Data processing services and provider switching

Chapter VI of the Data Act lays down rules that make it easier for customers of data processing services to switch from one service to another. Data processing services are mostly cloud services.

Nowadays many enterprises and public institutions are largely dependent on individual data processing services, mostly cloud services. Switching providers or using several data processing services at the same time often involves high costs, technical barriers or contractual restrictions. Chapter VI of the Data Act aims to make it easier for customers to use more than one data processing service at the same time, switch to a different provider of data processing services or move to on-premises IT infrastructure and to eliminate the above-mentioned barriers. The objective is to create a fair, transparent and competitive cloud market. The rules apply to all providers of data processing services, irrespective of their size, and to both existing and new contracts.

What are data processing services?

The term “data processing service” is defined in Article 2 point 8 of the Data Act. It covers a large number of digital services with a very large range of different application purposes, functions and technical structures. The definition mirrors common definitions of cloud computing services. It was designed to cover the popular delivery models such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS), while also remaining open to future technological innovation in the field of data processing service delivery.

Not all services are covered by the full set of switching and interoperability rules. Article 31 of the Data Act provides for exemptions from obligations.
Exemptions apply to:

data processing services that have been designed or developed to accommodate individual needs and that are not offered on a broad commercial scale; and
data processing services that are provided as a test or beta version.

However, this does not mean that custom-built services are fully exempt from the scope of Chapter VI (Article 31(1) of the Data Act). Providers of custom-built services must, for example, make open interfaces available and ensure that data are exported in a structured, commonly used and machine-readable format.

Providers making use of these exemptions are obliged to properly inform their customers before concluding a contract about the obligations of Chapter VI of the Data Act that do not apply to them.

Which particular rules apply to IaaS, PaaS and SaaS delivery models?

The Data Act requires providers of data processing services to remove any existing obstacles that customers may face when they want to use several services at the same time, switch from one provider to another provider offering the same service type or move to on-premises IT infrastructure. The rules apply to all typical cloud service delivery models such as IaaS, PaaS and SaaS.

The following applies additionally to IaaS:

Providers of IaaS are required to take all reasonable measures in their power to enable their customers, after switching to a new provider offering the same service type, to achieve functional equivalence in the use of their new service. In accordance with Article 30(1) of the Data Act, this specifically means that the source provider must provide adequate information, technical documentation and capabilities and, where appropriate, the necessary tools.

The following applies to PaaS and SaaS:

Source providers of PaaS or SaaS must make open interfaces for their services available free of charge, both to their customers and to the new providers to whom their customers are switching. Source providers must also provide the documentation necessary to enable their customers and the new providers to use the interfaces.

Source providers must still guarantee interoperability for data portability on the basis of common specifications or harmonised standards. These specifications and standards are published in the central European Union standards repository for data processing services. Providers of PaaS or SaaS must use the specifications or standards for switching processes no later than 12 months after the specifications and standards have been published.

What does “same service type” mean?

The provisions on switching between data processing services only apply if the provider from which and the provider to which a customer is switching cover the “same service type” (Article 23 of the Data Act). According to the definition in Article 2 point 9 of the Data Act, this means that the data processing services must share the same “primary objective”, the same “main functionalities” and the same data processing service model.

Switching process and deadlines

Providers must provide clear and comprehensible terms for provider switching in their contracts. Customers must be able to understand before concluding a contract which rights they have with respect to exporting data, terminating a contract and receiving assistance from a provider. This information must be available, for example, in general terms and conditions, in pre-contractual documentation or on a provider’s website.

All of the parties involved, including destination data processing service providers, must work together constructively to ensure that switching is completed effectively, data are transferred in time and continuity of the data processing services is maintained.

As technical conditions vary considerably in practice, it makes sense to distinguish between two switching scenarios: scenario A with a low level of technical complexity and scenario B with a high level of complexity.

Scenario A – low level of technical complexity

Scenario A is the standard case. Switching is technically feasible without a large degree of complexity.

Wechselprozess in Szenario A

1. Switching request/notice period

A customer notifies their provider that they want to terminate their contract or switch to another provider. In accordance with the notice period set in the Data Act, the provider then has a maximum of two months to make the technical preparations.

