Know your rights: You can control, extract, and move your data

The EU Data Act gives businesses and individuals operating in the EU more control over their data, including data access and portability for customers.
Charles Wang
Charles Wang
June 5, 2025

Cloud — including SaaS — customers often face significant challenges when trying to move their data or switch providers. Contracts contain restrictive clauses, extraction fees, or vague language that favors the provider. These practices lock customers in, even when other options are available. The EU Data Act changes this dynamic.

Your data, your rights: What the EU Data Act guarantees

Starting in September 2025, enterprise organizations will gain new legal rights designed to eliminate long-standing vendor lock-in challenges. The EU Data Act grants businesses the authority to access their data or switch providers upon notice without requiring approval. It also imposes enforceable obligations on data holders and providers of data processing services, including cloud, Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and edge computing providers.

Unlike the GDPR, the EU Data Act is a broad, horizontal regulation that grants rights to both consumers and businesses. It focuses on 2 key areas: first, the use and access rights to data generated by connected products and digital services, shaping relationships between users, data holders, and third parties; second, the ability for organizations to switch cloud providers easily, fairly, and without functional loss. This latter provision fundamentally shifts the power dynamic, empowering enterprises to regain control of their data and drive innovation without being constrained by legacy platforms.

Key rights granted under the EU Data Act include:

  • The right to retrieve exportable data and digital assets during the contract term (Article 23(c)).
  • The right to switch providers without being obstructed by contractual or technical barriers (Article 23).
  • The right to minimum contractual protections for switching and portability (Article 25).
  • The right to functional equivalence at the new provider, supported by interoperability obligations (Article 23(d)).
  • The right to switch without incurring fees, following a phase-out period (Article 29).
  • The right to invoke these protections even when the provider is established outside the EU, so long as the service is used in the EU (Article 1(3) and Recital 5).

These aren’t just best practices or policy recommendations — they’re enforceable legal rights that apply to your relationships with cloud, SaaS, IaaS, and PaaS providers starting September 2025. For enterprise customers, this marks a significant shift: You no longer have to accept lock-in as the cost of doing business. You now have the legal backing to demand control, portability, and freedom of choice in how your data is managed and used.

Demystifying scope: Who must comply, who can benefit

To understand how the EU Data Act applies to customers and providers of data processing services, it's important to clarify key terms and the boundaries of the law's applicability.

What is a data processing service?

Under Article 2(8), a data processing service is defined as:

“a digital service that is provided to a customer and that enables ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralised, distributed or highly distributed nature that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

A data processing service includes a wide spectrum of cloud and edge services — ranging from simple data storage services to highly customized Software as a Service solutions — and covers companies that provide typical cloud service distribution models such as IaaS and PaaS.

Who is a customer?

Per Article 2(30), a customer is:

Particularly noteworthy is that, unlike the GDPR, customers include both businesses and individuals. A company is a customer if it holds a license or subscription for the use of a cloud platform or hosted software product.

Who is covered?

Much like the GDPR, the EU Data Act has extraterritorial reach. Under Article 1(3) and Recital 5, any provider of data processing services, regardless of where they’re based, is subject to the EU Data Act if they offer services to customers in the EU.

In other words, if your business uses a cloud, SaaS, IaaS, or PaaS provider in the EU, that provider must comply with the EU Data Act, even if they’re headquartered outside of Europe.

What data is covered?

The EU Data Act safeguards the accessibility and portability of “exportable data” and “digital assets,” defined in Article 2(38) and 2(32) in the legislation. This includes:

  • Data uploaded by the customer
  • Data generated during service use
  • System configuration details and runtime environments
  • Metadata required to support service portability

In effect, this means virtually all digital information input into or generated or cogenerated by customers' use of a data processing service is covered.

Some exceptions apply. For example, data protected by intellectual property rights, trade secrets, or related to service integrity and security may be excluded if their export would pose a cybersecurity risk to the data processing services provider. However, the EU Data Act explicitly prevents providers from using these exclusions to impede, delay, or block valid export requests.

Where personal data is concerned, the GDPR still applies. As outlined in Article 1(5) and Recital 7, the EU Data Act complements — but does not override — existing privacy protections, applying instead to non-personal and mixed datasets.

Parallel use, not just switching: Your right to continuous, independent extraction

While the EU Data Act is often discussed in the context of switching cloud providers, it also recognizes that switching isn’t always a single event. Instead, it enables parallel use, staged migrations, and ongoing data exports, giving customers the operational flexibility to leverage their data on their own terms.

