New Drafts from European Commission: Model Terms for Data Sharing and Standard Contractual Clauses for Cloud Services
A. Introduction
Under the Data Act, the European Commission (“Commission”) is required to prepare non-binding Model Contractual Terms (“MCT”) on data access and use, as well as Standard Contractual Clauses (“SCC”) for cloud computing contracts. Accordingly, the Commission published the draft MCTs and SCCs on 19 November 2025.
You can access the relevant drafts here.
B. Model Contractual Terms
Data Act regulates users’ access to their own data, including personal data, and the use of such data by users and public authorities.
A total of four (4) different MCT drafts have been prepared in relation to the three (3) mandatory data-sharing scenarios and a voluntary data-sharing scenario envisaged by the Data Act:
(i) Data Holder to User MCTs: Covers the rights and obligations relating to the access to, use of, and sharing of data (such as error codes, usage durations, etc.) generated through the user’s use of a connected product[1] or related service.
(ii) User to Data Recipient MCTs: Sets out the scope of the User’s data-sharing instruction and the conditions of use of the data by the data recipient, which is a third party of the user’s choice. As an example, this may include a contract between a user of a connected product and a third-party maintenance service (the data recipient) chosen by the user.
(iii) Data Holder to Data Recipient MCTs: Sets out the conditions for data sharing by the data holder with the data recipient selected by the user. For example, this may involve the transmission of data—upon the user’s instruction—by the data holder providing the relevant product or service directly to the third-party maintenance service chosen by the user.
(iv) Data Sharer to Data Recipient MCT: Regulates the contractual conditions for voluntary data sharing between a data sharer that is not subject to a data-sharing obligation and the data recipient.
These provisions aim to prevent the stronger party in data-sharing agreements from imposing onerous conditions on the weaker party and to establish a balance of interests between the parties. MCTs will in particular make it more difficult for powerful data holders to unilaterally determine the terms of data access.
C. Standard Contractual Clauses
Section IV of the Data Act introduces rules to ensure that users can effectively switch between different data processing service providers (cloud switching). The Commission has translated these rules into three (3) ready-to-use standard contractual clauses that can be incorporated into data processing contracts and has made them available to the public:
(i) SCC on Switching and Exit: Defines the process for transferring data from the source provider to the destination provider or to the customer’s own premises. It sets out clear procedures, timelines (up to 30 days), and cooperation obligations of the parties for data extraction, transformation, and uploading.
(ii) SCC on Termination: Safeguards the customer’s right to terminate the data processing service.
(iii) SCC on Security and Business Continuity: Aims to ensure the security of the data and the continuity of the customer’s business operations throughout the switching process. It outlines the technical and organizational measures necessary to safeguard data integrity and confidentiality during the transition.
These SCCs aim to eliminate vendor lock-in, which is one of the major barriers to competition in the cloud computing sector. In this way, customers will be able to switch easily between IaaS, PaaS, and SaaS services without high data egress charges, technical obstacles, or contractual restrictions.
In addition to these core SCCs, three (3) further SCC drafts have been recommended to maintain the rights and obligations set out in Section IV of the Data Act:
(i) SCC on Non-Dispersion: Aims to consolidate information and documentation that may otherwise be scattered across different sources. This is intended to ensure that the customer can easily access all up-to-date documents necessary to understand their rights and obligations, particularly during the switching process.
(ii) SCC on Non-Amendment: Prevents the provider from making unilateral and unfair amendments that would disadvantage the customer, particularly shortly before a switching process or in a manner that would hinder switching. It grants a reasonable notice period for significant amendments and provides the customer with the right to terminate the contract without penalty if the provider fails to comply with the conditions governing such amendments.
(iii) SCC on Liability: It aims to ensure a more balanced allocation of liability between the parties, including preventing unfair liability limitations imposed by the provider.
D. Conclusion
It appears that the MCT and SCC drafts published by the Commission aim to improve data egress and switching processes. These provisions and clauses are not binding or mandatory, and they may be revised to suit the relationship between the parties. However, although they are not binding, significant deviations from these drafts—particularly where they include terms that are unfair to the weaker party or that substantially distort the balance of interests—may give rise to objections under Section IV of the Data Act, titled ‘Unfair Contract Terms,’ as they could jeopardize compliance with the Data Act’s mandatory data-sharing and fair switching principles. For this reason, these drafts may function as a de facto best-practice standard. Especially for powerful data and cloud providers, disregarding these drafts carries a risk of non-compliance with the legislation.
Also, it is anticipated that these draft MCTs and SCCs may become part of data contracts not only within the EU but also for third-country companies conducting business with the EU, and that the Data Act may influence regulatory approaches in other jurisdictions as well.
For more information and support, you can contact us.
[1] Pursuant to Article 2(5) of the Data Act, a connected product means; “an item that obtains, generates or collects data concerning its use or environment and that is able to communicate product data via an electronic communications service, physical connection or on-device access, and whose primary function is not the storing, processing or transmission of data on behalf of any party other than the user”.