2. Transitional period

The technical switching process then begins. The process must be completed within a transitional period of 30 calendar days.
Important: A customer may extend the transitional period once for a period that they consider more appropriate, for example if they need more time for tests or preparations. This extension does not have to be based on specific technical reasons.
During the agreed transitional period, the data must be transferred, the necessary technical interfaces must be in place and the new provider must be able to put the applications into operation. The original service must still be accessible during this period.

3. Completion of switching and post-switching period

The data must remain retrievable from the old provider for at least 30 calendar days after the switching process has been completed. This enables final backups to be made or missing data to be added. The data must be erased after this retrieval period, unless there is a legal reason for retaining the data.

Scenario B – high level of technical complexity

In some cases, such as in the case of very complex IT environments, provider switching is not technically feasible within 30 calendar days. In this case, the Data Act allows the period to be extended.

Wechselprozess in Szenario B

1. Switching request/notice period

The following applies here as well: A customer notifies their provider that they want to terminate their contract or switch to another provider. In accordance with the notice period set in the Data Act, the provider has a maximum of two months to make the technical preparations. If the provider establishes that switching within the subsequent 30-day transitional period is not technically feasible, the provider must inform the customer within 14 working days and prove that switching within the period would not be technically feasible.

2. Alternative transitional period

If a provider proves that switching within the 30-day transitional period would not be technically feasible, the provider can extend the transitional period to a maximum of seven months.

Important: In this scenario as well, a customer can also voluntarily extend the transitional period for a period that they consider more appropriate for their own purposes, irrespective of any technical reasons.
During the agreed transitional period, the data must be transferred, the necessary technical interfaces must be in place and the new provider must be able to put the applications into operation. The original service must be maintained during this period.

3. Completion of switching and post-switching period

As in scenario A, the data must remain retrievable from the old provider for at least 30 calendar days after the switching process has been completed. The data must be erased after this retrieval period unless there is a legal reason for retaining the data.

When do the new rules for provider switching become applicable?

All contracts, that is both existing contracts concluded before and new contracts concluded after 12 September 2025, when the Data Act became applicable, must comply with the provisions of Chapter VI.

Withdrawal of switching charges

The Data Act includes rules on switching charges, which are the charges that are imposed on users switching to a different provider. These charges will gradually be withdrawn:

In the transitional period from 11 January 2024 to 11 January 2027, providers may only charge actual, direct costs.
From 12 January 2027, no switching charges at all may be imposed.

Before entering into a contract, providers are required by the Data Act to give prospective customers clear information about the standard service fees for operation of a service and the reasonable compensation for early termination that may be imposed and about the reduced switching charges applicable during the transitional period from 11 January 2024 to 12 January 2027.

Are my data safeguarded against third-country access?

The Data Act provides special protection for data held in the EU. Providers of data processing services may not share data with non-EU authorities or bodies unless there is a valid legal basis.

This means that even if a third-country authority (for example in the US, China or another non-EU country) requests that data should be shared, the provider must first check whether or not the request is compatible with EU legislation. If there is no legal basis such as a bilateral agreement or EU law, the provider must refuse the request for data.

See „International governmental access to data“.

Standard contractual clauses (SCCs)

The European Commission’s standard contractual clauses (SCCs) provide a structured and adaptable basis for putting the new requirements into practice efficiently, while allowing scope for individual and sector-specific adjustments. The SCCs aim to support customers and providers of data processing services in implementing their rights and obligations under the Data Act in contracts. They apply to all cloud models (IaaS, PaaS and SaaS) and provide model clauses that providers can include in their individual contracts. The SSCs are not binding: use of the SSCs is voluntary.

Structure of the SSCs:

The SCCs consist of modular clauses that can be used as a complete set or separately.
They are not intended as a full contract but as a supplement to a comprehensive contract for data processing services. Other aspects outside the scope of the Data Act need to be set out in additional clauses.
An integral part with definitions based on the Data Act aims to ensure uniform interpretation.
For ease of reference, the SCCs include cross-references that link certain clauses to relevant provisions in the Data Act or to other clauses.

Flexibility:

Although not necessary, the European Commission recommends using the entire set of modular clauses.
It is possible to use only some of the clauses or make changes to them, but this requires a careful, legal assessment to ensure that there are no gaps or contradictions.

Contact

E-Mail: DataAct@BNetzA.de

Service

Data Act Glossary

Da­ta pro­cess­ing services and provider switch­ing