Crucially, the law requires interoperability to support this kind of flexibility (Article 34). Customers must be able to access their data and digital assets in formats that enable use across multiple services simultaneously. Providers must export all exportable data, on request, in a structured, commonly used, and machine-readable format (Article 30).

And you don’t have to wait until your contract ends. The right to retrieve your data for parallel use applies during the contract term, not just at the point of exit (Articles 23(c) and 34). This includes data and digital assets, so customers can initiate staged extractions or set up real-time redundancies across platforms.

To ensure these rights are actionable, the EU Data Act requires providers to detail switching procedures and timelines in their standard contracts, while also maintaining business continuity (Article 25). It explicitly prohibits technical and contractual lock-ins, including restrictive terms, minimum durations, or limits on third-party tools (Article 23).

In short, the drafters of the EU Data Act wanted to improve access to data and boost competition. The EU Data Act’s provisions for parallel use of data processing services recognize that a customer’s ability to extract data incrementally and use different providers at the same time promotes innovation and competition in the market. You don’t have to rip and replace or wait for a contract to expire. The EU Data Act empowers you to build the stack that works best for you, using your data across services on your terms.

For example, an organization relies on an enterprise system to run its core operations and uses its native tools for analytics, but it wants to work with that data in a different cloud environment better suited for their needs. Rather than replacing its current provider immediately, the company begins regularly extracting and using its data in the new environment.

The EU Data Act enables this kind of parallel use. It gives customers the right to access and reuse their data during the contract term, in structured, machine-readable formats, without being limited by technical barriers or restrictive contract terms.

This allows companies to evolve their data strategy incrementally through experimenting, modernizing, or diversifying their tooling, without waiting for a full migration or contract termination.

Why your provider’s excuses likely don’t hold up

The EU Data Act requires providers to make good faith efforts to enable secure, timely switching and data portability. As enterprises begin to assert their rights, some providers may push back, but most of the common objections don’t stand up to scrutiny.

“We’re not based in the EU.”

That doesn’t matter. Per Article 1(3), if the service is used in the EU, the provider is subject to the Data Act, regardless of where they’re headquartered.

“You’re not in the EU.”

Still doesn’t matter, according to Recital 5. The EU Data Act applies to the use of services in the EU. Even if your company is incorporated or headquartered  elsewhere, you’re protected when operating in the EU.

“We’re charging a fee to export your data.”

Under Article 29 of the EU Data Act, providers must eliminate switching fees entirely by 2027. Until then, only cost-based fees are allowed — no premium surcharges or “data ransom” pricing. For parallel-use scenarios, providers are permitted to charge for export but only to cover the egress costs actually incurred (Article 34(2)).

“We can’t ensure compatibility with other platforms.”

The source provider is responsible for making exportable data and digital assets available in a commonly used, interoperable format. The EU Data Act also encourages adoption of open interoperability standards across the industry.

“Our contracts don’t allow this.”

Then those contracts need to change. Any terms that restrict switching, parallel use, or data portability violate the EU Data Act and are unenforceable.

“We can’t export this data because it includes IP or trade secrets.”

While providers may withhold specific elements for legitimate IP or cybersecurity reasons, the exportable data and digital assets must not be withheld. Recital 82 of the EU Data Act is clear: These exceptions cannot be used to block or delay switching.

“This data includes personal information, so we can’t share it.”

This may be true, depending on GDPR considerations:

  • If the personal data belongs to the customer (e.g., employee information), and the customer is the controller, then sharing may be allowed under Article 6(1)(b) (performance of contract).
  • If the data includes personal information that the provider processes as a controller, transfer may require a separate lawful basis, such as consent or legitimate interest.
  • Joint controller relationships or uncertainty over controllership can complicate this. Providers may refuse transfers unless the customer's role as data controller is clear, and appropriate safeguards are in place.

GDPR may limit some transfers, but it does not override the customer’s rights to export non-personal data or apply to structured environments where the customer is clearly the controller.

While enforcement frameworks are still taking shape, the law is already clear on most of these issues. The EU Data Act wasn’t written to be optional. It gives customers legal leverage. If a provider refuses to cooperate, they’re no longer resisting a best practice. They’re denying a legal right.

