Skip to main content

58a. Do the Data Act provisions on data processing services also apply to SaaS?

Article (2)(8) of the Data Act defines “data processing services” as “a digital service that is provided to a customer and that enables ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralised, distributed or highly distributed nature that can be rapidly provisioned and released with minimal management effort or service provider interaction”. This definition builds on the widely and internationally accepted definition of cloud computing by the National Institute of Standards and Technology and covers IaaS, PaaS, and SaaS. This is confirmed by Recital 81 which lists IaaS, PaaS and SaaS as data processing service delivery models. Chapter VI of the Data Act does not make a distinction between different types of SaaS, and thus applies to all SaaS types which display the characteristics listed in the definition of data processing services:

  • They enable access to computing resources, including networks, servers, storage, applications, and services;

  • They enable on-demand network access, meaning that a customer can unilaterally provision these computing resources which are available over the network and through standard mechanisms, for example via mobile phones, laptops, or workstations;

  • They can be rapidly provisioned and released with minimal management effort or service provider interaction, which implies that the unilateral provision can be done without significant intervention from the service provider and can be deployed quickly, allowing organisations to start using the resources almost immediately;

  • They are elastic and can be rapidly provisioned, meaning that the solutions can easily scale to accommodate changing needs and that customers can upgrade or downgrade demand based on their requirements.

Another relevant element of the definition of a ‘data processing service’ is that it must be provided to a customer. Article 2(30) defines ‘customer’ as “a natural or legal person that has entered into a contractual relationship with a provider of data processing services with the objective of using one or more data processing services”. It is therefore important to consider whether the user is a customer and whether that customer uses a data processing service as such or makes use of a functionality enabled by a data processing service, such as listening to music or viewing videos. A provider whose service offering displays these characteristics must comply with the provisions of the Data Act to enable switching between data processing services. This includes, for example, bringing service contracts in line with Article 25, reducing and removing switching and egress charges pursuant to Article 29, and complying with the technical aspects of switching defined in Article 30. However, not all requirements placed on data processing services under Chapter VI of the Data Act apply to SaaS. Notably, the concept of functional equivalence laid down in Article 30(1) only applies to providers of IaaS, whereas Articles 30(1) and 30(2) apply to providers of PaaS and SaaS. These latter two provisions require providers of PaaS and SaaS to make open interfaces available and comply with open interoperability specifications and harmonised standards published in an EU repository. Article 31(1) exempts providers of data processing services from certain obligations when the majority of the main features has been custom-built for a specific customer. In addition, Article 31(2) removes from the scope of Chapter VI data processing services provided for testing purposes and for a limited period of time. While neither of those two exemptions single out SaaS, it is possible that a specific SaaS solution meets these criteria and thus benefits from a lighter regime.