The EU has the world's most comprehensive data protection framework (GDPR has applied since 25 May 2018), yet many SaaS contracts still fail to meet its requirements. The EU Data Act (applicable from 12 September 2025) adds a further layer of data access rights and switching obligations. Understanding what your SaaS contract must contain, and what rights you have over your data, is essential for any EU business buying software.
What is data ownership?
In an EU SaaS contract, data governance operates on two levels: (1) GDPR compliance: if the SaaS platform processes personal data on your behalf, you are the data controller and the vendor is a data processor. GDPR Article 28 requires a written Data Processing Agreement (DPA) with mandatory provisions. (2) The EU Data Act (Regulation (EU) 2023/2854, applicable from 12 September 2025) gives customers of data processing services, including SaaS, the right to retrieve their exportable data and requires providers to facilitate switching to competitors.
Red flags to watch for
Without an Article 28 DPA, both you (as controller) and the vendor (as processor) are in breach of GDPR. You remain liable for how the vendor processes your customers' personal data. Fines can reach 20 million EUR or 4% of global annual turnover, whichever is higher.
GDPR requires a lawful basis for all personal data processing. Using customer data to train AI models typically requires either consent or a convincing legitimate interests assessment. Broad contractual licences don't substitute for a valid GDPR basis. Note also that a processor may only process personal data on your documented instructions (Article 28(3)(a)); a vendor that decides to use the data for its own purposes, such as model training, is treated as a controller for that processing under Article 28(10) and takes on controller liability.
Transfers of personal data outside the EEA require one of the mechanisms in GDPR Chapter V: adequacy decision, Standard Contractual Clauses, or Binding Corporate Rules. A contract silent on transfer mechanisms is non-compliant.
The EU Data Act (Chapter VI, Articles 23-31) requires providers of data processing services, including SaaS, to remove technical, commercial, and contractual barriers to switching. Excessive switching charges or proprietary-only export formats may breach these obligations from 12 September 2025.
Under GDPR Article 28(2), you have the right to object to new sub-processors. Contracts that give the vendor unrestricted rights to add sub-processors without notice undermine this right.
Your legal rights
GDPR Article 28 requires a written DPA specifying the subject matter, duration, nature, and purpose of processing. Data subjects can exercise rights (access, erasure, portability, objection) against you as controller, so you must be able to fulfil these with your processor's assistance. The EU Data Act (applicable from 12 September 2025) gives customers of data processing services the right to retrieve the data they have created or stored on the service (their "exportable data"), and requires providers to offer porting in structured, commonly used, machine-readable formats. Switching charges must be reduced during a transitional period and eliminated entirely from 12 January 2027. Supervisory authorities (DPAs) in each member state can investigate and impose GDPR fines.
Questions to ask before you sign
1. Is there a GDPR-compliant Data Processing Agreement covering Article 28 requirements?
2. Does the vendor have any right to use my data beyond delivering the contracted service?
3. Where is personal data stored and processed, and what transfer mechanisms apply to any non-EEA processing?
4. What is the sub-processor list, and how am I notified of changes?
5. Can I export my data in open, interoperable formats, and what are the switching procedures under the EU Data Act?
Disclaimer: This guide is for educational purposes only and does not constitute legal advice. Contract law varies by jurisdiction and individual circumstances. Always consult a qualified legal professional before making decisions based on this information.