What you can do now: Contracts, procurement, and governance

The EU Data Act officially takes effect in September 2025, but forward-thinking teams are already taking action. Here's how to prepare:

  • Get familiar with the law: Consult legal and data governance experts to understand how the EU Data Act will reshape your data strategy — from innovation opportunities to switching rights.
  • Audit your providers: Identify which vendors qualify as data processing services and determine whether your usage falls within the EU Data Act’s scope.
  • Review your contracts: Examine existing agreements for lock-in clauses, vague data ownership terms, or switching obstacles. Push for updates that reflect your upcoming rights under the Data Act.
  • Update procurement playbooks: Going forward, standardize contract requirements for interoperability, switching timelines, and data export definitions. Make these table stakes, not nice-to-haves.
  • Explore new partner options: The EU Data Act opens doors for multi-party solutions, controlled sharing, and parallel use. Use this moment to rethink vendor strategies and improve flexibility.
  • Train internal teams: Make sure your IT and product leaders can distinguish between derived data (which may be excluded) and exportable customer-owned data (which is protected under the EU Data Act).

Don’t wait for enforcement to catch up. Prepare now to position your business to fully leverage your data, with the law on your side.

You own your data

The EU Data Act resets the balance of power between cloud providers and their enterprise customers. It formalizes a principle customers have long championed: your data — whether generated, uploaded, or operational — is yours to control.

No more gatekeeping. No more lock-in. No more negotiating for basic access.

Whether you’re focused on vendor flexibility, cost efficiency, risk reduction, or long-term independence, the law now backs your right to move, manage, and maximize your data on your terms.

[CTA_MODULE]

The information provided in this blog is for general informational purposes only and is not intended to be, and should not be construed as, legal advice.

Start for free

Join the thousands of companies using Fivetran to centralize and transform their data.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Get demo
Data insights
Data insights

Know your rights: You can control, extract, and move your data

Know your rights: You can control, extract, and move your data

June 5, 2025
June 5, 2025
Know your rights: You can control, extract, and move your data
Charles Wang
Lead Product Evangelist
,
Fivetran
Anchor Link
Charles Wang
Lead Product Evangelist
,
Fivetran
Topics
No items found.
Share
The EU Data Act gives businesses and individuals operating in the EU more control over their data, including data access and portability for customers.

Cloud — including SaaS — customers often face significant challenges when trying to move their data or switch providers. Contracts contain restrictive clauses, extraction fees, or vague language that favors the provider. These practices lock customers in, even when other options are available. The EU Data Act changes this dynamic.

Your data, your rights: What the EU Data Act guarantees

Starting in September 2025, enterprise organizations will gain new legal rights designed to eliminate long-standing vendor lock-in challenges. The EU Data Act grants businesses the authority to access their data or switch providers upon notice without requiring approval. It also imposes enforceable obligations on data holders and providers of data processing services, including cloud, Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and edge computing providers.

Unlike the GDPR, the EU Data Act is a broad, horizontal regulation that grants rights to both consumers and businesses. It focuses on 2 key areas: first, the use and access rights to data generated by connected products and digital services, shaping relationships between users, data holders, and third parties; second, the ability for organizations to switch cloud providers easily, fairly, and without functional loss. This latter provision fundamentally shifts the power dynamic, empowering enterprises to regain control of their data and drive innovation without being constrained by legacy platforms.

Key rights granted under the EU Data Act include:

  • The right to retrieve exportable data and digital assets during the contract term (Article 23(c)).
  • The right to switch providers without being obstructed by contractual or technical barriers (Article 23).
  • The right to minimum contractual protections for switching and portability (Article 25).
  • The right to functional equivalence at the new provider, supported by interoperability obligations (Article 23(d)).
  • The right to switch without incurring fees, following a phase-out period (Article 29).
  • The right to invoke these protections even when the provider is established outside the EU, so long as the service is used in the EU (Article 1(3) and Recital 5).

These aren’t just best practices or policy recommendations — they’re enforceable legal rights that apply to your relationships with cloud, SaaS, IaaS, and PaaS providers starting September 2025. For enterprise customers, this marks a significant shift: You no longer have to accept lock-in as the cost of doing business. You now have the legal backing to demand control, portability, and freedom of choice in how your data is managed and used.

Demystifying scope: Who must comply, who can benefit

To understand how the EU Data Act applies to customers and providers of data processing services, it's important to clarify key terms and the boundaries of the law's applicability.

What is a data processing service?

Under Article 2(8), a data processing service is defined as:

“a digital service that is provided to a customer and that enables ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralised, distributed or highly distributed nature that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

A data processing service includes a wide spectrum of cloud and edge services — ranging from simple data storage services to highly customized Software as a Service solutions — and covers companies that provide typical cloud service distribution models such as IaaS and PaaS.

Who is a customer?

Per Article 2(30), a customer is:

Particularly noteworthy is that, unlike the GDPR, customers include both businesses and individuals. A company is a customer if it holds a license or subscription for the use of a cloud platform or hosted software product.

