{"id":2594,"date":"2025-11-21T16:51:30","date_gmt":"2025-11-21T15:51:30","guid":{"rendered":"https:\/\/blog.eprivacy.eu\/?p=2594"},"modified":"2025-11-25T15:41:07","modified_gmt":"2025-11-25T14:41:07","slug":"the-new-eu-data-act-what-saas-and-iot-businesses-need-to-do-now-2","status":"publish","type":"post","link":"https:\/\/blog.eprivacy.eu\/?p=2594","title":{"rendered":"The new EU Data Act: What SaaS and IoT Businesses need to do now"},"content":{"rendered":"\n<p>The new EU&nbsp;Data&nbsp;Act has been of increasing concern for our clients that are active in the SaaS and connected products industries since it entered into force in mid-September. Notably, the EU Data Act is applicable in parallel to the GDPR, and also applies to non-personal data (so-called \u2018machine\u2019 or \u2018product\u2019 data).<br><br>This new EU regulation brings two major implications for the industry:&nbsp;<\/p>\n\n\n\n<ul><li>Ban on long-term contracts: Typical contract&nbsp;terms of 12 to 24 months will be prohibited in the future as soon as the contracted service falls under the&nbsp;Data&nbsp;Act. Instead, all customers have a 60-day right of termination for convenience \u2013 even for B2B contracts.<br>&nbsp;<\/li><li>Mandatory migration support: Businesses that fall under the&nbsp;Data&nbsp;Act&nbsp;must&nbsp;actively support a migration to another provider requested by the customer \u2013 in other words, they must help their competitors onboard new customers free of charge. When migrating customer product data, additional GDPR compliance requirements may apply where personal data is involved.<\/li><\/ul>\n\n\n\n<p>Businesses that do not implement these requirements in their contracts may be subject to legal action from competitors and risk extremely heavy fines, comparable to the well-known sanctions under EU\u00a0data protection law.<br><br>In this context, a number of our SaaS clients are currently adapting their contracts and, in some cases, also their business and sales models. Before doing so, however, it is of course necessary to check whether the\u00a0Data\u00a0Act\u00a0applies to any of the products offered: Not all SaaS models fall under the law, even if there are some contradictory statements circulating on this subject.<br><br>SMEs are not generally exempt from the provisions of the\u00a0Data\u00a0Act, but they are exempt from certain obligations. For example, IoT businesses with less than \u20ac10 million in revenue are not required to provide migration support.<br><br>In addition to posing new risks, the\u00a0Data\u00a0Act\u00a0also offers opportunities for SaaS providers themselves. For example, it has now become much easier to move one\u2019s own cloud infrastructure to another provider.<br><br>Our legal team is happy to support you with any questions you may have, or kick off your EU Data Act implementation project, and to align it with your existing GDPR compliance measures.<br><br>To provide you with an initial overview of the new law and to give you an opportunity to address your questions, we will be offering a free EU Data Act webinar on\u00a0December 4th, 2025 at 2.00 pm.\u00a0<a href=\"https:\/\/events.teams.microsoft.com\/event\/558fe394-794e-4ccc-bc67-c8be836c4053@ef9db3d4-9134-416e-aace-116d440d493a\">Registration<\/a><\/p>\n\n\n\n<p>(Dr Lukas Mezger, UNVERZAGT Rechtsanw\u00e4lte)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The new EU&nbsp;Data&nbsp;Act has been of increasing concern for our clients that are active in the SaaS and connected products industries since<\/p>\n<p class=\"link-more\"><a class=\"myButt \" href=\"https:\/\/blog.eprivacy.eu\/?p=2594\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/blog.eprivacy.eu\/index.php?rest_route=\/wp\/v2\/posts\/2594"}],"collection":[{"href":"https:\/\/blog.eprivacy.eu\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.eprivacy.eu\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.eprivacy.eu\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.eprivacy.eu\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2594"}],"version-history":[{"count":2,"href":"https:\/\/blog.eprivacy.eu\/index.php?rest_route=\/wp\/v2\/posts\/2594\/revisions"}],"predecessor-version":[{"id":2606,"href":"https:\/\/blog.eprivacy.eu\/index.php?rest_route=\/wp\/v2\/posts\/2594\/revisions\/2606"}],"wp:attachment":[{"href":"https:\/\/blog.eprivacy.eu\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2594"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.eprivacy.eu\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2594"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.eprivacy.eu\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2594"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}