Technology & Outsourcing 2023 Comparisons

Firstly, it should be noted that outsourcing is generally the most important method for companies to focus on their core business. By outsourcing all processes and activities that are not company-specific, know-how can be concentrated and used in a targeted manner. With increasing digitalisation and new technologies such as blockchain, cloudification, big data and data analytics and machine learning, the business environment needs to keep pace. The necessary and rapid evolution of technology is forcing companies to redefine, re-evaluate and ultimately digitise internal processes and workflows. This, of course, means considering the outsourcing of any processes that cannot be done in-house, especially in the IT area or when it comes to IT-related issues.  

Overall, it is clear that companies have by no means exhausted their outsourcing potential, despite the increased supply. Moreover, IT outsourcing has grown steadily across all company sizes in recent years and is expected to continue to grow significantly in the coming years. 

The main reasons for IT outsourcing are to improve the quality of IT services offered, to modernise internal IT and to reduce IT costs. Interestingly, Austrian companies tend to prefer domestic service providers. When outsourcing abroad, neighbouring countries such as the Czech Republic, Romania, Poland or Slovakia are preferred. Local proximity offers greater flexibility in co-operation. However, the use of domestic or in-country service providers is becoming more common as the potential for cost savings diminishes. 

COVID-19 

The pandemic has undoubtedly led to some pressure for virtualisation of the corporate environment and an associated increase in the quality of digital communications. However, it is too early to say what the pandemic’s  impact will be on companies’ outsourcing practices, as they cannot yet be estimated. In any case, as mentioned above, digitisation has continued. Virtual collaboration has also required the use of new governance and leadership approaches in outsourcing management. 

As a rule of thumb, it has been shown that only those processes that are not specific to the company, ie, related to its core business, are outsourced. 

Particularly in HR, the leading outsourced business processes are training management, operating HR systems and payroll. Applicant management and screening are also areas in which external providers are constantly involved. Here, technology is often used to exclude unsuitable applicants from the process as a first step. Applications, artificial intelligence (AI) and similar technologies can be used to filter out candidates who lack certain basic skills through keyword searches or even to conduct an initial interview with a potential candidate.  

The increasing demand for BPO is due to the growing shortage of skilled labour and the problems associated with it: the growing demand for highly skilled workers, the lack of suitable junior staff and the loss of skilled workers. Added to this are issues such as demographic change and the need to support and integrate older employees. These circumstances also contribute to the outsourcing of business processes that require little or no knowledge of the specific company. Popular examples in this area are data protection officers, compliance officers, recruiters and similar positions. 

In the market, service providers have significantly expanded their range of products and services, especially in the area of AI and cloud services. There has also been a significant increase in the number of start-ups with innovative solutions, offering customised products through increased flexibility and competitive prices due to their size.  

The HR sector in particular stands out when it comes to new technologies: AI providers promise that significant parts of HR management can be taken over by self-learning algorithms. AI solutions are also expected to be integrated in the following areas in particular:  

• ongoing monitoring and assessment of employees; 
• employment termination decisions; and 
• promotion decisions. 

It is precisely the decision to terminate employment that is expected to save employers money. The supposedly objective personnel decisions made by AI are intended to reduce the risk of litigation over unjustified dismissals. The aim is also to avoid decisions based on the personal preferences of line managers and to counteract possible discrimination. However, the use of such technologies must respect the limits set by data protection and employee protection legislation. The legal boundaries in these areas are often grey, as they have not yet been conclusively clarified by the courts and will continue to evolve, as will the technical possibilities. 

One of the most well-known examples for the use of outsourcing are call/customer service centres, where chatbots or other forms of AI are often used. In the case of more complex enquiries of the customers, these are passed on to ‒ often external ‒ agents. 

In Austria, there is currently no cross-industry legislation specifically governing outsourcing practices. However, certain highly regulated sectors include provisions on outsourcing in their respective substantive laws; see also 2.2 Industry-Specific Restrictions.  

