For the past few years, enormous growth has been observed in outsourcing to the cloud, replacing traditional IT outsourcing. Initially the increase could be attributed mainly to smaller, highly innovative companies, including start-ups. Cloud migrations are now reaching the biggest enterprises in the economy, including in the heavily regulated financial sector. Meanwhile, according to market sources, traditional IT outsourcing in the EMA shrank by 19% in 2020.
Tech Giants Recognise Warsaw
In 2020 two tech giants – Google and Microsoft – announced their plans to open their cloud regions in Poland. In April 2021, Google announced that its Warsaw region is open. Furthermore, Microsoft is building its data centre and aims for it to go live in 2022.
Google and Microsoft’s focus on Warsaw is closely related to the establishment of the Chmura Krajowa (the domestic cloud), a suite of cloud services aimed at the Polish public sector, infrastructure and financial sector as well as at technology companies. The domestic cloud is an initiative of PKO BP, the largest Polish bank, controlled by the state, with an instrumental role played by Adam Marciniak, at the time PKO BP’s CIO. The domestic cloud co-operates closely with Microsoft and Google.
The primary drivers for the cloud transformation phenomenon are thought to be:
Legal and Regulatory Perspective
It is not only business reasons that are driving the transformation but legal and regulatory ones too. The approach of both regulators and internal compliance teams to cloud outsourcing has evolved. The cloud has been domesticated: from initial denial and rejection, a state of careful acceptance has been reached, and the contribution of IT legal advisers to that change of approach has been key.
As a general trend, a significant increase in the number of cases involving cloud outsourcing in its various models has been noted reaching lawyers' desks.
A key potential obstacle for the cloud market could be the General Data Protection Regulation (GDPR) restrictions on data transfers. Uncertainty arose after the Court of Justice of the European Union (CJEU) judgment in the Schrems II case in July 2020. Not only did the judgment declare the Privacy Shield, the basic tool for lawful personal data transfers to the USA, invalid, but it also questioned data transfers to the USA in principle. In response, global cloud suppliers increased their efforts to offer services in which data processing, or at least storage, is limited to certain areas, such as the European Economic Area (EEA).
Still, data transfers outside the EEA remain a key part of cloud co-operation for global players. Firstly, a significant part of the services offered rely on overseas data centres. Secondly, so-called regionalisation usually secures only the data storage location, not the data processing location. The processing of data might still take place outside the agreed storage location.
Regardless, neither the Schrems II judgment nor its aftermath, including complaints filed by Schrems’s foundation NOYB to the regulators in various jurisdictions, has reversed the trend.
The financial sector, with its specific and somewhat restrictive outsourcing regulations, has to be mentioned separately. The Polish Financial Supervision Authority (the "Polish FSA") plays a very active role in regulating the outsourcing of supervised institutions. On top of European regulations and regulatory guidelines, outsourcing in the Polish financial sector is specifically regulated by local laws and soft-law regulations.
At the beginning of 2020, after a couple of months of consultations, the Polish FSA issued its position on information processing by supervised entities using public or hybrid cloud computing services. The regulation is a set of rules for cloud outsourcing risk assessments and sets out the minimum requirements for cloud-based information processing. On the one hand, this is considered by some as an example of overregulation of the market; on the other hand, it clearly indicates that, under the given conditions, the cloud can be used by financial entities supervised by the Polish FSA.
Issuance of the Polish FSA’s position accelerated cloud transformation in the financial sector, especially for banks, which had refrained from contracting cloud services.
No significant changes have been identified in business process outsourcing (BPO) practices as a result of COVID-19. Where profitable and permitted by regulation, companies are still seeking BPO savings, know-how and risk transfer. The market remains considerable.
Poland remains a significant market for global shared service centres owing to well-educated, skilled and experienced human resources and to wages that, despite constant growth, remain competitive and allow for cost savings.
There were 42 new projects in 2020 and 22 between January and May 2021, most of them located in Warsaw.
When it comes to Polish companies using BPO, a key and general regulation impacting outsourcing is the GDPR. GDPR compliance is especially relevant for BPO providers basing their services on the cloud, as the majority do.
