There has been increased focus among Albanian companies on strengthening their IT functions and services. Digital transformation efforts in Albania in recent years have been mainly influenced by the operational challenges encountered following COVID-19 restrictive measures and by the need to adopt alternative ways of conducting business at the time. Some of the pandemic-influenced actions, as reported by many businesses, include the increased use of videoconferencing platforms and a tendency to opt for virtual instead of face-to-face meetings. New technologies and platforms were also adopted in order to manage work processes, projects and teams entirely remotely.

Furthermore, digital transformation has influenced government processes and the services provided by public institutions in Albania. Currently, the e-albania.al platform acts as a central portal enabling individuals and companies to access and utilise electronic services offered by public institutions. However, the integration of technology in day-to-day business processes implies the need for stronger information security measures, as well as a robust understanding of the legal framework and compliance requirements – mainly with regard to privacy and cybersecurity.

Based on the data reported by the Albanian Investment Development Agency (AIDA), the predominant outsourced functions in the ICT–BPO sector in Albania include activities such as data entry and customer service/call centres. However, based on the same reported data, it is worth noting that the Albanian ICT–BPO sector has been progressively broadening its range of services and therefore reaching clients operating in more complex sectors, such as software development, blockchain technologies, and cybersecurity. This expansion can be attributed in part to the digital transformation efforts undertaken by Albanian businesses in recent years (see 1.1 IT Outsourcing), as well as the actions of visionary Albanian entrepreneurs seeking new larger markets in which to grow their businesses.

The use of advanced robotics technologies such as AI and machine learning is still in its infant stages in terms of integration with day-to-day business processes in the Albanian market. However, as discussed in 1.1 IT Outsourcing, there has been a significant upward trend regarding the use of videoconferencing, chatbots, cloud services, and other platforms and technology solutions that facilitate remote work processes. Additionally, based on the data reported for 2023 by the Albanian Institute of Statistics, cloud services were used for work purposes by 22.9% of companies with access to the internet.

Certain incentives are currently applicable to IT businesses, including a reduced profit tax rate of 5% for companies producing or developing software. Foreign citizens employed in Albanian IT companies also have the right to reside and work in Albania for a period up to one year without a unique permit (ie, the document enabling foreign citizens to stay and work in Albania legally).

As regards blockchain and cryptocurrencies, Albania implemented Law No 66/2020 on financial markets based on distributed ledger technology (the “DLT Law”) in 2020. The DLT Law is the main legal act regulating the issuance of digital tokens/virtual currencies, as well as the licensing, monitoring and supervision of entities involved in related activities – for example, digital token agents, innovative service providers, and automated collective investment undertakings.

However, despite the implementation of specific legislation governing DLT, the sector is still underdeveloped. This is mainly due to the tendency of individuals and businesses in Albania to opt for conventional transaction methods. The slow adoption of smart contracts and virtual transactions in general may be also attributed to the lack of coherence and/or the existence of traditional provisions within different laws. By way of an example, the Albanian Civil Code requires a “written” and/or notarial form for certain transactions (eg, transfers of immovable property), which creates obstacles preventing companies from using blockchain solutions and technology in the booming Albanian real estate market.

The adoption of the Law No 55/2020 on payment services, which partially transposes the revised Payment Services Directive (PSD2), has brought significant developments in the fintech industry. Several e-money and fintech start-ups are now licensed and operating in the Albanian market. In addition, the recent developments in the fintech industry have also encouraged traditional banks in Albania to invest in building and maintaining their own digital banking platforms and incentivise users to opt for “cashless” transactions.

In addition to the reported data indicated in 1.2 Business Process Outsourcing (BPO), several businesses in Albania tend to outsource other operational functions, such as accounting and legal services, IT functions and HR, as well as marketing and advertising services.

Generally, Albanian legislation does not explicitly limit or directly prohibit IT outsourcing and technology transactions. However, certain rules and restrictions are imposed on outsourcing by the applicable sector-specific legislation, depending on the industry and the respective regulatory authority – for example, in the insurance, banking and finance sectors.

Nevertheless, such sector-specific regulations are not designed to impede or discourage companies from outsourcing particular services and functions. Instead, these rules establish a framework for compliance strictly for the purposes of regulatory oversight and impose limitations on the outsourcing of certain types of business functions that pose a higher degree of risk, considering the nature of the specific sector and customer protection obligations. Moreover, there are certain instances within the financial sector regulatory framework that explicitly provide the option for companies operating in the relevant field to outsource certain operational functions, including (but not limited to) IT, marketing, accounting and legal services – subject to the fulfilment of certain conditions and regulatory requirements.