In general, it can be said that the applicable legislation depends on which business activities are outsourced; see also 4. Contract Terms. However, the outsourcing of entire business processes or even specific tasks to third parties may also be provided for by law, but this is more a matter for the public sector. 

However, legal restrictions may relate in particular to data protection issues; see 2.3 Restrictions on Data Processing or Data Security. 

As already mentioned in 2.1 Restrictions on Technology Transactions or Outsourcing, highly regulated industries in particular have their own legislation on outsourcing. This includes the entire financial services sector.  

Financial Sector  

There are special rules on outsourcing for payment institutions, insurance and securities companies and credit institutions. For this sector, not only the national, but above all the European supervisory authorities are helpful: for example, credit institutions should refer to the European Banking Authority’s Guidelines on Outsourcing as a means of interpreting the legal provisions regarding the design of outsourcing projects. 

It is important to note that service level agreements must be in writing. However, credit institutions must have sufficient resources to monitor the outsourced activities. Core banking activities, in particular the deposit and lending business as well as final decisions, cannot be outsourced.  

The risks associated with outsourcing arise primarily from the fact that IT functions, and therefore necessarily personal data, are outsourced to a third party. IT outsourcing means that the client relinquishes power and authority over the security of its systems and data to a third party, although it remains legally responsible for them.  

Data Protection in General 

The legal framework in the area of data protection is primarily outlined by the GDPR. Austria has its own data protection law, which complements the European requirements. However, the main difference is that Austrian law not only protects the personal data of natural persons, but also extends its protection to the personal data of legal persons.  

Data protection law recognises different roles ("actors") in the processing of personal data. This goes hand in hand with a clear division of responsibilities. During data processing, it must be clear throughout the process (ie, from collection to destruction) which role is assigned to each actor.  

In particular, when personal data is processed through outsourcing practices, it is important to determine whether the service provider is acting as a processor or as a third party in terms of data protection law. In short, special attention must be paid to service providers acting on behalf of the outsourcing company or other persons authorised to process personal data. To address these and other relevant issues, specific data protection clauses are included in outsourcing contracts. In any case, it is important that the security of data processing by the provider is guaranteed. In the event of a data breach, eg, as a result of a hacking attack, the data protection responsibility lies with the responsible party, ie, the outsourcing company.  

When outsourcing abroad, special care must be taken with service providers based outside the EEA. The level of data protection required by European and national law must be maintained and there must be no security gaps. Some non-EEA countries have been certified by the EU Commission as having an adequate level of data protection.  

The NIS2 Directive

The new EU Cybersecurity Directive, known as "NIS2", will impose mandatory security measures and incident reporting obligations on many companies in certain sectors from October 2024. 

Currently, the rules in force mainly affect critical infrastructure companies and digital service providers (online marketplaces, online search engines and cloud computing services). The NIS2 will extend the scope to other sectors and require certain risk management measures to be taken. In addition, there will be reporting requirements and the duty of governance bodies to oversee implementation, as well as liability in the event of non-compliance.

There is no standard outsourcing contract in Austria. 

In classic outsourcing relationships, the customer rents specific, usually also specifically designated (assigned to this customer alone) IT infrastructure and related (maintenance and support) services. This offers and at the same time requires flexibility in the design of the outsourcing project and the associated contracts. For this reason, the specific contracts vary from case to case as they are individually drafted and negotiated to meet the specific outsourcing requirements. 

As general civil and company law rules apply, these must also be taken into account in the drafting and interpretation of contracts, liability and warranty. With respect to the specifics of licensing and other grants of rights, the Copyright Act and other relevant principles of intellectual property law and the Unfair Competition Act apply. 

In general, alternative contract models are not widely used. As the services and agreements are usually very individual, the contracts are also customised. Special models in the form of joint ventures (JVs) are rather unusual, as they do not have an appropriate cost-benefit ratio. A JV may be set up where a supplier wishes to develop or market a product jointly with the customer, but this is quite rare. 