Under the Data Act, the European Commission (“Commission”) is required to prepare non-binding Model Contractual Terms (“MCT”) on data access and use, as well as Standard Contractual Clauses (“SCC”) for cloud computing contracts. Accordingly, the Commission published the draft MCTs and SCCs on 19 November 2025.
You can access the relevant drafts here.
B. Model Contractual Terms
Data Act regulates users’ access to their own data, including personal data, and the use of such data by users and public authorities.
A total of four (4) different MCT drafts have been prepared in relation to the three (3) mandatory data-sharing scenarios and a voluntary data-sharing scenario envisaged by the Data Act:
(i) Data Holder to User MCTs: Covers the rights and obligations relating to the access to, use of, and sharing of data (such as error codes, usage durations, etc.) generated through the user’s use of a connected product[1] or related service.
(ii) User to Data Recipient MCTs: Sets out the scope of the User’s data-sharing instruction and the conditions of use of the data by the data recipient, which is a third party of the user’s choice. As an example, this may include a contract between a user of a connected product and a third-party maintenance service (the data recipient) chosen by the user.
(iii) Data Holder to Data Recipient MCTs: Sets out the conditions for data sharing by the data holder with the data recipient selected by the user. For example, this may involve the transmission of data—upon the user’s instruction—by the data holder providing the relevant product or service directly to the third-party maintenance service chosen by the user.
(iv) Data Sharer to Data Recipient MCT: Regulates the contractual conditions for voluntary data sharing between a data sharer that is not subject to a data-sharing obligation and the data recipient.
These provisions aim to prevent the stronger party in data-sharing agreements from imposing onerous conditions on the weaker party and to establish a balance of interests between the parties. MCTs will in particular make it more difficult for powerful data holders to unilaterally determine the terms of data access.
C. Standard Contractual Clauses
Section IV of the Data Act introduces rules to ensure that users can effectively switch between different data processing service providers (cloud switching). The Commission has translated these rules into three (3) ready-to-use standard contractual clauses that can be incorporated into data processing contracts and has made them available to the public:
(i) SCC on Switching and Exit: Defines the process for transferring data from the source provider to the destination provider or to the customer’s own premises. It sets out clear procedures, timelines (up to 30 days), and cooperation obligations of the parties for data extraction, transformation, and uploading.
(ii) SCC on Termination: Safeguards the customer’s right to terminate the data processing service.
(iii) SCC on Security and Business Continuity: Aims to ensure the security of the data and the continuity of the customer’s business operations throughout the switching process. It outlines the technical and organizational measures necessary to safeguard data integrity and confidentiality during the transition.
These SCCs aim to eliminate vendor lock-in, which is one of the major barriers to competition in the cloud computing sector. In this way, customers will be able to switch easily between IaaS, PaaS, and SaaS services without high data egress charges, technical obstacles, or contractual restrictions.
In addition to these core SCCs, three (3) further SCC drafts have been recommended to maintain the rights and obligations set out in Section IV of the Data Act:
(i) SCC on Non-Dispersion: Aims to consolidate information and documentation that may otherwise be scattered across different sources. This is intended to ensure that the customer can easily access all up-to-date documents necessary to understand their rights and obligations, particularly during the switching process.
(ii) SCC on Non-Amendment: Prevents the provider from making unilateral and unfair amendments that would disadvantage the customer, particularly shortly before a switching process or in a manner that would hinder switching. It grants a reasonable notice period for significant amendments and provides the customer with the right to terminate the contract without penalty if the provider fails to comply with the conditions governing such amendments.
(iii) SCC on Liability: It aims to ensure a more balanced allocation of liability between the parties, including preventing unfair liability limitations imposed by the provider.
D. Conclusion
It appears that the MCT and SCC drafts published by the Commission aim to improve data egress and switching processes. These provisions and clauses are not binding or mandatory, and they may be revised to suit the relationship between the parties. However, although they are not binding, significant deviations from these drafts—particularly where they include terms that are unfair to the weaker party or that substantially distort the balance of interests—may give rise to objections under Section IV of the Data Act, titled ‘Unfair Contract Terms,’ as they could jeopardize compliance with the Data Act’s mandatory data-sharing and fair switching principles. For this reason, these drafts may function as a de facto best-practice standard. Especially for powerful data and cloud providers, disregarding these drafts carries a risk of non-compliance with the legislation.
Also, it is anticipated that these draft MCTs and SCCs may become part of data contracts not only within the EU but also for third-country companies conducting business with the EU, and that the Data Act may influence regulatory approaches in other jurisdictions as well.
For more information and support, you can contact us.
[1] Pursuant to Article 2(5) of the Data Act, a connected product means; “an item that obtains, generates or collects data concerning its use or environment and that is able to communicate product data via an electronic communications service, physical connection or on-device access, and whose primary function is not the storing, processing or transmission of data on behalf of any party other than the user”.
Download PDF
e.copur@lbfpartners.com