The Financial Sector
Depending on the sector, additional laws and regulations apply. The most regulated, when it comes to outsourcing, is the financial sector. Depending on the exact branch of the sector – eg, banking, investment, payment services – as well as the kind and criticality of the outsourcing required, local rules are very strict. For instance:
It is not only the financial sector that is subject to specific regulations on outsourcing. The impact on the BPO sector can be identified via the Act on the National Cybersecurity System (the "Act") implementing the NIS Directive into Polish law. The regulation covers the security of so-called key services in the economy. If outsourcing arrangements are part of the supply chain enabling the provision of key services, key service operators have to consider the Act’s requirements when organising and building their security systems.
The regulation’s impact on outsourcing may grow with proposed amendments to the Act that provide increased powers of authorities to influence the choice of suppliers. The National Cybersecurity System Act covers key entities operating in energy, fuel, mining, civil transportation, banking and finance, healthcare, water supply and digital infrastructure.
Among the biggest technology impacts in outsourcing is cloud computing. The phenomenon is multi-dimensional.
There has been a rapid development of process automation, machine learning and AI applications and a consequent decline in human involvement. In such an environment, more attention has to be paid to compliance with GDPR limitations.
A key challenge is automated data processing, which must be implemented carefully and in accordance with data protection impact assessment results and in compliance with privacy by design and privacy by default rules. GDPR compliance obligations are often skipped by the suppliers, which somewhat hinders the establishment of business relations with more prudent and insightful data controllers.
There are around 200 companies developing artificial intelligence (AI) solutions in Poland. Almost half of them are based in Warsaw. Poland is ranked seventh in the EU AI talent pool according to the State of Polish AI 2021 Report by Digital Poland. Indeed, foreign AI investors feel that Warsaw is an ideal location for developing AI initiatives due to the combination of talent availability, reasonable costs, quality of life and infrastructure, as well as proximity to Ukraine's talent pool, from where new resources can be recruited.
Most of the revenue of the Polish AI sector comes from abroad (primarily from the USA and the EU), and most of the financing is domestic. Half of AI companies benefit from public grants. AI is still perceived as innovation by the Polish market. The local AI adoption is the smallest in the EU, though the Polish shared service centre sector declares fast adoption of process automation and AI.
Blockchain adoption in Poland is in the early stages, except for various initial coin offerings and some attempts to implement private energy clearing systems. However, PKO BP, the largest Polish bank, implemented blockchain solutions to store client documentation (a so-called durable medium) as well as to keep the register of stockholders. PKO BP’s (ex) CEO Adam Marciniak initiated the project as well as a number of other transformational initiatives, including the previously mentioned domestic cloud. As for smart contracts, for now they remain only a buzzword in Poland.
The GDPR constitutes the main and most widely applicable regulation setting the framework for outsourcing. GDPR rules apply whenever outsourcing arrangements cover personal data processing. Most services do involve some aspect of processing of personal data.
In accordance with Article 28.1 of the GDPR, the controller shall only use processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the Regulation and ensure the protection of the rights of the data subject. Rules on the processing of entrusted data by a processor, as well as the content of contracts between the controller and processor, are subject to the specific requirements of Article 28.1-10 of the GDPR.
Regardless, the data controller remains liable for the compliance of the data processing. To this extent, the GDPR rules can be considered a regulatory restriction on outsourcing. If business processes that include personal data processing can be outsourced only as long as GDPR compliance is provided, the security of the outsourcing arrangement is not only a business issue, it is a legal obligation. Failures may result in legal consequences, including the administrative liability of the outsourcer.
It is worth mentioning that the institution of data entrustment under the GDPR – a controller to processor (C2P) relation – might be somewhat over-applied in the Polish market versus a controller to controller (C2C) relation. Distinguishing between the two may cause difficulties. Over-application means that a relation is classified as C2P when it is in fact C2C.
The Act on the National Cybersecurity System
While the Polish Act on the National Cybersecurity System (the implementation of the NIS Directive), setting up a national framework for the cybersecurity of the provisioning of key services in the economy, may not include provisions directly regulating outsourcing (apart from the outsourcing of certain cybersecurity functions), it cannot be omitted when potential regulatory outsourcing restrictions are discussed.
Key service providers (ie, banks, the stock exchange, fuel or energy distributors) are obliged to ensure the cybersecurity of IT systems utilised for providing key services. Outsourcing arrangements may be part of IT systems or a cybersecurity supply chain. If they are, key service operators have to include them in their overall risk assessments as well as make sure that the arrangements (ie, suppliers, provided services, etc) are carried out in line with standards and requirements set by the Act.