Digital transformation has not yet led to a significant change in the contract models used in Austria. Although it can be observed that technology-savvy companies in particular are interested in using alternative contract models such as smart contracts in their day-to-day business, the legal issues associated with digitalisation have not yet been fully addressed in the Austrian judicial practice. 

Contractual warranties and liability provisions are an integral part of outsourcing agreements. This is to ensure that the outsourcing service provider performs its tasks with due care, with qualified personnel, in compliance with all applicable legal provisions, etc. However, in the B2B sector, warranties may even be limited or excluded. When a warranty claim arises depends, of course, on the specific service owed. It is therefore important to precisely define the services to be provided. 

Under Austrian law, the parties are generally free to agree on how long they wish to be bound by a contract and what termination periods should apply. This applies in particular to B2B relationships.  

In the case of fixed-term contracts, these end with the expiry of the term. It is quite common for contracts to contain clauses that provide for automatic renewal (for a pre-defined period of time) if neither party terminates the contractual relationship. If a contract is terminated by either party before the end of the term without good cause, a "contractual penalty" is often agreed. 

Termination for good cause is always possible. What constitutes good cause can vary and ultimately depends on the individual case. These reasons are usually set out in the contract and are therefore predefined. In the context of outsourcing, these reasons may include poor performance by the provider, late payment, data protection breaches or similar.  

In practice, it is important that the consequences of terminating the contract are also clearly defined. In particular, if certain internal processes are outsourced, the handover should be contractually guaranteed in order to ensure the smooth continuation of all other operations and processes. 

Austrian law defines damage as an injury to someone’s property, rights or person. Claims for damages can be brought before the courts within three years from the date of knowledge of the damage and the party causing the damage. However, there is a general limitation period of 30 years. 

A distinction is made between pecuniary loss and non-patrimonial damage. 

• Pecuniary loss, ie, damage to existing goods, and loss of profit: whether the injured party is to be compensated for loss of profit depends on the fault of the injuring party: pecuniary loss, including loss of profit, is to be compensated only in the case of gross negligence on the part of the injuring party. In B2B transactions, however, loss of profit is always compensable.  
• Non-patrimonial damage only affects the emotional world of the injured party (eg, compensation for pain and suffering, loss of enjoyment of a holiday). 

A further distinction is made between: 

• non-performance damages, which arise from the fact that a contractual obligation has not been fulfilled; and  
• damage caused by reliance, which occurs when a person relies on the conclusion of a contract, but the contract is not concluded. 

The concept of implied terms is somewhat foreign to Austrian law.  

If a party’s declaration of intent is doubtful, the so-called trust theory applies. According to this theory, a declaration of intent is to be interpreted as a bona fide recipient of the declaration would have understood it. In the event of disagreement between the parties, the literal meaning of a declaration in its ordinary sense must be taken into account first. If a subject is not regulated at all, Austrian statutory law ‒ the Austrian General Civil Code ‒ is usually used to fill the gap; it does not contain any specific provisions on outsourcing. Rather, outsourcing contracts have various elements of different types of contracts, such as contracts for services, leases or sales contracts. 

Of course, contracts must always comply with the requirements of the GDPR. In addition, the following clauses are often included regarding the obligations of service providers: 

• comply with the client’s internal data protection requirements and policies; 
• continuously improve  technical and organisational security measures to reflect the state of the art, including conducting stress and security tests;  
• the prohibition to use the transmitted data for purposes other than those specified in the contract; and  
• the acceptance of audits carried out by the customer. 

Typically, the provider will contractually commit to certain technical cyber and data security measures. Outsourcing agreements primarily address the encryption of data in transit and data at rest. Typically, the parties agree on key performance indicators (KPIs) against which performance can be measured and reviewed. Repeated failure to meet KPIs is often agreed to be grounds for termination. 

