Data & Privacy
- Data Act
- Data Governance Act
- ePrivacy Directive
- GDPR
AI & Trust
- Artificial Intelligence Act
Cybersecurity
- Cybersecurity Act
- DORA
- NIS2
Digital Services & Media
- Digital Markets Act
- Digital Services Act
- European Media Freedom Act
Data Act
- Recitals
CHAPTER I
GENERAL PROVISIONSArticles 1 — 2
CHAPTER II
BUSINESS TO CONSUMER AND BUSINESS TO BUSINESS DATA SHARINGArticles 3 — 7
CHAPTER III
OBLIGATIONS FOR DATA HOLDERS OBLIGED TO MAKE DATA AVAILABLE PURSUANT TO UNION LAWArticles 8 — 12
CHAPTER IV
UNFAIR CONTRACTUAL TERMS RELATED TO DATA ACCESS AND USE BETWEEN ENTERPRISESArticles 13 — 13
CHAPTER V
MAKING DATA AVAILABLE TO PUBLIC SECTOR BODIES, THE COMMISSION, THE EUROPEAN CENTRAL BANK AND UNION BODIES ON THE BASIS OF AN EXCEPTIONAL NEEDArticles 14 — 22
CHAPTER VI
SWITCHING BETWEEN DATA PROCESSING SERVICESArticles 23 — 31
CHAPTER VII
UNLAWFUL INTERNATIONAL GOVERNMENTAL ACCESS AND TRANSFER OF NON-PERSONAL DATAArticles 32 — 32
CHAPTER VIII
INTEROPERABILITYArticles 33 — 36
CHAPTER IX
IMPLEMENTATION AND ENFORCEMENTArticles 37 — 42
CHAPTER X
SUI GENERIS RIGHT UNDER DIRECTIVE 96/9/ECArticles 43 — 43
CHAPTER XI
FINAL PROVISIONSArticles 44 — 50
DA Article 25. Contractual terms concerning switching
- 1.The rights of the customer and the obligations of the provider of data processing services in relation to switching between providers of such services or, where applicable, to an on-premises ICT infrastructure shall be clearly set out in a written contract. The provider of data processing services shall make that contract available to the customer prior to signing the contract in a way that allows the customer to store and reproduce the contract.
- 2.Without prejudice to Directive (EU) 2019/770, the contract referred to in paragraph 1 of this Article shall include at least the following:
- (a)clauses allowing the customer, upon request, to switch to a data processing service offered by a different provider of data processing services or to port all exportable data and digital assets to an on-premises ICT infrastructure, without undue delay and in any event not after the mandatory maximum transitional period of 30 calendar days, to be initiated after the maximum notice period referred to in point (d), during which the service contract remains applicable and during which the provider of data processing services shall:
(i)
provide reasonable assistance to the customer and third parties authorised by the customer in the switching process;(ii)
act with due care to maintain business continuity, and continue the provision of the functions or services under the contract;(iii)
provide clear information concerning known risks to continuity in the provision of the functions or services on the part of the source provider of data processing services;(iv)
ensure that a high level of security is maintained throughout the switching process, in particular the security of the data during their transfer and the continued security of the data during the retrieval period specified in point (g), in accordance with applicable Union or national law;
- (b)an obligation of the provider of data processing services to support the customer’s exit strategy relevant to the contracted services, including by providing all relevant information;
- (c)a clause specifying that the contract shall be considered to be terminated and the customer shall be notified of the termination, in one of the following cases:
(i)
where applicable, upon the successful completion of the switching process;(ii)
at the end of the maximum notice period referred to in paragraph (d), where the customer does not wish to switch but to erase its exportable data and digital assets upon service termination;
- (d)a maximum notice period for initiation of the switching process, which shall not exceed two months;
- (e)an exhaustive specification of all categories of data and digital assets that can be ported during the switching process, including, at a minimum, all exportable data;
- (f)an exhaustive specification of categories of data specific to the internal functioning of the provider’s data processing service that are to be exempted from the exportable data under point (e) of this paragraph where a risk of breach of trade secrets of the provider exists, provided that such exemptions do not impede or delay the switching process provided for in Article 23;
- (g)a minimum period for data retrieval of at least 30 calendar days, starting after the termination of the transitional period that was agreed between the customer and the provider of data processing services, in accordance with point (a) of this paragraph and paragraph 4;
- (h)a clause guaranteeing full erasure of all exportable data and digital assets generated directly by the customer, or relating to the customer directly, after the expiry of the retrieval period referred to in point (g) or after the expiry of an alternative agreed period at a date later than the date of expiry of the retrieval period referred to in point (g), provided that the switching process has been completed successfully;
- (i)switching charges, that may be imposed by providers of data processing services in accordance with Article 29.
- 3.The contract referred to in paragraph 1 shall include clauses providing that the customer may notify the provider of data processing services of its decision to perform one or more of the following actions upon termination of the maximum notice period referred to in paragraph 2, point (d):
- (a)switch to a different provider of data processing services, in which case the customer shall provide the necessary details of that provider;
- (b)switch to an on-premises ICT infrastructure;
- (c)erase its exportable data and digital assets.
