§ Data Act · Article 25
Data Act Article 25: Obligations, Deadlines & Penalties
At a glance
Article 25 of the Data Act imposes 17 obligations on provider of data processing services. At least one obligation carries an explicit compliance deadline.
§ Obligations
All obligations under Article 25
Obligation 1
The provider of data processing services shall make the written contract setting out switching rights and obligations available to the customer prior to signing in a way that allows the customer to store and reproduce it.
Regulation (EU) 2023/2854, Article 25, Article 25
- Obligated entity
-
provider of data processing services
- Action required
-
make available
- Deadline
-
prior to signing the contract
- Penalty
-
—
Obligation 2
The contract shall include clauses allowing the customer to switch to a different provider or port data to on-premises infrastructure without undue delay and within a maximum transitional period of 30 calendar days.
Regulation (EU) 2023/2854, Article 25, Article 25
- Obligated entity
-
provider of data processing services
- Action required
-
include clauses
- Deadline
-
—
- Penalty
-
—
Obligation 3
During the transitional period, the provider of data processing services shall provide reasonable assistance to the customer and authorized third parties in the switching process.
Regulation (EU) 2023/2854, Article 25, Article 25
- Obligated entity
-
provider of data processing services
- Action required
-
provide assistance
- Deadline
-
during the transitional period
- Penalty
-
—
Obligation 4
During the transitional period, the provider of data processing services shall act with due care to maintain business continuity and continue the provision of functions or services under the contract.
Regulation (EU) 2023/2854, Article 25, Article 25
- Obligated entity
-
provider of data processing services
- Action required
-
maintain continuity
- Deadline
-
during the transitional period
- Penalty
-
—
Obligation 5
During the transitional period, the provider of data processing services shall provide clear information concerning known risks to continuity in the provision of functions or services.
Regulation (EU) 2023/2854, Article 25, Article 25
- Obligated entity
-
provider of data processing services
- Action required
-
provide information
- Deadline
-
during the transitional period
- Penalty
-
—
Obligation 6
During the transitional period, the provider of data processing services shall ensure that a high level of security is maintained throughout the switching process, particularly regarding data transfer and retrieval.
Regulation (EU) 2023/2854, Article 25, Article 25
- Obligated entity
-
provider of data processing services
- Action required
-
ensure security
- Deadline
-
during the transitional period
- Penalty
-
—
Obligation 7
The contract shall include an obligation for the provider of data processing services to support the customer’s exit strategy, including by providing all relevant information.
Regulation (EU) 2023/2854, Article 25, Article 25
- Obligated entity
-
provider of data processing services
- Action required
-
support exit strategy
- Deadline
-
—
- Penalty
-
—
Obligation 8
The contract shall specify that it is considered terminated and the customer shall be notified of the termination upon successful completion of switching or at the end of the notice period if the customer chooses to erase data.
Regulation (EU) 2023/2854, Article 25, Article 25
- Obligated entity
-
provider of data processing services
- Action required
-
notify termination
- Deadline
-
upon successful completion or end of notice period
- Penalty
-
—
Obligation 9
The contract shall specify a maximum notice period for initiation of the switching process that shall not exceed two months.
Regulation (EU) 2023/2854, Article 25, Article 25
- Obligated entity
-
provider of data processing services
- Action required
-
specify notice period
- Deadline
-
—
- Penalty
-
—
Obligation 10
The contract shall include an exhaustive specification of all categories of data and digital assets that can be ported during the switching process, including all exportable data.
Regulation (EU) 2023/2854, Article 25, Article 25
- Obligated entity
-
provider of data processing services
- Action required
-
specify data categories
- Deadline
-
—
- Penalty
-
—
Obligation 11
The contract shall specify categories of data specific to the internal functioning of the provider’s service that are exempted from exportable data where a risk of breach of trade secrets exists, provided this does not impede switching.
Regulation (EU) 2023/2854, Article 25, Article 25
- Obligated entity
-
provider of data processing services
- Action required
-
specify exemptions
- Deadline
-
—
- Penalty
-
—
Obligation 12
The contract shall include a minimum period for data retrieval of at least 30 calendar days starting after the termination of the transitional period.
Regulation (EU) 2023/2854, Article 25, Article 25
- Obligated entity
-
provider of data processing services
- Action required
-
allow retrieval period
- Deadline
-
—
- Penalty
-
—
Obligation 13
The contract shall guarantee full erasure of all exportable data and digital assets generated by or relating to the customer after the expiry of the retrieval period or an alternative agreed period.
Regulation (EU) 2023/2854, Article 25, Article 25
- Obligated entity
-
provider of data processing services
- Action required
-
erase data
- Deadline
-
after expiry of retrieval period
- Penalty
-
—
Obligation 14
The contract shall specify switching charges that may be imposed by providers of data processing services in accordance with Article 29.
Regulation (EU) 2023/2854, Article 25, Article 25
- Obligated entity
-
provider of data processing services
- Action required
-
specify charges
- Deadline
-
—
- Penalty
-
—
Obligation 15
The contract shall include clauses providing the customer with the right to notify the provider of its decision to switch to a different provider, switch to on-premises infrastructure, or erase data upon termination of the notice period.
Regulation (EU) 2023/2854, Article 25, Article 25
- Obligated entity
-
provider of data processing services
- Action required
-
include clauses
- Deadline
-
—
- Penalty
-
—
Obligation 16
Where the mandatory maximum transitional period is technically unfeasible, the provider shall notify the customer within 14 working days of the switching request, justify the unfeasibility, and indicate an alternative transitional period not exceeding seven months.
Regulation (EU) 2023/2854, Article 25, Article 25
- Obligated entity
-
provider of data processing services
- Action required
-
notify and justify
- Deadline
-
within 14 working days of switching request
- Penalty
-
—
Obligation 17
Where an alternative transitional period is applied due to technical unfeasibility, the provider shall ensure service continuity throughout that alternative period.
Regulation (EU) 2023/2854, Article 25, Article 25
- Obligated entity
-
provider of data processing services
- Action required
-
ensure continuity
- Deadline
-
throughout the alternative transitional period
- Penalty
-
—
§ Frequently asked
Questions about Article 25
Who must comply with Article 25 of the Data Act?
+
provider of data processing services.
What does Article 25 of the Data Act require?
+
make available include clauses provide assistance
What is the compliance deadline for Data Act Article 25?
+
after expiry of retrieval period; during the transitional period; prior to signing the contract; throughout the alternative transitional period; upon successful completion or end of notice period; within 14 working days of switching request