If the technology or outsourcing is a cloud-based solution, the general remarks on contractual terms and conditions still apply. However, depending on the specific contract, additional details regarding data security and the place of processing will be required. 

Transfer of Operations 

According to Article 1 (a) of Council Directive 2001/23/EC, transfer of operations (Betriebsübergang) means any transfer of an undertaking, business, or part of an undertaking or business to another owner as a result of a legal transfer or merger. In any case, the above directive requires that an economic entity is being transferred, whereby this economic entity retains its identity, meaning an organised grouping of resources which has the objective of pursuing an economic activity, whether or not that activity is central or ancillary. 

For the assessment, whether a transfer of operations has taken place, the following characteristics shall be considered. 

• Is the transferred entity to be qualified as an economic entity? 
• Did the new owner continue the previous (or a similar) business activity following the transfer? 
• Has a takeover of assets, significant employees or customers taken place? 

In order for a transfer of entity to be qualified as a legally relevant transfer of operations, all characteristics shall be assessed individually as well as in their entirety. However, it is not required that all of those are fulfilled simultaneously; it is sufficient that a certain intensity and density threshold is exceeded. This should be assessed in each case individually. 

As mentioned above, the entity at question must be transferred to a new owner. The legal grounds for the transfer or the conclusion of purchase agreements are equally irrelevant in this context as the ownership over the transferred assets. A new owner is to be considered, to whom the actual power of disposal over the entity in question and thus the essential employer functions have been transferred. The new owner shall thus have the actual power over the management and the organisation of the transferred entity. 

From a labour law perspective, a transfer of operations is to be considered completed when the responsibility (ie, power over the management and organisation) for the entity in question is transferred to the new owner, irrespective of the conclusion of the underlying legal transaction. Since the transfer is not linked to the underlying legal transaction, the actual circumstances of the individual case are decisive. Therefore, neither the transferor nor the transferee could agree on an alternate point in time by which the transfer should be completed. 

Legal Consequences 

As a general rule, in the case of a transfer of operations, the new owner shall take over as employer with all rights and obligations of the employment relationship existing at the time of such transfer. The employees, however, may object to such takeover within a month if the new owner refuses to take over the collective bargaining agreement protection (kollektivvertraglicher Bestandschutz) or the company pension commitments (betriebliche Pensionszusagen). As a result of such objection, the employment relationship of the objecting employee will remain with the transferor in its prior form. 

As a result of new ownership, it may also come to a change of the applicable collective bargaining agreement (Kollektivvertrag) or works agreement (Betriebsvereinbarung), following which the working conditions may also worsen. Should the worsening be of substantial character, the employees in question may terminate their employment relationship within one month from the date on which they became (or should have become) aware of that worsening. This termination is, however, subject to the periods and dates of notice stipulated by law or by the collective bargaining agreement. The employee shall be entitled to the same claims which would apply in the case of termination by the employer. 

Outsourcing 

As opposed to a traditional in-house operation, outsourcing entails the involvement of a third party outside of the company (be it within the corporate group structure or outside of it) for the purposes of handling operations or providing services for the company. From a labour law perspective, the process of such hiring out may under certain circumstances ‒ as mentioned above ‒ be qualified as a transfer of operations.  

If the outsourced tasks or field of activity represent an independent economic entity of the outsourcing company and the process is thus considered to be a transfer of operations, the legal consequences discussed above will also apply to such outsourcing. That means that the employment relationships of the employees employed in the transferred entity will also be transitioned to the new owner of the economic entity, whereby reference is made to special objection and termination rights of such employees. 

Conclusion 

The qualification of a process as transfer of operations may only be made based on the circumstances of each case individually, whereby the extensive case law of the European and the Austrian courts may provide a first point of reference. 

Labour law rules governing employee transfers apply not only for traditional transfer processes but also in certain cases for outsourcing practices. The principle is simple: if the general requirements for the process to be qualified as a transfer of operations are met, irrespective of this process being an outsourcing, the consequences shall be the same as for traditional transfers. 

