What privacy and AI clauses are essential in software contracts under the EU AI Act?
Discover the essential items when negotiating with suppliers: model training, data retention, international transfer, SLA and more under EU AI Act compliance.
Trust This Team

Why are privacy clauses in software contracts critical under the EU AI Act?
Corporate software procurement involves much more than functionality and price. With the advancement of artificial intelligence and increasing privacy regulations like the EU AI Act and GDPR, contractual clauses have become an essential battleground for protecting corporate data and avoiding regulatory risks.
The question every legal, procurement, and privacy team should ask is: does your current contract protect your company against improper use of data to train AI models under the EU AI Act? If you can't answer with certainty, this guide is for you.
Let's explore the essential clauses that cannot be missing from any negotiation with software suppliers.
How to ensure protection against AI model training with corporate data?
One of the biggest current concerns is the use of corporate data to train artificial intelligence models without explicit consent. Companies like OpenAI, Google, and Microsoft have been questioned about their training practices, and many organizations discovered too late that their data was being used to improve algorithms.
What should be included in the training opt-out clause?
Clearly specify that corporate data CANNOT be used to:
- Train, fine-tune, or otherwise improve machine learning models
- Develop new products or features derived from patterns in your data
- Benchmark or run aggregate analyses without prior consent
The clause should include the right to unconditional and immediate opt-out, without penalties or additional costs. Additionally, require written confirmation that the opt-out has been technically implemented, not just contractually accepted.
What technical guarantees should be required?
Ask the supplier to demonstrate how the opt-out is enforced at the system level, not only in the contract. This may include:
- A tenant-level setting in your environment that excludes your data from training pipelines, visible to you and not silently changeable by the supplier
- Auditable logs that prove data segregation
- Independent attestation that the control exists and operates as described
What should be the maximum data retention period?
Indefinite data retention is an unnecessary risk. Every byte stored beyond what's necessary is a potential exposure in case of breach or misuse.
How to define proportional retention periods?
The clause should establish:
- Retention period during contract: only the time necessary for service provision
- Post-cancellation retention period: maximum 30–90 days for transition
- Certified deletion obligation: supplier must issue data destruction certificate
Special attention: backups and disaster-recovery copies must have clear purge deadlines. Many companies retain backups for years without any real operational need.
Why require deletion in all copies and backups?
Deleting the main instance is not enough. The clause should cover:
- Production, development, and test environments
- Backups and disaster recovery
- Logs containing personal data
- Caches and staging systems
Require a data destruction certificate signed by a legal representative of the supplier, specifying which systems were purged and when. Where immutable backups cannot be selectively edited, the clause should at least fix the rotation deadline after which the copy is purged, or require that the data be rendered unreadable by destroying its encryption keys.
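The practical difficulty behind "deletion in all copies and backups" is that a backup snapshot usually cannot be edited record by record. The standard engineering answer is crypto-shredding: encrypt each data subject's records under a key that belongs to that subject, keep keys only in a vault, and fulfil erasure by destroying the key, which makes every copy of the ciphertext (backups, replicas, caches) unrecoverable at once. The following is an added illustration written for this page, not code from the page or from any supplier; the `SubjectStore` and `KeyVault`-style names are hypothetical, the record is a constructed sample, and the cipher is a stdlib-only HMAC-SHA256 counter-mode construction with an encrypt-then-MAC tag chosen so the example runs offline. A production system would use a vetted AEAD (e.g. AES-GCM) and an HSM or cloud KMS for the keys.

```python
"""Crypto-shredding demo: per-subject keys make backup copies unrecoverable
once the key is destroyed. Added illustration using only the standard library;
a real deployment would use a vetted AEAD (AES-GCM) and an HSM/KMS-backed vault.
Class and function names here are hypothetical."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Sealed:
    """Ciphertext exactly as it would sit in a database row, log line or backup."""
    nonce: bytes
    ciphertext: bytes
    tag: bytes


def _subkey(master: bytes, label: bytes) -> bytes:
    # Derive independent encryption and MAC keys from the subject's master key.
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a PRF-based stream cipher (illustration only).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(master: bytes, plaintext: bytes) -> Sealed:
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(master, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    # Encrypt-then-MAC: the tag authenticates nonce and ciphertext together.
    tag = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    return Sealed(nonce, ct, tag)


def unseal(master: bytes, s: Sealed) -> bytes:
    expected = hmac.new(_subkey(master, b"mac"), s.nonce + s.ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, s.tag):
        raise ValueError("authentication failed: ciphertext or tag was altered")
    ks = _keystream(_subkey(master, b"enc"), s.nonce, len(s.ciphertext))
    return bytes(c ^ k for c, k in zip(s.ciphertext, ks))


class SubjectStore:
    """Live table plus point-in-time backup snapshots; keys live only in the vault."""

    def __init__(self) -> None:
        self.vault: dict[str, bytes] = {}          # subject_id -> master key (KMS/HSM in practice)
        self.primary: dict[str, Sealed] = {}       # live records, ciphertext only
        self.backups: list[dict[str, Sealed]] = [] # snapshots copy ciphertext, never keys

    def put(self, subject_id: str, data: bytes) -> None:
        key = self.vault.setdefault(subject_id, secrets.token_bytes(32))
        self.primary[subject_id] = seal(key, data)

    def snapshot(self) -> int:
        # A backup is an immutable copy of the live table; it returns its index.
        self.backups.append(dict(self.primary))
        return len(self.backups) - 1

    def _open(self, subject_id: str, table: dict[str, Sealed]) -> Optional[bytes]:
        sealed = table.get(subject_id)
        key = self.vault.get(subject_id)
        if sealed is None or key is None:
            return None  # no row, or key destroyed: the data is unrecoverable
        return unseal(key, sealed)

    def read(self, subject_id: str) -> Optional[bytes]:
        return self._open(subject_id, self.primary)

    def read_backup(self, subject_id: str, index: int) -> Optional[bytes]:
        return self._open(subject_id, self.backups[index])

    def erase(self, subject_id: str) -> bool:
        """Right to erasure: drop the live row and destroy the key. The backup bytes
        are untouched, yet every copy is now ciphertext without a key."""
        self.primary.pop(subject_id, None)
        return self.vault.pop(subject_id, None) is not None


if __name__ == "__main__":
    store = SubjectStore()
    store.put("subject-42", b"alice@example.com")  # constructed sample record
    snap = store.snapshot()
    store.erase("subject-42")
    print("backup row still present:", "subject-42" in store.backups[snap])
    print("backup readable after erasure:", store.read_backup("subject-42", snap))
```

The contractual corollary is what the destruction certificate should actually attest: either that every copy (production, test, backups, logs, caches) has been purged, or that the per-subject or per-tenant keys have been destroyed and no escrow copy of them survives. A certificate that only says "the account was deleted" covers neither.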
How to protect data in international transfers?
With global operations, it's common for data to transit through multiple countries. Each international transfer represents a compliance point that needs to be contractually covered.
What international transfer mechanisms should be in the contract?
Depending on the jurisdictions involved, you'll need:
- Standard Contractual Clauses (SCCs): the usual safeguard for transfers out of the EEA to countries without an adequacy decision, accompanied by a transfer impact assessment of the destination country's legal regime
- Binding Corporate Rules (BCRs): for transfers within multinational groups
- Data Processing Agreement (DPA) annex: listing all processing and storage locations
What should be included in data flow mapping?
Require a contractual annex with:
- Complete list of countries where data will be processed or stored
- Purpose of each transfer
- Specific security guarantees for each location
- Veto right: if the supplier adds new countries, you must be able to refuse without penalties
What incident notification SLA is acceptable?
The time between a security incident and its notification can be the difference between containing a problem and facing a complete regulatory crisis.
How quickly should the supplier notify about breaches?
Market standard is converging to:
- Initial notification: 24–48 hours after incident detection
- Preliminary report: 72 hours with estimated scope and impact
- Complete report: 7–14 days with root cause analysis and corrective measures
GDPR requires the controller to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, and requires the processor to notify the controller without undue delay. The EU AI Act adds a separate serious-incident reporting duty for providers of high-risk AI systems, with its own deadlines. Your supplier therefore needs to notify you well inside the 72-hour window so that you can meet your own obligation.
What should be included in incident notification?
The clause should specify that every notification contains:
- Nature of the incident (unauthorized access, breach, ransomware, etc.)
- Types of affected data and estimated volume
- Number of impacted data subjects
- Measures already taken for containment
- Detailed timeline of events
- Technical contact point for ongoing communication
How to structure the Data Processing Agreement (DPA)?
The DPA is the heart of privacy protection in any software contract. It defines roles, responsibilities, and data processing limits.
What elements cannot be missing from the DPA?
A robust DPA should include:
1. Clear role definition:
- Who is controller and who is processor
- Limits of each role
- Prohibition of processing outside documented instructions
2. Specific processing purposes:
- Exhaustive list of why data is processed
- Prohibition of secondary use without consent
3. Data and subject categories:
- Types of personal data involved (identification, financial, sensitive)
- Categories of people (employees, customers, partners)
4. Sub-processors:
- Complete list of subcontractors
- Veto right over new sub-processors
- Supplier remains fully liable to you for its sub-processors' failures (as GDPR Art. 28(4) already requires)
Why is the audit clause fundamental?
You need the right to verify if the supplier is complying with the DPA. The clause should allow:
- Scheduled annual audits (on-site or remote)
- Ad-hoc audits in case of suspected violation
- Access to SOC 2 Type II reports, ISO 27001 certificates and statements of applicability, and equivalent attestations
- Right to hire independent auditor at supplier's expense in case of violation
What data subject rights must the supplier support?
Under GDPR, data subjects have rights that you, as controller, must guarantee (the EU AI Act adds further transparency and explanation duties for certain AI systems). But if the supplier doesn't cooperate technically, you'll be in an impossible position.
How to ensure technical support for data subject rights?
The clause should establish that the supplier will provide:
For right of access:
- API or interface to extract data from a specific subject
- Response time: maximum 5 business days
- Format: machine-readable (JSON, CSV)
For right of erasure:
- Hard delete functionality (not just soft delete)
- Deletion confirmation in all systems
- Deadline: maximum 15 days
For right of portability:
- Export in structured and interoperable format
- Deadline: maximum 15 days
How much can the supplier charge for fulfilling data subject rights?
Ideally, nothing. Assisting the controller with data subject requests is already a processor obligation under GDPR Art. 28(3)(e). If there's a charge, it should be:
- Limited to direct and proven costs
- Exempt for reasonable volume of requests (e.g., up to 50/year)
- Pre-approved before any work
How to establish responsibilities in case of violation?
When something goes wrong, clarity about who pays what is essential to avoid prolonged disputes while regulators and customers wait for answers.
What should be included in the liability limitation clause?
Attention: many suppliers try to limit liability for privacy violations to the same financial caps as other damages. This is unacceptable.
The clause should establish:
- Unlimited liability for violations caused by supplier negligence or misconduct (where a supplier will not accept this, negotiate at minimum a separate, substantially higher cap for data protection breaches than for ordinary damages)
- Coverage of regulatory fines proportional to supplier's fault
- Notification, credit monitoring, and incident response costs
- Proven reputational damages and customer loss
Why require cyber-security insurance?
Suppliers should maintain cyber insurance policy covering:
- Minimum: EUR 5–10 million depending on data volume
- Coverage for privacy violations
- Your company as additional insured
- Proof of annual policy renewal
What technical security clauses are mandatory?
Beyond legal clauses, specific technical controls must be contractually guaranteed.
What security controls should be specified?
Encryption:
- Data in transit: TLS 1.2 minimum, TLS 1.3 preferred, with legacy protocol versions and weak cipher suites disabled
- Data at rest: AES-256 or equivalent
- Customer-managed keys (held outside the supplier's environment) where the service supports it
Access controls:
- Mandatory multi-factor authentication
- Principle of least privilege
- Access logs retained for minimum 1 year
- No supplier staff access to your data without a documented, time-bound justification (ticket) that is logged and reviewable
Security testing:
- Annual third-party pentests
- Continuous vulnerability scanning
- Bug bounty program (ideal)
- Sharing of results (at least executive summaries and remediation status)
How to create a practical negotiation checklist?
To facilitate your negotiations, use this checklist during contract review:
☐ AI training opt-out clause
- Explicit prohibition of use for training
- Opt-out without costs or penalties
- Technical implementation confirmation
☐ Data retention
- Defined period during validity
- Maximum post-cancellation period (30–90 days)
- Mandatory destruction certificate
- Backup and disaster recovery coverage
☐ International transfer
- List of processing countries
- SCCs or BCRs attached
- Veto right over new countries
- Data flow mapping
☐ Notification SLA
- Initial notification: 24–48h
- Preliminary report: 72h
- Complete report: 7–14 days
- Minimum content specified
☐ Complete DPA
- Clearly defined roles
- Specific processing purposes
- Sub-processor list with veto right
- Audit clause
☐ Data subject rights
- Technical support for access, erasure, portability
- Defined deadlines (5–15 days)
- No costs or limited costs
☐ Liability and insurance
- Unlimited liability for violations
- Cyber insurance with adequate amounts
- Company as additional beneficiary
☐ Technical controls
- Specified encryption (TLS 1.2 minimum, AES-256)
- Mandatory MFA
- Annual pentests
- Access logs
What is each area's role in negotiating these clauses?
Effective negotiation of privacy clauses requires collaboration between multiple areas:
Legal:
- Contractual structure and binding language
- Interpretation of regulatory requirements
- Risk and responsibility allocation
Privacy/DPO:
- Technical compliance requirements
- Processing risk assessment
- International transfer approval
Information Security:
- Necessary technical controls
- Supplier security capability validation
- Incident response requirements
Procurement:
- Commercial negotiation and SLAs
- Supplier relationship management
- Contractual compliance tracking
Technology/Engineering:
- Technical feasibility of clauses
- Data integration and architecture
- Validation of promised technical capabilities
Why do these clauses protect your company long-term?
Investing time in negotiating these clauses isn't bureaucracy — it's strategic risk management. Companies that neglect privacy in contracts face:
- Regulatory fines: up to EUR 20 million or 4% of worldwide annual turnover under GDPR, whichever is higher, and up to EUR 35 million or 7% of turnover for the most serious infringements under the EU AI Act
- Incident response costs: average of €1.5 million per breach in Europe
- Customer loss: 65% of consumers stop buying after data violation
- Reputational damage: years to recover market trust
On the other hand, well-structured contracts:
- Create clear accountability between parties
- Facilitate audits and compliance demonstration
- Reduce incident response time
- Protect against improper use of corporate data
Trust This developed the AITS (AI Trust Score), a methodology with 20 criteria to evaluate privacy practices of software suppliers. Among these criteria, contractual clauses represent a critical dimension to ensure commercial promises translate into real data protection.
The question isn't whether you can afford to negotiate these clauses. The question is: can you afford not to negotiate them?
Start today by reviewing your main software contracts. Use this checklist as a base and adapt according to each supplier's risk profile. And remember: every clause you secure today is a problem you avoid tomorrow.