Firstly, it should be noted that outsourcing is generally the most important method for companies to focus on their core business. By outsourcing all processes and activities that are not company-specific, know-how can be concentrated and used in a targeted manner. With increasing digitalisation and new technologies such as blockchain, cloudification, big data, data analytics and machine learning, the business environment needs to keep pace. The necessary and rapid evolution of technology is forcing companies to redefine, re-evaluate and ultimately digitise internal processes and workflows. This, of course, means considering the outsourcing of any processes that cannot be done in-house, especially in the area of IT or when it comes to IT-related issues.
Overall, it is clear that companies have by no means exhausted their outsourcing potential, despite the increased supply. Moreover, IT outsourcing has grown steadily across all company sizes in recent years and is expected to continue to grow significantly in the coming years.
The main reasons for IT outsourcing are to improve the quality of IT services offered, to modernise internal IT and to reduce IT costs. Interestingly, Austrian companies tend to prefer domestic service providers. When outsourcing abroad, neighbouring countries such as the Czech Republic, Romania, Poland or Slovakia are preferred. Local proximity offers greater flexibility in co-operation. However, the use of domestic or in-country service providers is becoming more common as the potential for cost savings diminishes.
As a rule of thumb, it has been shown that only those processes that are not specific to the company – ie, related to its core business – are outsourced.
Particularly in human resources (HR), the leading outsourced business processes are training management, operating HR systems and payroll. Applicant management and screening are also areas in which external providers are constantly involved. Here, technology is often used to exclude unsuitable applicants from the process as a first step. Applications, artificial intelligence (AI) and similar technologies can be used to filter out candidates who lack certain basic skills through keyword searches, or even to conduct an initial interview with a potential candidate.
The increasing demand for BPO is owed to the growing shortage of skilled labour and the problems associated with it: the growing demand for highly skilled workers, the lack of suitable junior staff and the loss of skilled workers. Added to this are issues such as demographic change and the need to support and integrate older employees. These circumstances also contribute to the outsourcing of business processes that require little or no knowledge of the specific company. Popular examples in this area are data protection officers, compliance officers, recruiters and similar positions.
In the market, service providers have significantly expanded their range of products and services, especially in the area of AI and cloud services. There has also been a significant increase in the number of start-ups with innovative solutions, offering customised products through increased flexibility and competitive prices owing to their size.
The HR sector, in particular, stands out when it comes to new technologies: AI providers promise that significant parts of HR management can be taken over by self-learning algorithms. AI solutions are also expected to be integrated into the following areas, in particular:
It is precisely the decision to terminate employment that is expected to save employers money. The supposedly objective personnel decisions made by AI are intended to reduce the risk of litigation over unjustified dismissals. The aim is also to avoid decisions based on the personal preferences of line managers and to counteract possible discrimination. However, the use of such technologies must respect the limits set by data protection and employee protection legislation. The legal boundaries in these areas are often grey, as they have not yet been conclusively clarified by the courts and will continue to evolve, as will the technical possibilities.
One of the most well-known examples for the use of outsourcing are call/customer service centres, where chatbots or other forms of AI are often used. More complex enquiries of the customers are passed on to ‒ often external ‒ agents.
In Austria, there is currently no cross-industry legislation specifically governing outsourcing practices. However, certain highly regulated sectors include provisions on outsourcing in their respective substantive laws; see also 2.2 Industry-Specific Restrictions.
In general, the applicable legislation depends on which business activities are outsourced; see also 4. Contract Terms. However, the outsourcing of entire business processes or even specific tasks to third parties may also be provided for by law, though this is more a matter for the public sector.
However, legal restrictions may relate in particular to data protection issues; see 2.3 Restrictions on Data Processing or Data Security.
As already mentioned in 2.1 Restrictions on Technology Transactions or Outsourcing, highly regulated industries in particular have their own legislation on outsourcing. This includes the entire financial services sector.
Financial Sector
There are special rules on outsourcing for payment institutions, insurance and securities companies, and credit institutions. For this sector, not only the national but also (above all) the European supervisory authorities are helpful: for example, credit institutions should refer to the European Banking Authority’s Guidelines on Outsourcing as a means of interpreting the legal provisions regarding the design of outsourcing projects.
It is important to note that service level agreements must be in writing. However, credit institutions must have sufficient resources to monitor the outsourced activities. Core banking activities – in particular, the deposit and lending business as well as final decisions – cannot be outsourced.
The risks associated with outsourcing arise primarily from the fact that IT functions – and therefore necessarily personal data – are outsourced to a third party. IT outsourcing means that the client relinquishes power and authority over the security of its systems and data to a third party, although it remains legally responsible for them.