As described in 5.1 Employee Transfers, the practice of outsourcing may be considered as a transfer of operations. In such case, the company owner has a duty to inform the workers’ council. Even if the plans of outsourcing may not be considered as a transfer of operations, outsourcing generally involves at least a change in the company’s operations which also triggers rights of the workers’ council. Such a change in the company organisation already exists if the internal organisation (division into departments) and the regulation of responsibilities in the company (hierarchical structures) are changed.  

In both cases, the owner of the company is obliged to inform the workers’ council of the planned changes at a time and in a manner that enables the workers' council:  

• to assess the possible effects of the planned measure in detail; and  
• to issue a statement on the planned measure. 

The workers’ council must therefore be involved at a very early stage in the planning. It must be informed at a time when it is still possible to influence the design of the planned measures. The duty of the owner of the firm to inform the workers’ council therefore already exists at the beginning of the planning stage.  

At the request of the workers’ council, the owner must consult with it on the design of the measures. The workers’ council may request that representatives of the competent body capable of concluding collective agreements (trade union and/or chamber of labour) may also participate in the consultation sessions. 

Therefore, in general and regardless of a transfer of operations, the workers’ council shall be given sufficient opportunity to submit proposals for the prevention, elimination or mitigation of consequences that may be detrimental to the employees.

There is no relevant information in this jurisdiction.

Austrian labour law defines the term "remote working" but does not impose any specific regulatory requirements. The legislator understands this to mean the performance of work at the residence of the employee or their close relatives, partners or from any secondary residences. 

Employees do not have a special right to work from home; rather, it must be agreed upon separately by the employer and the employee. Austrian law stipulates that such agreements must be concluded in writing. However, this is a non-sanctioning provision, because formal deviances do not lead to an invalidity of the agreement. 

The employer must provide the required digital work equipment for employees who are working from home. The employee and employer may agree otherwise; however, the employer must bear at least the reasonable and necessary costs for the digital work equipment provided by the employee for the performance of the work. The costs can also be compensated at a flat rate.  

A homeworking-arrangement can generally be terminated by either party for good cause by giving one month’s notice to the last day of a calendar month. The agreement may include a time limit and termination provisions. 

From a practical point of view, it is important to note that the employer can also call the employee into the company at a time they are working from home. The time spent travelling from their home to the office is then considered working time and must therefore be remunerated. When working from home, it should also be noted that the general working time regulations apply. Working time limits and rest periods must therefore be complied with. All health and safety regulations apply when working from home: the workplace must be state of the art and meet ergonomic requirements. However, it is the employee’s responsibility to implement these. 

In everyday working life, it is also important to comply with data protection and data security regulations when working from home. Employees should be informed about and trained in the proper handling of data and documents outside the office. Employees should be obligated to immediately report any data protection violations. Training on how to deal with possible cyber-attacks is also advisable.   

Collective bargaining agreements (CBAs) should also be considered. These can provide for more favourable conditions for working from home. Whenever these CBAs are more favourable than the legal provisions, they take precedence over them.  

This may concern the following points in particular:  

• the minimum content of homeworking-arrangements; 
• the forms of agreement;  
• the provision of work equipment; and
• the scope of cost reimbursement. 

With regard to tax, it should be noted that the employer must disclose the days on which the employee has been working from home in the payslip. The employer must indicate the number of such days in the payroll account and in the payslip. In the payroll accounting, the employer can take into account up to 100 work-from-home days per year at a maximum of EUR3 per day, ie, a maximum of EUR300 per calendar year on a tax-privileged basis. Therefore, the number of days must be calculated and compared to the lump sum received. If fewer days were worked from home, the lump sum exceeding the amount of actual home office days x EUR3 must be treated as taxable by the employer. However, the respective statutory provisions are limited until 2023.