to the declared will of the legislator, the SCDDA is not intended to create any additional liability risks for companies under civil law. This was expressly clarified in section 3 (3) sentence 1 SCDDA.

As a consequence, the implementation of the due diligence obligations laid down in the Act, which is monitored by the German Federal Office for Economic Affairs and Export Control (Bundesamt für Wirtschafts- und Ausfuhrkontrolle or BAFA) is thus primarily sought through administrative fines (see section 24 SCDDA). Correspondingly, infringements are punishable by fines of up to EUR 8 million (depending on the type of infringement) or, for a limited number of grave infringements, up to 2% of the global annual turnover (for companies with an annual average turnover of more than EUR 400 million).

However, this does not mean that civil liability is off the table. Claims under section 823 of the German Civil Code (Bürgerliches Gesetzbuch - BGB) on the grounds of a breach of a duty of care and claims under foreign law are a realistic threat to German companies violating human rights.

While liability may not have been extended in substantive legal terms, something has happened in procedural terms: section 11 (1) SCDDA now extends the rights of domestic trade unions and non-governmental organisations (NGOs) regarding the assertion of third party rights violations in front of German courts. Thus, a person claiming to be the victim of a violation of a "paramount protected legal position" may authorise trade unions and NGOs to bring proceedings to enforce that person's rights in their own capacity (i.e. "special transfer of procedural authority").

4. Since the SCDDA applies to my company, we need our own human rights officer.

Wrong: It is true thatSection 4 (3) sentence 1 SCDDA gives the example of appointing a human rights officer in order to monitor the risk management. In accordance with section 4 (3) sentence 2, upper management must also be informed about the work of the responsible person or persons at least once a year.

However, this does not rule out the possibility of integrating the task of risk management into already existing departments (e.g. compliance officer, sustainability department, etc.) and having it carried out there. This does not necessarily have to involve creating a new job or hiring new employees. Nevertheless, the tasks associated with the due diligence obligations pursuant to section 3 (1) sentence 2 are likely to be quite substantial – at least in most companies – meaning that corresponding capacities have to be created for this.

5. The Act is of little relevance to us since it will be replaced by a European regulation in the near future.

Wrong: It is true that proposals for the introduction of corporate due diligence obligations have been prepared at European level by various institutions. For example, the EU Commission introduced a public consultation procedure back in October 2020 in which various stakeholders participated, such as companies and social groups. Simultaneously, the EU Parliament Committee on Legal Affairs drafted a report with recommendations to the Commission, which the European parliament adopted in March 2021. This contains, among other things, a proposal for a Directive that would impose even stricter obligations on companies than the SCDDA currently does.

However, the EU Commission has repeatedly postponed the presentation of its own draft for an EU-wide supply chain law, which was originally planned for June 2021. The draft was last expected on 8 December 2021 and has been postponed once again. If the Commission proposes a directive, an implementation period of two years from its entry into force can be expected.

However, the following already seems clear. Even if the precise content cannot be predicted due to the Commission not having submitted a proposal, the regulations will be stricter than the German Act.

EU Justice Commissioner Reynders stated: "We want to go a long way, a long way down the supply chain and a long way in terms of the number of companies involved."

This statement suggests that the Commission will follow the EU parliament's proposal for a Directive, which will include regulations applicable to small and medium-sized enterprises that are either listed on the stock exchange or are active in so-called high-risk sectors. As a result, the scope of the Directive is expected to be much broader. In contrast to the SCDDA, the European Directive, if the EU Parliament has its way, will not make the distinction between indirect and direct suppliers, but rather focus on whether there is risk attached to a company. If this is the case (i.e. if the company is active in one of the predefined high-risk sectors), the company is also at risk of having to answer for harmful conduct by suppliers further back in the supply chain, and thus in cases where liability would not exist under German law. It is also conceivable that a strict original civil law will be legislated at the EU level, which will include liability or group liability for presumed fault for due diligence violations.

It is therefore correct that a law implementing the Directive will in all likelihood amend, and probably also revise, the current SCDDA. However, even in view of the planned European legal instrument, we consider it advisable to become familiar with the requirements of the SCDDA now and integrate them into the existing compliance management system (CMS), taking into account future guidance from the German Federal Office for Economic Affairs and Export Control (BAFA). This is advisable not only to rule out risks to the company's reputation or to use the compliance with the Supply Chain Act for marketing purposes, but also to be prepared for expected future tightening.

Further information on conducting due diligence as well as on existing laws and bills in other countries including the EU level can be found in the White Paper on Managing Supply Chain Risk jointly published by CMS and the Boston Consulting Group (BCG).

Further experts to contact for all questions concerning the Supply Chain Act:

In our monthly series "Five Myths" on ESG, sustainability and CSR, we dispel untruths and clichés that you may encounter as a legal practitioner, such as in the field of labour law or compliance, and provide comprehensive legal advice that looks to the future.