Data Protection in General
The legal framework in the area of data protection is primarily outlined by the General Data Protection Regulation (GDPR). Austria has its own data protection law, which complements the European requirements. However, the main difference is that Austrian law not only protects the personal data of natural persons but also extends its protection to the personal data of legal persons.
Data protection law recognises different roles (“actors”) in the processing of personal data. This goes hand in hand with a clear division of responsibilities. During data processing, it must be clear throughout the process (ie, from collection to destruction) which role is assigned to each actor.
In particular, when personal data is processed through outsourcing practices, it is important to determine whether the service provider is acting as a processor or as a third party in terms of data protection law. In short, special attention must be paid to service providers acting on behalf of the outsourcing company or other persons authorised to process personal data. To address these and other relevant issues, specific data protection clauses are included in outsourcing contracts. In any case, it is important that the security of data processing by the provider be guaranteed. In the event of a data breach (eg, as a result of a hacking attack), the data protection responsibility lies with the responsible party – ie, the outsourcing company.
When outsourcing abroad, special care must be taken with service providers based outside the EEA. The level of data protection required by European and national law must be maintained and there must be no security gaps. Some non-EEA countries have been certified by the EU Commission as having an adequate level of data protection.
The NIS2 Directive
The new EU Cybersecurity Directive, known as NIS2, will impose mandatory security measures and incident-reporting obligations on many companies in certain sectors from October 2024.
Currently, the rules in force mainly affect critical infrastructure companies and digital service providers (online marketplaces, online search engines and cloud computing services). NIS2 will extend the scope to other sectors and require that certain risk-management measures be taken. In addition, there will be reporting requirements and the duty of governance bodies to oversee implementation, as well as liability in the event of non-compliance.
Regardless of the Directive’s implementation deadline of October 2024, an existing bill to implement NIS2 has not been adopted by the Austrian Parliament and has therefore not been implemented. Implementation is currently not expected to take place in time.
There is no standard outsourcing contract in Austria.
In classic outsourcing relationships, the customer rents specific services, usually also specifically designated (assigned to this customer alone) IT infrastructure and related (maintenance and support) services. This offers – and at the same time requires – flexibility in the design of the outsourcing project and the associated contracts. For this reason, the specific contracts vary from case to case as they are individually drafted and negotiated to meet the specific outsourcing requirements.
As general civil and company law rules apply, these must also be taken into account in the drafting and interpretation of contracts, liability and warranty. With respect to the specifics of licensing and other granting of rights, the Copyright Act, as well as other relevant principles of intellectual property law and the Unfair Competition Act, apply.
In general, alternative contract models are not widely used. As the services and agreements are usually very individual, the contracts are also customised. Special models in the form of joint ventures (JVs) are rather unusual, as they do not have an appropriate cost-benefit ratio. A JV may be set up where a supplier wishes to develop or market a product jointly with the customer, but this is quite rare.
Digital transformation has not yet led to a significant change in the contract models used in Austria. Although it can be observed that technology-savvy companies in particular are interested in using alternative contract models, such as smart contracts, in their day-to-day business, the legal issues associated with digitalisation have not yet been fully addressed in Austrian judicial practice.
Contractual warranties and liability provisions are an integral part of outsourcing agreements. This is to ensure that the outsourcing service provider performs its tasks with due care and qualified personnel, and in compliance with all applicable legal provisions, etc. However, in the business-to-business (B2B) sector, warranties may even be limited or excluded. When a warranty claim arises depends, of course, on the specific service owed. It is therefore important to precisely define the services to be provided.
Under Austrian law, the parties are generally free to agree on how long they wish to be bound by a contract and what termination periods should apply. This applies in particular to B2B relationships.
Fixed-term contracts end with the expiry of the term. It is quite common for contracts to contain clauses that provide for automatic renewal (for a predefined period of time) if neither party terminates the contractual relationship. If a contract is terminated by either party before the end of the term without good cause, a “contractual penalty” is often agreed.
Termination for good cause is always possible. What constitutes good cause can vary and ultimately depends on the individual case. These reasons are usually set out in the contract and are therefore predefined. In the context of outsourcing, these reasons may include poor performance by the provider, late payment, data protection breaches or similar.
In practice, it is important that the consequences of terminating the contract are also clearly defined. In particular, if certain internal processes are outsourced, the handover should be contractually guaranteed in order to ensure the smooth continuation of all other operations and processes.
Austrian law defines damage as an injury to someone’s property, rights or person. Claims for damages can be brought before the courts within three years from the date of knowledge of the damage and the party causing the damage. However, there is a general limitation period of 30 years.
A distinction is made between pecuniary loss and non-patrimonial damage.
