The Data Act will come into force as of September 12, 2025. This new European regulation aims to harmonize the access and use of data in the European Union. For SaaS companies, this isn't just a regulatory update: it's a profound transformation in how customer data should be managed, secured, and returned.

A few key points should be integrated right now into your contracts and processes.

The Data Act, a new framework beyond the GDPR

Unlike the GDPR, which focuses on personal data, the Data Act concerns all the data generated by your customers via your SaaS: logs, metadata, functional uses, performance data. The aim is to extend the rights of access, portability and transparency to all this information, whether personal or not.

In practice, this means for SaaS companies to review their contractual documentation and internal tools to ensure that customer rights are respected, regardless of the type of data concerned.

Expanded right of access to customer data

The first principle of the Data Act is clear : Customers need to be able to easily access the data generated by their use.

Your contracts should therefore specify:

  • what data is concerned (raw, aggregated, exportable),
  • the format in which they will be made available (legible, structured, interoperable),
  • the access procedure (on request, via a customer portal, API, etc.),
  • the deadlines within which the return is guaranteed.

This obligation extends the already existing one for personal data in the GDPR, but extends it to all data. This requires adapting your internal processes and technical tools.

Strengthened portability and the end of supplier lockdown

The Data Act requires SaaS companies to facilitate the change of supplier.


Concretely, your terms and conditions must provide for:

  • data transfer methods (open formats, standards, interoperability),
  • the return deadlines (with a maximum of 30 days provided for by the regulation),
  • any costs (in principle, the return is free, except for clearly defined exceptions),
  • reasonable support for the customer during the migration.

The aim is to avoid any lock-in effect (contractual and technical locking) that would make it impossible or expensive for a customer to leave. This requirement will require many publishers to adapt their contracts and technical architectures.

Interoperability and support

The regulation also insists on the need to ensure a reasonable level of support and interoperability.
This means opening interfaces for exporting data and clearly documenting the APIs.

Your customers must be able to migrate to another SaaS without depending on tailor-made developments, or being blocked by proprietary standards.

Unfair terms prohibited

The Data Act introduces a simple rule: B2B contracts can no longer contain unbalanced clauses concerning the access and use of data.

For example, the following are considered abusive:

  • clauses giving the publisher unlimited access to customer data,
  • clauses that prohibit termination within a reasonable period of time,
  • conditions that exclude all liability in the event of serious misconduct.

Again, this requires you to review your terms and conditions to verify that your clauses are transparent and in accordance with market standards.

What are the sanctions in case of non-compliance?

Each Member State will designate an authority competent to apply the Data Act. Sanctions must be “effective, proportionate and dissuasive” — a terminology that is already familiar from GDPR.
If a breach also involves personal data, fines of up to 20 million euros or 4% of global annual turnover may apply.

How to anticipate concretely?

For a SaaS publisher, preparing for the Data Act requires several actions:

  • Map your data: clearly identify what data is generated by your customers and how it is stored.
  • Update your contracts: your terms and conditions, SLAs and DPA annexes must include new access, return and portability obligations.
  • Review your technical processes: plan for standardized export formats, documented interfaces and realistic deadlines for returning the data.
  • Train your sales teams: they must be able to explain to prospects how their right of access and return is guaranteed.
  • Prepare your negotiations: some major accounts will require additional guarantees; having compliant contractual models will save you time.

Conclusion

The Data Act is a structural reform for the SaaS market in Europe. It requires rethinking access to data, their portability and the contractual balance between publishers and customers.

I can help you integrate these new obligations into your terms and conditions, adapt your SLAs and secure your processes to calmly pass the Data Act.

Other posts


Blog image
Variable metrics in SaaS: how to describe it in your SaaS agreements?

Variable billing in SaaS and contracts: how to define your metrics, anticipate excess use and avoid disputes.

Lire Plus
Blog image
Accepting the test of a SaaS without a contract: what are the risks for the SaaS company?

Testing a SaaS without a contract exposes you to major legal risks. Discover how to secure your POCs and test phases while contracting quickly.

Lire Plus

Let's build together to grow your business

Schedule an Appointment
Contact Me

I have been supporting software and SaaS companies for more than 10 years, to structure their business, protect their intellectual property and improve their contracts.

Pages
HomeServicesMatthieu PacaudPricesResourcesSaaS Contracting GuideTrademark Registration GuideContact
Services
Managing your IT AgreementsIntellectual PropertyE-commerceSecondment
Legal
Legal InformationPrivacy Policy
Consent Banner

Ourama - Website creation for lawyers