Data Act and SaaS: what SaaS vendors need to prepare for

If you are a customer of a SaaS service and wish to terminate your agreement, you now have an additional option via the right of termination provided for in the Data Act. I invite you to consult my article about this, as well as my dedicated page.

The Data Act has been in force since September 2025. This new European regulation aims to harmonise the access and use of data in the European Union. For SaaS vendors, this is not just a regulatory update: it is a profound transformation in how customer data must be managed, secured, and returned.

A few key points need to be integrated into your contracts and processes without delay.

The Data Act: a new framework beyond the GDPR

Unlike the GDPR, which focuses on personal data, the Data Act covers all data generated by your customers via your SaaS: logs, metadata, functional usage data, performance data. The aim is to extend the rights of access, portability and transparency to all this information, whether personal or not.

In practice, this means SaaS vendors must review their contractual documentation and internal tools to ensure that customer rights are respected, regardless of the type of data concerned.

Expanded right of access to customer data

The first principle of the Data Act is clear: customers must be able to easily access the data generated by their use of the service.

Your contracts must therefore specify:

what data is concerned (raw, aggregated, exportable),
the format in which it will be made available (legible, structured, interoperable),
the access procedure (on request, via a customer portal, API, etc.),
the deadlines within which data restitution is guaranteed.

This obligation extends the one already existing for personal data under the GDPR, but broadens it to cover all data. This requires adapting your internal processes and technical tools.

Strengthened portability and the end of vendor lock-in

The Data Act requires SaaS vendors to facilitate the switching of suppliers. For the concrete impact on SaaS contract termination, see my dedicated article.

Concretely, your terms and conditions must provide for:

data transfer methods (open formats, standards, interoperability),
data restitution deadlines (with a maximum of 30 days as set out in the regulation),
any costs (in principle, restitution is free of charge, except for clearly defined exceptions),
reasonable support for the customer during migration.

The aim is to avoid any vendor lock-in effect (contractual and technical) that would make it impossible or prohibitively expensive for a customer to leave. This requirement will require many vendors to adapt both their contracts and their technical architectures.

Interoperability and support

The regulation also insists on the need to ensure a reasonable level of support and interoperability. This means opening interfaces for data export and clearly documenting the APIs.

Your customers must be able to migrate to another SaaS without depending on bespoke developments or being blocked by proprietary standards.

Unfair terms prohibited

The Data Act introduces a straightforward rule: B2B contracts can no longer contain unbalanced clauses concerning the access and use of data.

The following are considered unfair, for example:

clauses giving the vendor unlimited access to customer data,
clauses that prohibit termination within a reasonable period of time,
conditions that exclude all liability in the event of serious misconduct.

Again, this requires reviewing your terms and conditions to verify that your clauses are transparent and in line with market standards.

What are the sanctions for non-compliance?

Each Member State will designate an authority competent to apply the Data Act. Sanctions must be “effective, proportionate and dissuasive” — a formulation already familiar from the GDPR. If a breach also involves personal data, fines of up to €20 million or 4% of global annual turnover may apply.

How to prepare in practice

For a SaaS vendor, preparing for the Data Act requires several actions:

Map your data: clearly identify what data is generated by your customers and how it is stored.
Update your contracts: your terms and conditions, SLAs and DPA annexes must include the new access, data restitution and portability obligations.
Review your technical processes: plan for standardised export formats, documented interfaces and realistic deadlines for data restitution.
Train your sales teams: they must be able to explain to prospects how their right of access and data restitution is guaranteed.
Prepare your negotiations: some major accounts will require additional guarantees; having compliant contractual templates ready will save you time.

Conclusion

The Data Act is a structural reform for the SaaS market in Europe. It requires rethinking data access, portability and the contractual balance between vendors and customers.

Achieving compliance goes beyond updating your terms and conditions: it requires a comprehensive audit of your contractual practices, technical architectures and internal processes. The earlier you act, the less likely you are to face urgent customer requests or disputes over data access.

I can assist you with this audit, draft Data Act-compliant terms and conditions templates, and help you secure your processes so you can approach your commercial negotiations with confidence.