What happens to cloud data when a company becomes insolvent? Between § 103 InsO, the GDPR and the EU Data Act, complex questions arise about data security, vendor lock-in and contractual exit strategies.
When the Cloud Becomes a Problem
Digitalisation is not an end in itself – but it creates dependencies that can become existentially threatening in a crisis. More and more companies are outsourcing their business-critical data and processes to the cloud: ERP systems, accounting, customer databases, communications. As long as everything runs smoothly, it is efficient and cost-optimal. But what happens when one of the two contracting parties – the user company or the cloud provider – becomes insolvent?
Practice shows that cloud contracts frequently become a flashpoint in insolvency. Data is intangible, contractual provisions are often incomplete, and insolvency law instruments do not fit seamlessly onto digital business models. This article examines the key legal issues and provides practical guidance for forward-looking contract design.
The Insolvency Administrator's Right of Election: § 103 InsO
The central provision for mutual contracts in insolvency is § 103 InsO. Under this provision, for contracts that have not been fully performed by either side at the time proceedings are opened, the insolvency administrator may choose: demand performance or reject performance.
For cloud contracts, this means in concrete terms:
- Insolvency of the cloud user: The insolvency administrator of the user company can decide whether to continue or terminate the cloud contract. If non-performance is chosen, the cloud provider has only a damages claim as an insolvency creditor – in practice a dividend that is often in the single-digit percentage range.
- Insolvency of the cloud provider: This is particularly delicate. If the provider's insolvency administrator rejects performance, the user company loses access to its data and applications.
Is a Cloud Contract a Lease or a Service Agreement?
The legal classification is decisive, because § 108 InsO provides that certain continuing obligations – in particular lease and rental agreements – continue in effect for the insolvency estate. The prevailing view tends to classify SaaS contracts as lease-like continuing obligations, which would be favourable for the cloud user: the contract would initially continue.
However, the legal position has not been conclusively settled. Different assessments may apply to Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS). A blanket answer is not possible.
Data Access and Surrender Claims
The Right of Separation Under § 47 InsO
Anyone who can assert a real or personal right to an object that does not belong to the insolvency estate is entitled to separation under § 47 InsO. But: Are data "objects" within the meaning of this provision?
The answer is legally disputed. German property law does not recognise "ownership of data" in the classical sense. Nevertheless, it is increasingly recognised that the cloud user has at least a contractual claim for surrender of their data. However, this must be clearly regulated contractually – otherwise a protracted struggle with the insolvency administrator looms.
The Haufe specialist literature rightly points out that the insolvency of the cloud provider is one of the most serious risks in cloud computing, as the insolvency administrator is not automatically obliged to surrender data.
Practical Challenges
Even where a surrender claim exists, practical questions arise:
- In what format will the data be surrendered?
- Who bears the costs of data migration?
- How long do the data remain available after contract termination?
- Are the data complete and consistently exportable?
These questions are rarely resolved amicably during a crisis if they have not been contractually regulated in advance.
Vendor Lock-in: The Underestimated Danger
Vendor lock-in refers to the technical and economic dependence on a particular cloud provider. Proprietary data formats, provider-specific APIs and the absence of export options make a provider switch expensive or impossible.
In a crisis, vendor lock-in becomes an existential threat: if the insolvency administrator does not continue the contract and a quick provider switch is not technically possible, the company is left without a functioning IT infrastructure.
The Federal Office for Information Security (BSI) has formulated requirements in its C5 Criteria Catalogue that also address the portability and interoperability of cloud services. From July 2025, C5 certification becomes mandatory for many cloud services.
The EU Data Act: New Rules for Cloud Portability
With Regulation (EU) 2023/2854 – the so-called Data Act – the European Union has for the first time established binding rules for switching cloud providers. Since 12 September 2025, the following requirements apply, among others:
- Notice period: Cloud customers can terminate with two months' notice and initiate a switch.
- Transition period: The cloud provider must enable the switch within 30 days. Only where technically impossible may the deadline be extended to a maximum of seven months.
- Fee elimination: From January 2027, no fees may in principle be charged for the switch.
These provisions significantly strengthen the cloud user's position – including and especially in a crisis. However, they apply primarily to regular provider switches. Whether and how they are enforceable in the event of the provider's insolvency has not yet been conclusively settled.
GDPR Implications: Art. 28 and Data Processing
Cloud computing regularly constitutes data processing within the meaning of Art. 28 GDPR. The cloud provider processes personal data on behalf of the user company. This gives rise to specific obligations:
- Data processing agreement (DPA): A written agreement governing data processing must be in place.
- Instruction-bound processing: The cloud provider may only process data in accordance with the controller's instructions.
- Deletion obligation: After contract termination, personal data must be deleted or returned.
In the insolvency of the cloud provider, these obligations conflict with the insolvency administrator's powers. The insolvency administrator is in principle not bound by the controller's instructions but acts in the interest of the creditor body as a whole. Data protection chaos looms if this constellation has not been considered in advance.
Escrow and Exit Strategies: Prevention Is a Duty
The best crisis prevention is a well-designed exit strategy in the cloud contract. The following elements should be mandatory:
1. Data Escrow
Similar to software escrow, data can be regularly deposited with an independent trustee. In the event of insolvency, the cloud user then has direct access to a current data backup.
2. Contractual Clauses for Data Surrender
- Surrender deadlines: Concrete deadlines for data surrender after contract termination (e.g. 30 days)
- Standard formats: Specification of open, common data formats (CSV, JSON, XML, SQL dumps)
- Completeness guarantee: Assurance that all data including metadata are exportable
3. Insolvency-Proof Design
- Special termination right upon the cloud provider's insolvency filing
- Continuation agreement: Obligation of the cloud provider to maintain operations for a transitional period
- Step-in rights: Option to have operations continued by a third party
4. Regular Data Backup
Regardless of contractual provisions, every company should regularly create local backups of its cloud data. This sounds obvious but is alarmingly often neglected.
Checklist: Making Cloud Contracts Crisis-Proof
For managing directors and IT managers, the following review of existing cloud contracts is recommended:
- Legal classification: Is the contract classified as a lease, service or works contract?
- Data surrender: Are clear provisions for data return included?
- Formats: Are open, portable data formats agreed?
- Escrow: Is fiduciary data backup agreed?
- Insolvency clauses: Are provisions for the provider's insolvency included?
- GDPR compliance: Is a proper DPA in place?
- Backup strategy: Are regular own backups created?
- Multi-cloud: Does the IT architecture rely on a single provider?
Conclusion: Digital Dependence Requires Legal Protection
The cloud has become indispensable in modern business. But digital transformation must not lead to companies surrendering their business-critical data without legal safeguards. The insolvency of a cloud provider or of one's own company can occur at any time – and then the contractual foundations must be sound.
The interplay of insolvency law (§§ 103, 108 InsO), data protection law (Art. 28 GDPR) and the new rules of the EU Data Act creates a complex regulatory framework that must be considered from the outset when drafting contracts.
At compleneo, we support you in designing insolvency-proof cloud contracts and developing exit strategies for your IT infrastructure. Get in touch with us.