A further distinction is made between:
The concept of implied terms is somewhat foreign to Austrian law.
If a party’s declaration of intent is doubtful, the so-called trust theory applies. According to this theory, a declaration of intent is to be interpreted as a bona fide recipient of the declaration would have understood it. In the event of disagreement between the parties, the literal meaning of a declaration in its ordinary sense must be taken into account first. If a subject is not regulated at all, Austrian statutory law ‒ the Austrian General Civil Code ‒ is usually used to fill the gap; it does not contain any specific provisions on outsourcing. Rather, outsourcing contracts have various elements of different types of contracts, such as contracts for services, leases or sales contracts.
Of course, contracts must always comply with the requirements of the GDPR. In addition, the following clauses are often included regarding the obligations of service providers:
Typically, the provider will contractually commit to certain technical cyber and data security measures. Outsourcing agreements primarily address the encryption of data in transit and data at rest. Typically, the parties agree on key performance indicators (KPIs) against which performance can be measured and reviewed. Repeated failure to meet KPIs is often agreed to be grounds for termination.
If the technology or outsourcing is a cloud-based solution, the general remarks on contractual terms and conditions still apply. However, depending on the specific contract, additional details regarding data security and the place of processing will be required.
Transfer of Operations
According to Article 1(a) of Council Directive 2001/23/EC, transfer of operations (Betriebsübergang) means any transfer of an undertaking, business or part of an undertaking or business to another owner as a result of a legal transfer or merger. In any case, the above Directive requires that an economic entity is being transferred, whereby this economic entity retains its identity – meaning an organised grouping of resources that has the objective of pursuing an economic activity, whether or not that activity is central or ancillary.
For the assessment, whether a transfer of operations has taken place, the following characteristics shall be considered.
In order for a transfer of entity to be qualified as a legally relevant transfer of operations, all characteristics shall be assessed individually as well as in their entirety. However, it is not required that all of those be fulfilled simultaneously; it is sufficient that a certain intensity and density threshold be exceeded. This should be assessed in each case individually.
As mentioned above, the entity at question must be transferred to a new owner. The legal grounds for the transfer or the conclusion of purchase agreements are equally irrelevant in this context as the ownership over the transferred assets. A new owner is to be considered, to whom the actual power of disposal over the entity in question and thus the essential employer functions have been transferred. The new owner shall thus have the actual power over the management and the organisation of the transferred entity.
From a labour law perspective, a transfer of operations is to be considered completed when the responsibility (ie, power over the management and organisation) for the entity in question is transferred to the new owner, irrespective of the conclusion of the underlying legal transaction. Since the transfer is not linked to the underlying legal transaction, the actual circumstances of the individual case are decisive. Therefore, neither the transferor nor the transferee could agree on an alternate point in time by which the transfer should be completed.
Legal Consequences
As a general rule, in the case of a transfer of operations, the new owner shall take over as employer with all rights and obligations of the employment relationship existing at the time of such transfer. The employees, however, may object to such takeover within a month if the new owner refuses to take over the collective bargaining agreement protection (kollektivvertraglicher Bestandschutz) or the company pension commitments (betriebliche Pensionszusagen). As a result of such objection, the employment relationship of the objecting employee will remain with the transferor in its prior form.
The new ownership may also lead to a change of the applicable collective bargaining agreement (Kollektivvertrag) or works agreement (Betriebsvereinbarung), following which the working conditions may also worsen. Should the worsening be of substantial character, the employees in question may terminate their employment relationship within one month from the date on which they became (or should have become) aware of that worsening. This termination is, however, subject to the periods and dates of notice stipulated by law or by the collective bargaining agreement. The employee shall be entitled to the same claims as would apply in the case of termination by the employer.
Outsourcing
As opposed to a traditional in-house operation, outsourcing entails the involvement of a third party outside the company (be it within the corporate group structure or outside it) for the purposes of handling operations or providing services for the company. From a labour law perspective, the process of such hiring-out may under certain circumstances (as mentioned above) be qualified as a transfer of operations.
If the outsourced tasks or field of activity represent an independent economic entity of the outsourcing company and the process is thus considered to be a transfer of operations, the legal consequences discussed above will also apply to such outsourcing. That means that the employment relationships of the employees employed in the transferred entity will also be transitioned to the new owner of the economic entity, whereby reference is made to special objection and termination rights of such employees.
Summary
The qualification of a process as a transfer of operations may only be made based on the circumstances of each case individually, whereby the extensive case law of the European and Austrian courts may provide a first point of reference.
Labour law rules governing employee transfers apply not only for traditional transfer processes but also, in certain cases, for outsourcing practices. The principle is simple: if the general requirements for the process to be qualified as a transfer of operations are met – irrespective of this process being an outsourcing – the consequences shall be the same as for traditional transfers.