Who is covered?

Much like the GDPR, the EU Data Act has extraterritorial reach. Under Article 1(3) and Recital 5, any provider of data processing services, regardless of where they’re based, is subject to the EU Data Act if they offer services to customers in the EU.

In other words, if your business uses a cloud, SaaS, IaaS, or PaaS provider in the EU, that provider must comply with the EU Data Act, even if they’re headquartered outside of Europe.

What data is covered?

The EU Data Act safeguards the accessibility and portability of “exportable data” and “digital assets,” defined in Article 2(38) and 2(32) in the legislation. This includes:

  • Data uploaded by the customer
  • Data generated during service use
  • System configuration details and runtime environments
  • Metadata required to support service portability

In effect, this means virtually all digital information input into or generated or cogenerated by customers' use of a data processing service is covered.

Some exceptions apply. For example, data protected by intellectual property rights, trade secrets, or related to service integrity and security may be excluded if their export would pose a cybersecurity risk to the data processing services provider. However, the EU Data Act explicitly prevents providers from using these exclusions to impede, delay, or block valid export requests.

Where personal data is concerned, the GDPR still applies. As outlined in Article 1(5) and Recital 7, the EU Data Act complements — but does not override — existing privacy protections, applying instead to non-personal and mixed datasets.

Parallel use, not just switching: Your right to continuous, independent extraction

While the EU Data Act is often discussed in the context of switching cloud providers, it also recognizes that switching isn’t always a single event. Instead, it enables parallel use, staged migrations, and ongoing data exports, giving customers the operational flexibility to leverage their data on their own terms.

Crucially, the law requires interoperability to support this kind of flexibility (Article 34). Customers must be able to access their data and digital assets in formats that enable use across multiple services simultaneously. Providers must export all exportable data, on request, in a structured, commonly used, and machine-readable format (Article 30).

And you don’t have to wait until your contract ends. The right to retrieve your data for parallel use applies during the contract term, not just at the point of exit (Articles 23(c) and 34). This includes data and digital assets, so customers can initiate staged extractions or set up real-time redundancies across platforms.

To ensure these rights are actionable, the EU Data Act requires providers to detail switching procedures and timelines in their standard contracts, while also maintaining business continuity (Article 25). It explicitly prohibits technical and contractual lock-ins, including restrictive terms, minimum durations, or limits on third-party tools (Article 23).

In short, the drafters of the EU Data Act wanted to improve access to data and boost competition. The EU Data Act’s provisions for parallel use of data processing services recognize that a customer’s ability to extract data incrementally and use different providers at the same time promotes innovation and competition in the market. You don’t have to rip and replace or wait for a contract to expire. The EU Data Act empowers you to build the stack that works best for you, using your data across services on your terms.

For example, an organization relies on an enterprise system to run its core operations and uses its native tools for analytics, but it wants to work with that data in a different cloud environment better suited for their needs. Rather than replacing its current provider immediately, the company begins regularly extracting and using its data in the new environment.

The EU Data Act enables this kind of parallel use. It gives customers the right to access and reuse their data during the contract term, in structured, machine-readable formats, without being limited by technical barriers or restrictive contract terms.

This allows companies to evolve their data strategy incrementally through experimenting, modernizing, or diversifying their tooling, without waiting for a full migration or contract termination.

Why your provider’s excuses likely don’t hold up

The EU Data Act requires providers to make good faith efforts to enable secure, timely switching and data portability. As enterprises begin to assert their rights, some providers may push back, but most of the common objections don’t stand up to scrutiny.

“We’re not based in the EU.”

That doesn’t matter. Per Article 1(3), if the service is used in the EU, the provider is subject to the Data Act, regardless of where they’re headquartered.

“You’re not in the EU.”

Still doesn’t matter, according to Recital 5. The EU Data Act applies to the use of services in the EU. Even if your company is incorporated or headquartered  elsewhere, you’re protected when operating in the EU.

“We’re charging a fee to export your data.”

Under Article 29 of the EU Data Act, providers must eliminate switching fees entirely by 2027. Until then, only cost-based fees are allowed — no premium surcharges or “data ransom” pricing. For parallel-use scenarios, providers are permitted to charge for export but only to cover the egress costs actually incurred (Article 34(2)).

“We can’t ensure compatibility with other platforms.”

The source provider is responsible for making exportable data and digital assets available in a commonly used, interoperable format. The EU Data Act also encourages adoption of open interoperability standards across the industry.

“Our contracts don’t allow this.”

Then those contracts need to change. Any terms that restrict switching, parallel use, or data portability violate the EU Data Act and are unenforceable.