- 4.Where the mandatory maximum transitional period as provided for in paragraph 2, point (a) is technically unfeasible, the provider of data processing services shall notify the customer within 14 working days of the making of the switching request, and shall duly justify the technical unfeasibility and indicate an alternative transitional period, which shall not exceed seven months. In accordance with paragraph 1, service continuity shall be ensured throughout the alternative transitional period.
- 5.Without prejudice to paragraph 4, the contract referred to in paragraph 1 shall include clauses providing the customer with the right to extend the transitional period once for a period that the customer considers more appropriate for its own purposes.
Relevant Recitals for this Article
Undermining the extraction of the exportable data that belongs to the customer from the source provider of data processing services can impede the restoration of the service functionalities in the infrastructure of the destination provider of data processing services. In order to facilitate the customer’s exit strategy, avoid unnecessary and burdensome tasks and to ensure that the customer does not lose any of their data as a consequence of the switching process, the source provider of data processing services should inform the customer in advance of the scope of the data that can be exported once that customer decides to switch to a different service provided by a different provider of data processing services or to move to an on-premises ICT infrastructure. The scope of exportable data should include, at a minimum, input and output data, including metadata, directly or indirectly generated, or cogenerated, by the customer’s use of the data processing service, excluding any assets or data of the provider of data processing services or a third party. The exportable data should exclude any assets or data of the provider of data processing services or of the third party that are protected by intellectual property rights or constituting trade secrets of that provider or of that third party, or data related to the integrity and security of the service, the export of which will expose the providers of data processing services to cybersecurity vulnerabilities. Those exemptions should not impede or delay the switching process.
Data processing services are used across sectors and vary in complexity and service type. This is an important consideration with regard to the porting process and timeframes. Nonetheless, an extension of the transitional period on the grounds of technical unfeasibility to allow the finalisation of the switching process in the given timeframe should be invoked only in duly justified cases. The burden of proof in that regard should fall fully on the provider of the data processing service concerned. This is without prejudice to the exclusive right of the customer to extend the transitional period once for a period that the customer considers to be more appropriate for its own purposes. The customer may evoke that right to an extension prior to or during the transitional period, taking into account that the contract remains applicable during the transitional period.
Switching charges are charges imposed by providers of data processing services on the customers for the switching process. Typically, those charges are intended to pass on costs which the source provider of data processing services may incur because of the switching process to the customer who wishes to switch. Common examples of switching charges are costs related to the transit of data from one provider of data processing services to another or to an on-premises ICT infrastructure (data egress charges) or the costs incurred for specific support actions during the switching process. Unnecessarily high data egress charges and other unjustified charges unrelated to actual switching costs inhibit customers from switching, restrict the free flow of data, have the potential to limit competition and cause lock-in effects for the customers by reducing incentives to choose a different or additional service provider. Switching charges should therefore be abolished after three years from the date of entry into force of this Regulation. Providers of data processing services should be able to impose reduced switching charges up to that date.
A source provider of data processing services should be able to outsource certain tasks and compensate third-party entities in order to comply with the obligations provided for in this Regulation. A customer should not bear the costs arising from the outsourcing of services concluded by the source provider of data processing services during the switching process and such costs should be considered to be unjustified unless they cover work undertaken by the provider of data processing services at the customer’s request for additional support in the switching process which goes beyond the switching obligations of the provider as expressly provided for in this Regulation. Nothing in this Regulation prevents a customer from compensating third-party entities for support in the migration process or parties from agreeing on contracts for data processing services of a fixed duration, including proportionate early termination penalties to cover the early termination of such contracts, in accordance with Union or national law. In order to foster competition, the gradual withdrawal of the charges associated with switching between different providers of data processing services should specifically include data egress charges imposed by a provider of data processing services on a customer. Standard service fees for the provision of the data processing services themselves are not switching charges. Those standard service fees are not subject to withdrawal and remain applicable until the contract for the provision of the relevant services ceases to apply. This Regulation allows the customer to request the provision of additional services that go beyond the provider’s switching obligations under this Regulation. Those additional services, can be performed and charged for by the provider when they are performed at the customer’s request and the customer agrees to the price of those services in advance.
Throughout the switching process, a high level of security should be maintained. This means that the source provider of data processing services should extend the level of security to which it committed for the service to all technical arrangements for which such provider is responsible during the switching process, such as network connections or physical devices. Existing rights relating to the termination of contracts, including those introduced by Regulation (EU) 2016/679 and Directive (EU) 2019/770 of the European Parliament and of the Council should not be affected. This Regulation should not be understood to prevent a provider of data processing services from providing to customers new and improved services, features and functionalities or from competing with other providers of data processing services on that basis.
To facilitate interoperability and switching between data processing services, users and providers of data processing services should consider the use of implementation and compliance tools, in particular those published by the Commission in the form of an EU Cloud Rulebook and a Guidance on public procurement of data processing services. In particular, standard contractual clauses are beneficial because they increase confidence in data processing services, create a more balanced relationship between users and providers of data processing services and improve legal certainty with regard to the conditions that apply for switching to other data processing services. In that context, users and providers of data processing services should consider the use of standard contractual clauses or other self-regulatory compliance tools provided that they fully comply with this Regulation, developed by relevant bodies or expert groups established under Union law.