When it comes to outsourcing of products and services by public institutions, the rules set forth in the public procurement legislation with regard to contracting procedures apply.

Another important aspect of the regulatory environment impacting the outsourcing industry is privacy and personal data protection legislation. The personal data protection legislation imposes relevant compliance obligations to the parties engaging in personal data transfers and data processing in general. There are certain important aspects businesses must pay attention to when engaging in technology transactions and outsourcing contracts, including:

• reporting to and/or consultation with the Information and Data Protection Commissioner;
• obtaining the necessary approval(s) in certain cases of cross-border data transfers;
• drafting and signing data processing agreements; and
• complying with the transparency and accountability requirements as set forth in the personal data protection legislation.

Additionally, in terms of employment law provisions, an employer must obtain the employee’s consent in case of assignment to another employer and the initial employment contract remains valid in such cases (see5. Employment Matters for more detail). The employer must also ensure that the same working conditions apply for employees performing the same tasks. Joint liability may apply to employers in terms of compliance requirements with health and safety standards.

As discussed in 2.1 Restrictions on Technology Transactions or Outsourcing, insurance, banking and financial services in Albania are heavily regulated sectors, with a number of regulatory and compliance obligations set forth by the relevant legal framework. The primary regulatory and supervisory authorities in these sectors are the Bank of Albania (BoA) and the Albanian Financial Supervisory Authority (AFSA).

Outsourcing is a common and established practice among banks and financial institutions in Albania, providing the opportunity to cut costs and improve efficiency across business operations. However, certain requirements must be fulfilled by these companies for outsourced activities, including:

• periodic reporting obligations to the relevant supervisory authority;
• necessary prior approvals from the supervisory authority depending on the functions intended for outsourcing; and
• enhanced vigilance in terms of AML requirements.

Furthermore, the outsourcing of specific functions within the insurance, banking and finance sectors does not imply a transfer of liability to third parties. As an important principle enshrined in the aforementioned sector-specific regulatory frameworks, such institutions have the responsibility to ensure that the outsourced services and activities are conducted in accordance with the applicable legal provisions.

In addition, there are instances in which sector-specific regulations forbid and limit the outsourcing of specific critical functions of financial institutions – for example, the AFSA Regulation No 16, dated 28 February 2023, on the exercise of operational activities of investment firms and banks providing investment services (which enters into force on 1 January 2024). This regulation explicitly prohibits investment firms from outsourcing functions related to compliance, AML and risk management.

The Law No 2/2017 on cybersecurity (the “Law on Cybersecurity”) provides enhanced obligations to be fulfilled by critical information infrastructure operators and important information infrastructure operators. Private companies providing critical and important information infrastructures – as defined in the Decision of Council of Ministers (DCM) No 553, dated 15 July 2020, on the approval of the list of critical information infrastructures and the list of important information infrastructures, as amended (the “DCM 553/2020”) – are obliged to implement at least the minimum levels of information security requirements approved by the National Authority for Electronic Certification and Cybersecurity, which controls the implementation of security measures by operators of critical and important information infrastructures.

The list provided in the DCM 553/2020 includes private operators from the energy sector, banking and finance, digital services, and the aviation sector. The Law on Cybersecurity provides for the obligation of such operators to ensure that all applicable information security requirements are also implemented by their subcontracted third parties (ie, outsourced functions and service providers).

Despite the sector-specific limitations and other applicable regulatory requirements (data protection, AML, cybersecurity, etc) imposed on certain types of business, there aren’t any applicable direct restrictions on outsourcing or technology transactions per se in Albania.

The data protection legal framework in Albania is currently undergoing significant changes. The new law on personal data protection, which will fully transpose the EU’s General Data Protection Regulation, is expected to be adopted within the upcoming year (as of September 2023). The currently in force Law No 9887, dated 10 March 2008, on personal data protection, as amended (the “Data Protection Law”) – along with the complementary decisions, instructions and guidelines issued by the Information and Data Protection Commissioner (IDPC) – already provides a set of extensive rules that data controllers are obliged to comply with.

The processing of personal data needs to be carried out with utmost diligence, considering the sensitive and personal information processed within the ambit of outsourcing IT business functions. The implementation of applicable legislative acts is monitored by the IDPC, the authority responsible for the protection of personal data, in line with the provisions of the Data Protection Law.

The Data Protection Law provides for specific transparency and accountability obligations on data controllers and processors, as well as for the rights of the data subjects. Some of the data controller’s obligations include:

• the obligation to notify the IDPC regarding its processing activities;
• the obligation to notify the data subject prior to the start of processing; and
• the obligation to establish and maintain the necessary technical and organisational measures pursuant to the provisions of the Data Protection Law and the Decision of the IDPC No 6, dated 5 August 2013, on the establishment of detailed rules for personal data security, which provides for the data controller’s obligation to draft and approve several regulations regarding data security measures.