“We can’t export this data because it includes IP or trade secrets.”

While providers may withhold specific elements for legitimate IP or cybersecurity reasons, the exportable data and digital assets must not be withheld. Recital 82 of the EU Data Act is clear: These exceptions cannot be used to block or delay switching.

“This data includes personal information, so we can’t share it.”

This may be true, depending on GDPR considerations:

  • If the personal data belongs to the customer (e.g., employee information), and the customer is the controller, then sharing may be allowed under Article 6(1)(b) (performance of contract).
  • If the data includes personal information that the provider processes as a controller, transfer may require a separate lawful basis, such as consent or legitimate interest.
  • Joint controller relationships or uncertainty over controllership can complicate this. Providers may refuse transfers unless the customer's role as data controller is clear, and appropriate safeguards are in place.

GDPR may limit some transfers, but it does not override the customer’s rights to export non-personal data or apply to structured environments where the customer is clearly the controller.

While enforcement frameworks are still taking shape, the law is already clear on most of these issues. The EU Data Act wasn’t written to be optional. It gives customers legal leverage. If a provider refuses to cooperate, they’re no longer resisting a best practice. They’re denying a legal right.

What you can do now: Contracts, procurement, and governance

The EU Data Act officially takes effect in September 2025, but forward-thinking teams are already taking action. Here's how to prepare:

  • Get familiar with the law: Consult legal and data governance experts to understand how the EU Data Act will reshape your data strategy — from innovation opportunities to switching rights.
  • Audit your providers: Identify which vendors qualify as data processing services and determine whether your usage falls within the EU Data Act’s scope.
  • Review your contracts: Examine existing agreements for lock-in clauses, vague data ownership terms, or switching obstacles. Push for updates that reflect your upcoming rights under the Data Act.
  • Update procurement playbooks: Going forward, standardize contract requirements for interoperability, switching timelines, and data export definitions. Make these table stakes, not nice-to-haves.
  • Explore new partner options: The EU Data Act opens doors for multi-party solutions, controlled sharing, and parallel use. Use this moment to rethink vendor strategies and improve flexibility.
  • Train internal teams: Make sure your IT and product leaders can distinguish between derived data (which may be excluded) and exportable customer-owned data (which is protected under the EU Data Act).

Don’t wait for enforcement to catch up. Prepare now to position your business to fully leverage your data, with the law on your side.

You own your data

The EU Data Act resets the balance of power between cloud providers and their enterprise customers. It formalizes a principle customers have long championed: your data — whether generated, uploaded, or operational — is yours to control.

No more gatekeeping. No more lock-in. No more negotiating for basic access.

Whether you’re focused on vendor flexibility, cost efficiency, risk reduction, or long-term independence, the law now backs your right to move, manage, and maximize your data on your terms.

[CTA_MODULE]

The information provided in this blog is for general informational purposes only and is not intended to be, and should not be construed as, legal advice.

Discover smarter data integration — from every source to any destination, so that you can power all of your initiatives.
Learn more
Topics
No items found.
Share

Related blog posts

The state of data security in 2025
Data insights

The state of data security in 2025

Read post
How to prepare for the EU AI Act
Data insights

How to prepare for the EU AI Act

Read post
How to replicate and analyze SAP ERP data with Fivetran
Enterprise

How to replicate and analyze SAP ERP data with Fivetran

Read post
The state of data security in 2025
Blog

The state of data security in 2025

Read post
You can’t afford a data breach. Here’s how to avoid one.
Blog

You can’t afford a data breach. Here’s how to avoid one.

Read post
How Fivetran ensures GDPR compliance and protects your data
Blog

How Fivetran ensures GDPR compliance and protects your data

Read post
No items found.

Start for free

Join the thousands of companies using Fivetran to centralize and transform their data.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Get demo
Product
Platform overviewTransformationsSecurityGovernanceExtensibility Deployment models
Pricing
OverviewAll featuresFree PlanY Combinator
Resources
BlogCustomer storiesResource centerNewsEventsProfessional servicesPodcast
Company
About FivetranCultureCareersContact us
Impressum
Support
Support portalStatusChangelogFull API ReferenceFAQs
MIT research: Data readiness is key to AI readiness
Read now
Language

*dbt Core is a trademark of dbt Labs, Inc. All rights therein are reserved to dbt Labs, Inc. Fivetran Transformations is not a product or service of or endorsed by dbt Labs, Inc.

LegalPrivacy policyCookie settingsWebsite terms of useCookie list
©2025 Fivetran Inc.