Again, the character of the restrictions is similar to that in the GDPR. Outsourcing itself is absolutely admissible as long as security and compliance with regulations are ensured.
The Financial Sector
The restrictions on the financial sector result from both EU and local regulations. The latter, combined with the very strict and conservative approach of the Polish FSA, create a unique environment for outsourcing in the Polish financial sector.
Outsourcing regulations in the financial sector not only set standards or requirements but can be directly considered as restrictions; eg, limiting the scope of functions that can be outsourced and the length of supply chains.
The financial sector has its own extensive and restrictive industry-specific regulation on outsourcing, only partially due to EU regulations. Harmonisation levels vary depending on the specific branch. It is definitely stronger in the investment firm sector, where outsourcing rules are set by MiFID II (the Markets in Financial Instruments Directive (2014/65/EU)) and its delegated regulation – the Commission Delegated Regulation (EU) 2017/565 of 25 April 2016, supplementing Directive 2014/65/EU of the European Parliament and of the Council as regards organisational requirements and operating conditions for investment firms and defined terms for the purposes of that Directive. Conversely, for the banking sector, the CRR/CRD regulations, the constitution for banking activity within the European Union, barely touch the issue and local regulations prevail.
In addition, the Polish FSA remains very active in regulating and supervising the outsourcing market and practices in the financial sector, with particular attention to the banking sector. This results in specific local regulations, including the Communication from the Polish FSA on information processing by supervised entities using public or hybrid cloud computing services, with a significant impact on the outsourcing landscape. Local regulations and the regulatory approach are, in most cases, more restrictive and go beyond EU regulations. It suffices to mention that, in accordance with the Polish FSA’s position on cloud outsourcing, the communication outlines the national approach to cloud-based outsourcing of information processing for the financial sector (a reference model); therefore, the guidelines, recommendations and any other documents outlining the position of the European Banking Authority, the European Insurance and Occupational Pensions Authority and the European Securities and Markets Authority which pertain to public or hybrid cloud computing do not apply to the supervised entities in that respect.
Due to the above-explained conditioning and circumstances, implementing outsourcing arrangements in the Polish financial sector seems more complicated and challenging than is the European average. Thus, legal and regulatory advice is crucial.
Key Restrictions of the Regulations
Below are the key regulatory restrictions and concerns that apply in financial sector outsourcing arrangements.
Management functions entrustment
One of the key aims of outsourcing regulations is to prevent financial institutions from outsourcing functions that could constitute management of the institution. The wording of the stipulations differs across regulations, though the aim remains unchanged; eg, the Polish Banking Law clearly forbids outsourcing functions that constitute bank management ("the entrusted operations... cannot include bank management... particularly the management of risk related to conducting the business of banking, including assets and liabilities management, the assessment of creditworthiness and credit risk analysis"). This is generally in line with the provisions and general idea set by the EBA Guidelines EBA/GL/2019/02 on outsourcing arrangements.
What might make a difference is the regulatory and supervisory practice, as well as the interpretation applied by the local regulator.
The most controversial specificity of the Polish outsourcing regulations in the financial sector is the restriction on the outsourcing supply chain. Whilst it may vary depending on the branch, in general only one level of sub-outsourcing is admissible. Sub-providers cannot engage sub-sub-providers for entrusted services. Engagement is mainly qualified as access to the data entrusted by a financial institution.
Such restrictions significantly complicate outsourcing processes. This is particularly problematic in cloud computing outsourcing as a typical IaaS arrangement with a global supplier usually entails at least two levels of outsourcing: the main supplier and its sub-processors. Furthermore, the typical SaaS establishment for a supplier that rents cloud infrastructure for its own services entails at least three levels: the direct SaaS supplier for a financial institution, its IaaS supplier and the IaaS supplier’s sub-providers.
The market has been seeking changes for years. At the time of writing, a proposal for amending the Polish Banking Law, which would allow for extensions of the current supply chain length, is being processed at government level.
As a rule, outsourcing arrangements constitute a legal basis for the disclosure of sectoral secrecy (including banking, investment and insurance secrecy). The entrustment of processing of data covered by sectoral secrecy is at the same time one of the key factors deciding whether a specific relation is recognised as regulated outsourcing. Thus, in principle, data covered by sectoral secrecy cannot be disclosed to an external provider other than under regulated outsourcing.
