Your Data Portability Rights When a SaaS Vendor Shuts Down
The EU Data Act changed the game. Here's what you're legally entitled to and how to use it before the deadline hits.
When a SaaS vendor announces a sunset, the first question is always "how do I get my data out?" The second question should be: "what am I legally entitled to?"
As of September 2025, the answer changed significantly for anyone in the EU. The EU Data Act introduced mandatory data portability requirements for cloud and SaaS providers. If you're a European customer (or your vendor serves the EU market), you now have concrete legal rights that didn't exist before.
This guide covers what those rights are, how they apply during a SaaS sunset, and what you can do right now to protect your data.
The EU Data Act: what changed
The EU Data Act, which became applicable on September 12, 2025, includes specific provisions for cloud services, including SaaS. The key requirements for vendors:
- Data export in standard formats. Vendors must provide your data in a structured, commonly used, machine-readable format. No proprietary binary dumps. No "we'll mail you a PDF." Actual usable data: CSV, JSON, XML, or equivalent.
- 30-day completion window. Once you request your data, the vendor must complete the transfer within 30 calendar days. They can request a limited extension in exceptional cases, but the default is 30 days.
- Switching assistance. The vendor must provide reasonable technical support during the transition period. This includes documentation of data formats, API access for bulk export, and support for migrating to a replacement service.
- No lock-in barriers. Vendors cannot use technical or contractual tricks to prevent you from leaving. No "export fees," no degraded export functionality, no artificial limitations on bulk downloads.
- 60-day termination notice. Customers can terminate for convenience with no more than 60 days' notice to switch to another provider or move on-premises.
How this applies during a SaaS sunset
When a vendor announces a sunset (like Delighted's June 30, 2026 deadline or Project Online's September 30, 2026 retirement), the Data Act provisions are especially relevant. The vendor is essentially forcing a switch on you. The question is whether they're doing it in compliance with the law.
Reasonable notice period. Most sunsets give 6 to 12 months' notice. The Data Act requires at least 60 days. Most vendors exceed this, but if you discover a sunset with less than 60 days' notice, you may have grounds to demand an extension.
Export functionality must remain operational. Until the sunset date, the vendor must maintain working data export features. If export tools start breaking in the final weeks (which happens more often than you'd think), document it. Under the Data Act, the vendor has an obligation to keep these tools functional through the transition.
Format matters. If the vendor offers only a proprietary format or an incomplete export (missing metadata, relationships, or historical data), that may not meet the "structured, commonly used, machine-readable" standard. You have grounds to request a more complete export.
GDPR rights still apply (and stack)
If your SaaS tool processes personal data (and most do: customer emails, survey responses, user profiles), GDPR data portability rights under Article 20 also apply. These are separate from and stack on top of the Data Act:
- Right to receive personal data in a structured, commonly used, machine-readable format
- Right to transmit that data to another controller (i.e., your new tool)
- This applies to data you provided and data generated by your use of the service
- The vendor must provide this free of charge
The practical implication: if the vendor's standard export misses personal data fields, you can file a separate GDPR data portability request to get them. This is a legal right, not a feature request.
Outside the EU: what rights do you have?
If you're not in the EU, your rights depend on your contract and local law:
United States. No federal data portability law equivalent to the EU Data Act. Your rights come from your service agreement. Check for data export clauses, data retention after termination, and any switching assistance provisions. California's CCPA/CPRA gives consumers rights over personal data, but it's narrower in scope than the EU framework.
United Kingdom. UK GDPR provides data portability rights similar to EU GDPR for personal data. The UK is developing its own equivalent to the Data Act but hasn't implemented it yet.
Your contract. Regardless of jurisdiction, read your Terms of Service. Many SaaS agreements include data export provisions, data retention periods after account closure, and sometimes explicit migration assistance. If the vendor is sunsetting the product, they may be willing to negotiate extended access or enhanced export options. It costs them little and avoids legal disputes.
Practical steps to exercise your rights
1. Export immediately, don't wait
Legal rights are great. But litigation takes months. Your data deletion takes one API call. The moment a sunset is announced, export everything. Don't wait to exercise your legal rights as a fallback. Use every export tool available today. Our survival guide walks through this process step by step.
2. Document the export capabilities
Screenshot the export options. Note what formats are available, what data is included, and what's missing. If the export is incomplete, this documentation supports a complaint or request for a more complete export under the Data Act or GDPR.
3. Send a formal data portability request
If the standard export is insufficient, send a written request citing the specific regulation:
- For EU Data Act: Reference Article 23-26 (switching and data portability for cloud services). Request data in a structured, commonly used, machine-readable format within 30 days.
- For GDPR: Reference Article 20 (right to data portability). Request all personal data you provided and that was generated by your use, in a machine-readable format.
Send this via email to the vendor's data protection officer or legal team. Keep a copy. This creates a paper trail if you need to escalate.
4. Escalate if necessary
If the vendor doesn't comply within 30 days (Data Act) or one month (GDPR), you can file a complaint with your national data protection authority. For GDPR: your local DPA (e.g., BfDI in Germany, CNIL in France, ICO in the UK). For the EU Data Act: your national competent authority, which may be the same as or different from the DPA depending on the member state.
5. Check your contract for extras
Some SaaS contracts include post-termination data retention periods (30, 60, or 90 days after account closure). If your vendor offers this, it extends your window. Ask the support team explicitly: "How long will my data be available after the sunset date?"
What vendors should do (and what good ones actually do)
The best-handled sunsets we've seen include:
- 12+ months' notice
- Complete data export in multiple formats (CSV, JSON, API access)
- Clear documentation of what's exported and what's not
- A dedicated migration support team
- Extended data retention period after the sunset date (30 to 90 days)
- Partnerships with alternative vendors that include discounted migration paths
Microsoft's handling of Project Online is a reasonable example: long notice period, clear documentation, and a migration path to their own replacement (Microsoft Planner). Qualtrics's handling of Delighted provides a six-month window with CSV exports. Neither is perfect, but both meet the minimum legal requirements.
The bottom line
You have more rights than you think. The EU Data Act and GDPR give you concrete legal tools to ensure you get your data out of a sunsetting SaaS product in a usable format. But legal rights are a safety net, not a strategy. The strategy is: export early, export often, and store copies in at least two places.
Don't wait for the deadline to find out your export tool doesn't work. Don't wait for a legal dispute to get your data. Act now, while the tools still function and the vendor still has support staff.