As described in 5.1 Employee Transfers, the practice of outsourcing may be considered as a transfer of operations. In such case, the company owner has a duty to inform the workers’ council. Even if the plans of outsourcing may not be considered as a transfer of operations, outsourcing generally involves at least a change in the company’s operations, which also triggers rights of the workers’ council. Such a change in the company organisation already exists if the internal organisation (division into departments) and the regulation of responsibilities in the company (hierarchical structures) are changed.
In both cases, the owner of the company is obliged to inform the workers’ council of the planned changes at a time and in a manner that enables the workers’ council to:
The workers’ council must therefore be involved at a very early stage in the planning. It must be informed at a time when it is still possible to influence the design of the planned measures. The duty of the owner of the firm to inform the workers’ council therefore already exists at the beginning of the planning stage.
At the request of the workers’ council, the owner must consult with it on the design of the measures. The workers’ council may request that representatives of the competent body capable of concluding collective agreements (trade union and/or chamber of labour) also participate in the consultation sessions.
Therefore, in general and regardless of a transfer of operations, the workers’ council shall be given sufficient opportunity to submit proposals for the prevention, elimination or mitigation of consequences that may be detrimental to the employees.
There is no relevant information in this jurisdiction.
Austrian labour law currently defines the term “remote working” but does not impose any specific regulatory requirements. The legislature understands this to mean the performance of work at the residence of the employee or their close relatives or partners, or from any secondary residences.
Employees do not have a special right to work from home; rather, it must be agreed upon separately by the employer and the employee. Austrian law stipulates that such agreements must be concluded in writing. However, this is a non-sanctioning provision, because formal deviances do not lead to an invalidity of the agreement.
The employer must provide the required digital work equipment for employees who are working from home. The employee and employer may agree otherwise; however, the employer must bear at least the reasonable and necessary costs for the digital work equipment provided by the employee for the performance of the work. The costs can also be compensated at a flat rate.
A homeworking arrangement can generally be terminated by either party for good cause by giving one month’s notice up to the last day of a calendar month. The agreement may include a time limit and termination provisions.
From a practical point of view, it is important to note that the employer can also call the employee into the company at a time when they are working from home. The time spent travelling from their home to the office is then considered working time and must therefore be remunerated. When working from home, it should also be noted that the general working time regulations apply. Working time limits and rest periods must therefore be complied with. All health and safety regulations apply when working from home: the workplace must be state-of-the-art and meet ergonomic requirements. However, it is the employee’s responsibility to implement these.
In everyday working life, it is also important to comply with data protection and data security regulations when working from home. Employees should be informed about and trained in the proper handling of data and documents outside the office. Employees should be obligated to immediately report any data protection violations. Training on how to deal with possible cyber-attacks is also advisable.
Collective bargaining agreements (CBAs) should also be considered. These can provide for more favourable conditions for working from home. Whenever these CBAs are more favourable than the legal provisions, they take precedence over them.
This may concern the following points, in particular:
With regard to tax, it should be noted that the employer must disclose the days on which the employee has been working from home in the payslip. The employer must indicate the number of such days in the payroll account and in the payslip. In the payroll accounting, the employer can take into account up to 100 working-from-home days per year at a maximum of EUR3 per day – ie, a maximum of EUR300 per calendar year on a tax-privileged basis. Therefore, the number of days must be calculated and compared to the lump sum received. If fewer days were worked from home, the lump sum exceeding the amount of actual home office days multiplied by EUR3 must be treated as taxable by the employer.
One of the most significant developments of the past year was the Austrian legislature’s adoption of a new law on working from home: the so-called Telework Act (Telearbeitsgesetz). This law is due to come into force on 1 January 2025 and extends the existing provisions.
As mentioned above, the Austrian legislature has, so far, only defined telecommuting as working from home. The Telework Act extends this to actual telework – ie, working outside the employee’s home (eg, in a café, while travelling, etc). It also aims to harmonise the terminology used in labour and tax law, and clarifies that the employer is also obliged to provide digital work equipment or, alternatively, to grant a (flat-rate) reimbursement of costs in the case of telework (and not only in the case of home office).
It is important to note that previous homeworking arrangements remain valid in practice. Should a new telework location be added, this would need to be agreed upon again or in addition between the relevant parties. Therefore, if working from other locations in addition to working from home is not permitted, the existing homeworking arrangement must be adapted. If teleworking has already been agreed upon, the arrangement can continue unchanged.
Pfarrhofgasse 16/2
1030 Vienna
Austria
+43 019 195 656
+43 019 195 757
reception@arbeitsrecht.at www.arbeitsrecht.at