Regulations differ across the financial sector; however, the Banking Law contains specific provisions (restrictions) on the limitation of an insourcer’s liability. The liability of an insourcer towards the bank for damage caused to customers and arising from the non-performance or improper performance of the outsourcing agreement cannot be excluded or limited. Stipulations reflecting the Banking Law provisions must be included in outsourcing agreements, which usually causes concern for the supplier.
As mentioned, the Polish FSA decided to establish its own local-specific regulation on cloud computing. It is a set of detailed rules on:
As Poland is a member of the EU, most Polish law is harmonised with the rest of the EU. This applies to data flows, where the GDPR is the main regulation concerning the export of data beyond the European Economic Area.
The Schrems II judgment of the European Court of Justice set a high threshold for exporting data and, in particular, for using cloud services originating from the USA. As mentioned, the practical impact of Schrems II seems limited. However, it has implied the necessity of encrypting data in transit.
The Polish Ministry of Digitisation issued a white paper called “National Cybersecurity Standards. Cloud Computing Cybersecurity Standards” v 1.00 in February 2020, according to which public administration systems processing limited access data should not be placed beyond Polish jurisdiction. This seems loosely correlated with state secrecy regulations, as information covered by state secrecy needs to be processed via providers and infrastructure certified for security by the Polish National Security Agency.
A separate area is the financial sector, where the GDPR overlaps with sectoral regulations covering data secrecy. See 2.2 Industry-Specific Restrictions.
The key regulation on data security that stipulates penalties for non-compliance in data processing, including data breaches, is the GDPR. The GDPR covers liability of both outsourcing arrangement parties – outsourcer and insourcer. In accordance with the GDPR, both the data controller and data processor may be found liable and fined for GDPR infringements. Depending on the severity of a breach, the total amount of a fine may be up to EUR10 million, or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher, or up to EUR20 million, or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Sector-specific penalties in the financial sector are concentrated on the outsourcer rather than the insourcer. It is outsourcers that are primarily responsible for the compliance of outsourcing arrangements. Some regulatory actions may impact the insourcer; for instance, if the regulator orders a supervised entity to terminate, limit or otherwise amend the outsourcing arrangement based on its supervisory powers.
Since the GDPR's entry into force, most contracts follow the requirements of its Article 28. After the European Commission adopted the new Standard Contractual Clauses, a further standardising and levelling up to the new SCCs, both in intra-EU data processing and data export, is expected.
The usual protections used in contracts, on top of Article 28 requirements, are:
Further detailed requirements may result from sector-specific regulations that an outsourcer falls under.
First is the National Cybersecurity System Act, implementing the NIS Directive in the Polish legal system. The Act requires certain enterprises providing key services in the economy (key service operators) to provide security for the IT systems that key services rely on. Insourcers providing services to key service operators may expect outsourcers to intensify their security-level expectations towards them if the services they provide impact the provision of key services.
Second is outsourcing in the financial sector. Here, insourcers may expect the obligation to provide extended declarations on the information security systems they apply, including specific control mechanisms such as secure authorisation mechanisms (MFA), systems monitoring, business continuity and data separation. This is the outcome of very detailed, case-specific regulations on IT security applicable in the sector, both local and European.
In Poland, typical outsourcing arrangements are based on the entrusting of functions and external services provisioning. Outsourcing arranged on the basis of existing employee transfers to separate entities or dividing a business is less popular among local enterprises.
Other than service provision, contract models are, on the whole, less common in Poland. Sometimes, capital groups decide to establish shared service centres to save costs and develop common practices, standards, experience and knowledge in certain outsourced areas (eg, IT, accounting, HR). Usually, it is then easier to establish compliant outsourcing arrangements than choose external providers; however, the usual regulations still apply.
Poland is one of the leading destinations for global corporations to locate their shared services centres. There were an estimated 338,000 people working in 1,500 centres in Poland in 2020 according to a report by ABSL. Some 12% of those 338,000 are foreigners and Polish SSCs provide services in 38 languages. Poland is becoming less of a cheap workforce country, but at the same time is building upon its provision of quality services and business continuity.
At the time of writing (October 2021), Poland is adopting significant changes in the personal income tax system. However, it seems that the SSC sector will not be affected.
