Contract Adjustment Obligations under Art. 25 Data Act and Legal Consequences of Non-Implementation

The Data Act challenges cloud services to establish a simple switching process for customers by September 2025 and to adapt new and existing contracts. However, behind the clear objectives of the legislator, there are considerable legal hurdles in practice that raise complex legal questions. This article highlights the requirements of Article 25 of the Data Act, the risks involved in adapting existing contracts, and the far-reaching legal consequences that may arise if the legal requirements are not implemented.

I.       The Data Act

The Data Act (Regulation (EU) 2023/2854) is a central set of rules in the European Union's digital data strategy and is intended to create a fair internal market for data, promote innovation, and prevent lock-in effects (see Recitals (4) ff., (32) ff., and (84) Data Act).

In addition to regulations for manufacturers of connected products and providers of related services, the Data Act also defines regulations for data processing services. According to Art. 2 No. 8 Data Act, cloud services that enable users to use computing capacity, storage space, or software applications flexibly and on demand are classified as data processing services. This includes, in particular, well-known models such as IaaS (Infrastructure-as-a-Service), PaaS (Platform-as-a-Service), and SaaS (Software-as-a-Service), but also new developments such as “Storage-as-a-Service” and “Database-as-a-Service” (see Recital (81) Data Act).

II.      Minimum Contract Requirements according to Art. 25 Data Act

For these cloud services, Art. 23 ff. of the Data Act regulates data access and interoperability obligations as well as requirements for contract drafting. The relevant standard is Art. 25 Data Act, which specifies the minimum requirements for customer contracts.

According to Article 25 of the Data Act, customer contracts should establish a switching process that enables customers to easily switch to other providers or their own infrastructure (see Recital (84) ff. Data Act). Customers should be able to initiate a switching process at any time with a maximum notice period of two months. The switching process should generally be completed within a transition period of no more than 30 calendar days after the end of the notice period. During the switching phase, the provider must transfer exportable customer data, provide appropriate support, and ensure business continuity and a high level of data security. After the end of the contract, any remaining data must be available for retrieval for at least 30 days and then be completely deleted.

In addition, according to Art. 25 Data Act, providers must disclose certain information before the contract is concluded, such as a list of all transferable and non-transferable data categories as well as transfer formats and methods.

III.    Effective Date of the Data Act from 12.09.2025 for New and Existing Contracts

The minimum requirements of Art. 25 Data Act must not only be implemented in future contracts with new customers, but also in existing contracts with current customers, as the provisions will generally apply from 12 September 2025 (see Art. 50 Data Act).

This can cause problems, especially if the provider has proposed a contract amendment to an existing customer in accordance with the legal provisions, but the customer refuses to accept the changes. Contrary to popular belief, existing contracts cannot usually be amended unilaterally during their term without the customer's consent (see BGH XI ZR 26/20; BeckOK BGB/Becker, § 308 Nr. 5 Rn. 1-28; BeckOK BGB/Gehrlein, § 311 Rn. 33-36). If the customer rejects the amendments, the original contract continues to apply without the changes until it is terminated.

IV.    No Right to Contract Adjustment for Cloud Service Providers

A remedy would be a claim for contract adjustment against the customer in such cases. However, such claim cannot be derived from the Data Act itself, nor can a claim for contract adjustment be derived under German law. Although Art. 308 (4) and (5) of the German Civil Code (BGB) allow general terms and conditions to provide for the right to unilateral contractual adjustments, this only applies to changes that are purely advantageous to the customer. A claim for providers of cloud services cannot be derived from Art. 313 (1) BGB either, as the introduction of the Data Act presumably does not constitute a significant change in the underlying basis of the contract as required by Art. 313 BGB. This leaves a legal gap that imposes all the risks of lack of contractual adjustment on the provider, even if this is attributable to the customer.

cc

V.     Legal Consequences of Non-Compliance with the Minimum Requirements of Art. 25 Data Act

If contracts are not adapted to the requirements of Art. 25 Data Act by the deadline in September, or if contractual provisions violate the requirements, legal consequences may follow.

