On 11 January 2024, the Regulation of the European Parliament and of the Council on harmonised rules on fair access to and use of data (the so-called Data Act)[1] entered into force.Will the provisions of the Data Act affect cloud contracts and the obligations of data processing service providers, and if so, how?

Current cloud computing guides and guidelines include requirements for the development of a cloud exit plan. However, these do not have the force of generally applicable law. Service providers face no sanctions for failing to apply these rules. Cloud users, on the other hand, do not currently have any tools to insist on adding appropriate provisions to cloud contracts, which would allow them, for example, to transfer their data to another provider. Will the proposed Data Act legislation change the situation for suppliers?

Under the Data Act, data processing service providers are required to put in place the measures provided for in the regulation which allow their customers to switch to another data processing service that covers the same type of service, but is provided by another provider. The obligations under the Data Act will apply to providers regardless of the scale of their operations.

The Data Act provides that, when changing the data processing service provider, the rights of the customer and the obligations of the provider in question, must be clearly set out in a written contract. The contract should therefore specify at least:

    1. maximum period of notice of termination,
    2. the period during which the customer can retrieve the data,
    3. charges related to changing the provider,
    4. the provider’s commitment to support the customer’s exit strategy.

In order to comply with the information obligation, also set out in the Data Act, data processing service providers will be required to provide the customer with information on existing procedures for changing the provider and switching the service. It will also be their responsibility to identify an online registry containing details of all data structures and formats, as well as relevant standards and open specifications for interoperability.

At the same time, service providers will be required to make available on their websites information on the jurisdiction to which their ICT infrastructure used to process data is subject, as well as a general description of the technical, organisational and contractual measures adopted to prevent international access to non-personal data (Article 28 of the Data Act).

Data processing service providers are required to carry out an ‘audit’ of their contract templates and organisation’s processes by 12 September 2025 at the latest (when the Data Act will begins to apply), in order to bring them into line with the Data Act obligations imposed on them.

Author: Karolina Grochecka-Goljan

Footnotes

[1] Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (OJ EU 2023 L. 2854)

 

More from Traple Konarski Podrecki & Partners