International outsourcing agreements are usually based on English law and are enforceable in Poland. Similar to English contracts, Polish law-based outsourcing contracts tend to regulate the potential consequences of different scenarios. One of the reasons for this is that the Polish Civil Code provisions on services are poorly formulated.
There is a specific provision of Polish contract law which cannot be changed. According to Article 750, in conjunction with Article 746, of the Polish Civil Code, a services agreement which is not specifically regulated (which applies to outsourcing agreements to a large extent) may be terminated by either party “for important reasons”. Where “important reasons” are legitimate, the terminating party is not liable for damage resulting from the termination.
This is a double-edged sword but, in practice, the customer might benefit from such a “nuclear” option more than the provider. The parties are not allowed to derogate from the right to terminate the contract for services for “important reasons”. It is formally forbidden by Article 746 Section 3 of the Polish Civil Code.
In outsourcing, a contract will usually set forth when it may be terminated by either party. See 4.1 Customer Protections.
Polish contract law provides for liability only for direct loss. According to Article 361 Section 1 of the Polish Civil Code, only losses stemming from “normal” consequences of the debtor’s act are recoverable. This is “an adequate causal link” and it corresponds to “direct loss”. Within normal consequences (direct loss), the debtor is liable both for actual loss and for loss of profit. It is worth noting that Polish lawyers rarely understand the terms “direct” and “indirect loss”.
Several regulations define the shape of outsourcing contracts, including the GDPR and sector-specific regulations; see 2. Regulatory and Legal Environment.
The Polish Labour Code implements the European legislation on transfer of undertakings and protection of employment (TUPE) into Polish law. The aim of these provisions is to protect employees’ acquired rights and maintain the stability of employment in the case of transfer of undertaking (or part thereof). The main rule is that once there is a transfer of undertaking, the employees are automatically transferred to the new employer, without the need to conclude new employment relationships. The employment conditions basically remain the same. An important rule is also that the old and new employer are jointly and severally liable for liabilities that arose under employment relationships prior to the transfer.
The TUPE regulations may be applicable to outsourcing where, eg:
In order to ascertain whether TUPE regulations apply, it is necessary to take into account all aspects of a case. A key factor is to define whether or not an undertaking will be transferred as a result of implementing or changing outsourcing arrangements. Typically, assets are transferred as part of the undertaking; however, maintaining the identity of the organised part of the business is decisive.
A works council (if present) may need to be consulted, eg, when an employer is considering activities that may cause significant changes in the organisation of work or the basis of employment. This may include implementing outsourcing arrangements. Typically, trade unions (if present) do not need to be informed, unless they ask for specific information relating to the above. In this case, they must be informed within 30 days from the employer receiving a request for information.
Whenever a transfer of an undertaking occurs, triggering TUPE regulations, trade unions (if present) must be informed by both employers in writing about the expected date of the employees’ transfer, and its reasons, legal, economic and social consequences for employees, as well as intended actions regarding the terms of employment. Where there are no trade unions, individual employees must be informed.
If the parties agreeing to an outsourcing arrangement want to trigger the transfer of employees pursuant to TUPE regulations, it often happens that they conclude a separate agreement regarding the latter. However, it is important to remember that TUPE regulations may apply automatically and irrespective of the will of the parties. For this reason it is very important to appropriately structure the contemplated outsourcing from a legal perspective. This would be to ensure legal certainty in the transaction. Service-based outsourcing, as opposed to outsourcing involving the voluntary transfer of employees, currently seems to be a more popular option in Poland.
Asset transfers for purposes related to the outsourcing of functions, more common in the past, are rather rare today in the Polish market owing to the developed market of external outsourcing services. Outsourcers do not need to transfer their assets as the external services and teams are widely available. It is more common that the functions are simply outsourced as a service and internal resources cut if necessary and possible. Thus, asset transfers are more an M&A subject than an outsourcing one.
Nevertheless, if an outsourcer and insourcer decide to establish an outsourcing arrangement based on asset transfer, it would probably entail the separation of an organised part of the enterprise. From a private law perspective, in general, the freedom of contract rule applies, so the parties can freely decide what to transfer. Additional regulations may apply, mainly if the transfer covers employees (employee transfers in accordance with the TUPE Directive) or licensed regulatory activity; eg, banking.