1.      Legal Consequences under Public Law set out in the Data Act

The Data Act itself does not regulate civil law consequences in the event of non-implementation. Art. 40 Data Act merely opens the possibility of national public law sanctions, particularly the imposition of fines. However, this possibility has not yet been used in Germany (see BeckOK DatenschutzR/Schmidt-Wudy Data Act Art. 23 Rn. 23).

Since no specific legal consequences are set out, the legal consequences are based on the general principles of German law (see BeckOK DatenschutzR/Schmidt-Wudy Data Act Art. 23 Rn. 23). In addition to the invalidity of individual clauses or the entire contract, civil liability and the direct application of the in some cases unfavorable statutory provisions are also possible.

2.      Ineffectiveness of Contractual Clauses standing against the Data Act

In general, individual contract clauses are considered invalid under Sections 305 et seq., 307, and 242 BGB if they violate statutory provisions. If the minimum requirements of Art. 25 Data Act are not implemented or are implemented incorrectly, the corresponding clauses will therefore be invalid. This primarily affects clauses relating to terms and notice periods. However, product-specific provisions may also be affected due to the data access and interoperability requirements of the Data Act.

Depending on the specific contract design, the invalidity of individual clauses may also extend to the entire contract, thereby cutting off liability limitations and service-related provisions (see EuGH C-349/18; BeckOK DatenschutzR/Schmidt-Wudy Data Act Art. 23 Rn. 20-22).

3.      Civil Liability of the Provider for Non-Compliance with the Data Act

Regardless of the invalidity of individual clauses or the entire contract, cloud service providers are potentially liable under German civil law if they fail to implement Art. 25 of the Data Act.

Depending on the wording of the contract, failure to comply with Art. 25 Data Act may be considered a breach of a main or ancillary contractual obligation (e.g., duties of care and disclosure), due to the fact that the failure to implement the switching process results in the non-implementation of mandatory legal requirements and the denial of important rights to the customer. In individual cases, depending on the type of contract, the conflict with the law may also give rise to material or immaterial defects in the contractual products and services. The legal consequences are warranty rights for customers, such as rights to a reduction in price, claims for damages, or rights of withdrawal or termination.

However, if an existing customer has rejected the contract amendment in advance, they cannot fully invoke these rights. In such cases, responsibility must be considered in the context of a balancing of interests or contributory negligence on the part of the customer in accordance with Section 254 BGB.

4.      Direct Application of the Data Act regardless of Contractual Implementation

If contractual gaps arise due to the failure to implement the Data Act or the ineffectiveness of the clauses, the text of the law and the rights and obligations standardized therein apply directly under German and European law. As a result, the provisions and requirements of the Data Act apply directly in the contractual relationship with the customer, even if they are not implemented in the contract (see BeckOK DatenschutzR/Schmidt-Wudy, 52nd Ed. 1.5.2025, DA Art. 23 Rn. 20).

A different assessment makes hardly any sense, as the purpose of the law is to protect customers and providers could otherwise undermine important customer rights by delaying the implementation of the legal requirements.

VI.    Conclusion and Action Required for Cloud Service Providers

Cloud service providers are therefore well advised to prepare their business models for the implementation of the Data Act requirements at an early stage and to adapt new and existing contracts.

These contract adjustments are not only required by law, but are also useful, as the legally defined switching and notice periods, transition periods, and the specific design of the switching process can be adapted to a certain extent to internal procedures. Contracts should also ensure that remuneration already incurred for an agreed term remains unaffected by early termination under the Data Act.

Contract terms adapted to the Data Act must be offered not only to new customers but also to existing customers, if possible before September 12, 2025. Even if the offer to amend the contract is rejected by the existing customer, the provider's request for amendment is thereby documented. The existing customer can then no longer easily invoke the provisions and legal consequences of the Data Act that are advantageous.

If cloud service providers fail to amend their contracts or make corresponding offers, they risk the (partial) invalidity of the contracts and civil liability and must accept the customers' right to terminate the contract at any time under the Data Act without compensation.