The Data Protection Law also provides for specific obligations on data controllers when engaging in cross-border data transfers. As a rule, any cross-border transfer of personal data may be carried out only with recipients from countries which have an adequate level of personal data protection. The level of personal data protection for a specific country is determined by the IDPC’s assessment of:

• all circumstances related to processing;
• the nature, purpose and duration of processing;
• the country of origin and final destination; and
• legal provisions and security standards in force in the recipient state.

The Decision of the IDPC No 8, dated 31 October 2016, on determining the countries with a sufficient level of protection of personal data provides the list of countries that the IDPC has concluded provide an adequate level of personal data protection. As an exception to the general rule, any cross-border data transfers to countries without a sufficient level of personal data protection may only be carried out under certain conditions outlined in the Data Protection Law.

Under Article 39 of the Data Protection Law, failure to comply with such obligations is punishable by fines calculated on the basis of the severity and type of violation.

In Albania, there is currently no standard model contract tailored specifically for outsourcing transactions. Nonetheless, the prevailing and widely adopted contract type in such scenarios is the service contract, which is typically drafted in accordance with the stipulations outlined in the Albanian Civil Code.

However, the choice of contract model can vary depending on the complexity of the outsourced service and the mutual understanding and specific arrangements of the parties involved. Common industry-standard models – including service-level agreements primarily used in IT and BPO arrangements, as well as build-operate-transfer (BOT) agreements commonly applicable to complex and long-term infrastructure projects – may be applied based on the nature of the outsourcing engagement.

Furthermore, the pricing structure is subject to negotiation. Parties may opt for either a fixed pricing model or a time and materials pricing model, conditional upon the mutually agreed business terms and the unique circumstances of the arrangement. In certain instances, it is also possible for a contract to incorporate elements from the various contracting models mentioned here, while simultaneously including any sector-specific requirements (see 2.2 Industry-Specific Restrictions).

In Albania, the adoption of alternative, more complex contracting models – such as multi-sourcing contracts, which require enhanced co-ordination capacities – is not very common. This is down to the size of the market and the simple organisational structure of most Albanian businesses.

The use of joint venture agreements for outsourcing purposes is not a market practice in Albania. Joint ventures are regulated by the provisions of the Albanian Civil Code (Articles 1074–1112) and constitute a form of unlimited partnership, which may be entered into by two or more persons, individuals or legal entities aiming to engage in an economic activity or project and to divide costs and profits as per mutually agreed terms. The partners are liable to meet the obligations and make the contributions defined in the executed agreement. They are also jointly responsible for fulfilling the obligations imposed by the legal provisions and their agreed terms.

In Albania, the primary reason for outsourcing specific business functions is typically cost reduction. Consequently, it is unusual to see joint venture agreements being used for outsourcing transactions. Most businesses entering into outsourcing contracts within the Albanian market generally opt for full delegation of these functions to third-party providers, to the extent permitted by the sector-specific regulations.

However, there may be specific circumstances in which joint ventures might be used for outsourcing transactions – depending on the nature of the outsourced service or project, as well as the mutually agreed terms between the client and service provider. By way of an example, joint ventures may be utilised where there is a need for close collaboration between the client and the contracted service provider in order to develop a specific product or jointly implement a project.

Owing to the trending digital transformation actions carried out by businesses, there has been an increase in contracting cloud computing and IT services, which typically implies the adoption of more sophisticated contracting models than the standard service agreement/contract. These contract models typically include extensive provisions on service levels, communication between the parties for facilitating timely delivery of services, continuity, testing and acceptance, IP, liability and penalties, warranty, data protection and information security, etc.

One of the most common challenges frequently encountered in technology transactions or outsourcing agreements is the lack of a customised contract draft – tailored to meet the specific demands and operational needs of the client – provided by the service provider. In numerous cases, it may be difficult to negotiate certain terms of the draft contract with service providers, especially in the case of ICT services. This reluctance to negotiate from the service provider side can pose significant challenges for the client party, thereby hindering their ability to incorporate important contractual provisions that safeguard their interests and ensure the uninterrupted and timely delivery of services.

Additionally, on account of the increased focus on privacy and information security requirements, the contracting models adopted for technology transactions generally contain extensively elaborated provisions concerning the technical and organisational measures in place by the service provider. They often also contain a detailed description of the rights and responsibilities of both parties involved in the transaction.

The most commonly applicable customer protections in outsourcing contracts include:

• the provision of detailed and tailored service levels and performance standards to be fulfilled by the service provider;
• liability, indemnity and penalty clauses in case of non-performance;
• suitable warranties applicable to the specific nature of the service and type of service provider;
• a termination for convenience clause;
• a clear and precise definition of force majeure events;
• a detailed description of technical and organisational measures to be fulfilled by the service provider in terms of privacy and information security; and
• limitations on the service provider subcontracting the services (where necessary).

In accordance with Albanian law, the contractual parties enjoy the right to freely establish particular conditions and events that would lead to the termination of the contract, within the limits set by the legislation in force. Generally, in outsourcing contracts, the customer/client party will negotiate the inclusion of some or all of the following as grounds for termination (as applicable):

• if the service provider does not provide the required services within the mutually agreed timelines;
• if the service provider does not provide the required services pursuant to the quality and specifications mutually agreed by the parties;
• if the service provider does not fulfil any of the privacy and/or information security technical and organisational measures identified in the contract;
• in the case of force majeure events, as defined in the relevant contract;
• if the service provider fails to duly inform the customer in cases where it has the obligation to do so pursuant to the agreed contractual terms;
• in the case of subcontracting of services where such subcontracting is not allowed based on the contract provisions;
• a termination for convenience clause;
• in the case of change of control of the service provider; and
• other conditions and/or events agreed by the parties on a case-by-case basis.

On the other hand, the service provider will typically negotiate the inclusion of some or all of the following as grounds for termination (as applicable):

• if the customer fails to make the payments for the services as agreed in the contract;
• in the case of force majeure events, as defined in the relevant contract;
• if the customer fails to duly inform the service provider in circumstances where it has the obligation to do so pursuant to the agreed contractual terms;
• if the customer fails to provide the necessary assistance and cooperation for the fulfilment of the services, in line with the agreed contract provisions;
• a termination for convenience clause; and
• other conditions and/or events agreed by the parties on a case-by-case basis.

The parties may decide to include termination with or without prior notice, or in some cases both, depending on the type of contract violation specified in the contract. Additionally, in some cases, the parties may mutually decide to terminate their contractual relationship, as well as decide to offset and/or cancel any outstanding obligations arising as a result of their contractual arrangement (as applicable).

The customer’s rights upon termination of the contract will typically vary, depending on the agreed contractual terms. However, some of these rights may include:

• seeking any compensation due for payment based on the liability, indemnity and/or penalty clauses;
• seeking the fulfilment of the obligations by the service provider; and
• seeking compensation for damages and loss of profit where applicable.

In line with the contractual freedom provided in the Albanian legislation, the types of losses for which a party may or may not be held liable – as well as the definition and types of direct and indirect loss – will be typically negotiated and agreed by the parties involved. It is common market practice for the parties to negotiate for the inclusion of limitation of liability clauses and liability caps with regard to direct losses, to the extent permitted by the applicable regulatory framework. However, if the parties have not agreed on specific provisions outlining their liabilities, the provisions of the Albanian Civil Code will be applicable should the parties decide to seek compensation.

In principle, any terms concerning technology transactions or outsourcing contracts are negotiated and mutually agreed upon by the parties based on their contractual freedom, industry standards and market practice. However, if the parties have not specifically addressed certain aspects of their contractual arrangement, the provisions of the Albanian Civil Code shall apply. Additionally, in cases where certain regulatory and compliance obligations apply to the customer and/or service provider as a result of the sector-specific legislation, such provisions and regulatory compliance requirements will apply regardless of the contractual arrangements between the parties.

In terms of data protection, the parties are required to enter into a separate data processing agreement. This agreement defines their respective rights, obligations and liabilities to the extent permitted by the Data Protection Law.

As regards cybersecurity, apart from the sector-specific requirements outlined in 2.2 Industry-Specific Restrictions, the parties will generally include in the contract the specific technical and organisational measures that must be fulfilled by the service provider during the provision of the services.

Notwithstanding the liabilities defined by the applicable regulatory framework, the parties will typically include indemnity clauses. These become crucial in cases of third-party claims – for example, those deriving from data breaches – and offer a layer of financial protection to the parties, especially the customer side.

In typical outsourcing contracts, and especially in technology outsourcing, customers often seek to negotiate and include contractual clauses that enable them to effectively evaluate and measure the performance of the service providers. These clauses commonly include the following two aspects.

Service Levels

Service-level agreements aim to establish clear expectations regarding the quality and efficiency of the services provided. This includes the definition and detailing of key performance indicators (KPIs) such as response times and error rates. These serve as measurable benchmarks against which the service provider’s performance can be assessed.

Detailed Communication Procedures

Customers will generally negotiate the inclusion of robust communication procedures for monitoring the transparency and accountability of the service provider throughout the outsourcing partnership. These procedures will generally stipulate how and when progress updates, reports, and meetings should occur – thereby enabling customers to stay informed about the service provider’s activities, address any concerns promptly, and ensure alignment with their objectives and the purpose of the contractual arrangement. By incorporating these contractual provisions, customers can proactively monitor, manage and evaluate the service provider’s performance and progress in the provision of agreed services.

The same contractual provisions will generally also apply for cloud-based services. However, certain provisions such as data recovery and back-up plans take on enhanced importance due to the special nature of cloud infrastructure. Robust data recovery mechanisms, disaster recovery plans, and comprehensive back-up strategies become crucial – not only for the purpose of ensuring compliance with the applicable regulatory framework, but also for ensuring data integrity. Additionally, data portability provisions gain added significance in the cloud environment, given the flexibility with which data can be stored and accessed across various cloud-based platforms.

Considering that the Albanian Civil Code governing the contract lays out the general contractual principles and the sector-specific legislation rarely addresses contractual provisions, the local market benefits from the international experience in contract drafting by limiting the input only into ensuring compliance with the Albanian Civil Code principles. Technical aspects are defined based on international best practices.

The assignment and transfer of employees are specifically regulated in Chapter 13 of the Albanian Labour Code. Article 137 of the Albanian Labour Code stipulates that, in the event of an employee being reassigned to a different employer, the original employer must obtain the explicit consent of the employee. It is crucial to note that the original employment contract with the initial employer retains its legal validity even when such assignment occurs. Moreover, the original employer would still be responsible for ensuring that employees who undertake similar job responsibilities are provided with the same working conditions following assignment to the new employer.

Furthermore, both employers may share liability concerning compliance with health and safety standards. This means that both the original employer and the new employer who receives the reassigned employee could be held jointly liable for non-compliance with the health and safety regulations, as well as other obligations towards the employee.

Apart from the explicit consent requirement described in 5.1 Employee Transfers and the consultation requirements provided in the Albanian Labour Code in cases of partial or complete business sales, as a general principle, the employer is required to have regular communication at least once a year with employee representatives (either any existing union representative or a representative appointed by employees). Such communication should cover the current and future activities of the company, its financial status, and employment relations. Additionally, before deciding on matters that could significantly impact work organisation and employees’ legal status, the employer must notify employee representatives and engage in discussions with them about the rationale behind these decisions, their legal, economic, and social implications for employees, and any measures to reduce or mitigate these effects.

The decision to obtain services onshore, offshore or nearshore would normally depend on certain factors, including the financial capabilities of the business customer, the specific service characteristics required, and the strategic objectives of the business customer. Although there is no publicly accessible data on this matter, it is worth noting that larger organisations such as banks tend to make contracting decisions based on a thorough analysis of cost and quality offered, rather than location preferences.

The Albanian Labour Code permits remote work, allowing employees to work from a location of their choice as long as they agree on the arrangements with their employer. Remote workers are entitled to the same working conditions and legal rights as on-site employees who perform similar duties and job responsibilities. Generally, the specific working arrangements would be agreed between the employer and the employee in the relevant employment contract.

It is worth noting that in Albania, it is a common practice among BPO service providers to contract self-employed individuals (as independent contractors) to offer their services remotely by means of service contracts entered into pursuant to the Albanian Civil Code provisions. However, it is also worth noting that Articles 12 and 21/2 of the Albanian Labour Code outline the fundamental characteristics of an employment arrangement. These include the provision of the work/service by the employee:

• for a definite or indefinite duration;
• under the employer’s organisation and instructions; and
• in exchange for a remuneration.

Considering the foregoing, as well as the lack of established case law in Albania differentiating between employees and independent contractors, this would impose a certain risk to the business provider. The Albania Labour Inspectorate could re-categorise certain independent contractor arrangements as falling within the definition of the employment relationship, resulting in possible administrative sanctions.

Furthermore, concerning data protection responsibilities, another challenge concerns the practice of monitoring remote employees using specific monitoring platforms, which would generally not be permissible under the Albanian data protection legislation. The IDPC has previously stated that relying solely on employee consent may be insufficient for justifying data processing, as employees are often in a less advantageous position within the employment relationship and this can compromise the validity of their consent. In situations where an employer finds it necessary to carry out monitoring of remote workers, they are obligated to perform a data processing impact assessment so as to thoroughly evaluate potential risks and threats to employees’ privacy.