Overview
IT law and technology law are critical for businesses in the digital age. Whether you’re a tech company developing software, a business implementing IT systems, or an organization handling data privacy compliance, specialized legal guidance protects your innovations and ensures regulatory compliance.
At Law & More, we advise tech companies, startups, and businesses on all aspects of IT law, cybersecurity, and digital compliance. Located in the Brainport Eindhoven tech ecosystem, we work extensively with software companies, SaaS providers, hardware manufacturers, and digital innovators. Our IT lawyers combine technical understanding with legal expertise to protect your business in the digital landscape.
Need Expert Advice?
Our IT law specialists are ready to help. Get personalized legal guidance today.
What We Do
Software licensing and SaaS agreements
GDPR compliance and data protection
Privacy policies and data processing agreements
IT contracts and vendor agreements
Cybersecurity and data breach response
Intellectual property and source code protection
Cloud computing agreements
E-commerce and online platform regulation
AI and emerging technology law
Technology disputes and liability
Why Choose Law & More
Deep expertise in tech industry and digital business models
Located in Brainport Eindhoven tech ecosystem
Practical understanding of software development and IT operations
Experience with startups, scale-ups, and enterprise clients
Multilingual service for international tech companies
Frequently Asked Questions
Common questions about IT law answered by our experts
What does GDPR require from our organization?
The General Data Protection Regulation (GDPR) applies to organizations established in the EU and to organizations elsewhere that offer goods or services to people in the EU or monitor their behaviour. Key requirements include: a lawful basis for processing (consent, contract, legitimate interest, etc.), transparency through clear privacy policies, data minimization (collect only what is necessary), purpose limitation (use data only for the stated purposes), storage limitation (do not keep data longer than needed), and security measures appropriate to the risk.
Practical compliance steps: maintain a record of processing activities documenting what data you collect and why, build privacy by design into your systems, put data processing agreements in place with vendors, make data subject rights workable in practice (access, correction, deletion, portability), conduct Data Protection Impact Assessments for high-risk processing, and have a tested breach notification procedure. A Data Protection Officer is mandatory for public authorities and for organizations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special categories of data. Non-compliance risks fines of up to €20 million or 4% of global annual turnover, whichever is higher. We help organizations achieve and maintain GDPR compliance efficiently.
What should a software license or SaaS agreement cover?
A comprehensive software license agreement should define: the scope of the license (which software or modules, number of users, permitted use cases), the license type (perpetual vs. subscription, exclusive vs. non-exclusive), intellectual property rights (who owns what, including improvements and customizations), restrictions on use (no competing products, geographic limits, and a no-reverse-engineering clause, bearing in mind that EU software copyright law lets a lawful user decompile for interoperability and observe and test the program, so a contract term that tries to remove those rights is void), support and maintenance obligations, warranties and liability limitations, and termination conditions.
For SaaS agreements, also address: service levels (uptime guarantees, response times, and the credits or exit rights that follow if they are missed), data ownership and portability (format and timing of export), security measures (what the vendor commits to, how the customer can verify it, and how quickly the vendor must report a security incident), updates and new features, scalability, and exit procedures. Licensing models vary: per-user, per-device, consumption-based, or flat-fee. Enterprise agreements need additional provisions for integration, customization, escrow arrangements (access to the source code if the vendor fails), and compliance with the customer's policies. Well-drafted license agreements prevent disputes and protect both parties' interests.
How should we respond to a data breach?
Data breach response requires immediate action following a structured protocol. First 24 hours: contain the breach (isolate affected systems and stop the data loss, but preserve logs and disk images before rebuilding anything, since you will need them for the root-cause analysis and possibly for legal proceedings), assess the scope (what data was accessed, how many people are affected, what type of data), document everything with timestamps, and assemble your response team (IT, legal, communications). Under GDPR, you must notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. If a processor is involved (for example a SaaS or hosting provider), it must inform you without undue delay, so check the notification deadline in your data processing agreement. Every breach, including those you decide not to report, must be recorded internally; the authority can ask to see that record.
Next steps: notify affected individuals without undue delay if the breach is likely to result in a high risk to them, implement remediation measures, complete the root-cause investigation, strengthen security, and keep the preserved evidence for potential legal proceedings. Communication is critical: prepare clear statements for customers, employees, regulators, and potentially the media. Failure to report properly can result in significant fines on top of reputational damage. Having a pre-prepared and rehearsed incident response plan drastically improves outcomes. We help organizations prepare response plans and guide them through actual breach situations to ensure compliance and minimize liability.
Who owns custom-developed software?
By default under Dutch law, the developer retains copyright in custom-developed software even when a client paid for it. The client receives only a license to use the software, not ownership. This often surprises clients who assume they own what they paid for. To transfer ownership, the rights must be assigned in a signed written instrument (akte) that explicitly states that all intellectual property rights transfer to the client ("all rights, title and interest"); under Dutch copyright law the transfer covers only the rights named in that document or that necessarily follow from its nature and purpose, so vague wording transfers less than the parties intend.
Hybrid models are common: the client gets full rights to the custom code while the developer retains rights to reusable components and libraries, or the client gets an exclusive license while the developer keeps formal ownership. Employment creates different rules: an employer automatically owns the copyright in work an employee creates within the scope of their duties, but contractors do not automatically transfer their rights. Source code access is negotiable: clients often want the source code deposited in escrow so they can access it if the developer ceases operations. Clear IP provisions in development agreements prevent expensive disputes. We recommend addressing ownership explicitly before development begins.
How do IT contracts limit liability, and what cannot be limited?
IT contracts commonly limit vendor liability through caps, exclusions, and disclaimers. Under Dutch law, liability limitations are generally enforceable between businesses (B2B) but face strict scrutiny in consumer contracts (B2C). Common limitations include: capping total liability at the fees paid (e.g., 12 months of subscription fees), excluding indirect damages (lost profits, business interruption), treating data loss as an indirect damage, excluding liability for third-party components, and limiting the period in which claims can be brought. Customers should look closely at "data loss" in the exclusion list: restoration, investigation and notification costs are usually the largest real cost of a security incident, so that single item can remove most of the recovery.
However, liability cannot be excluded for intent or gross negligence (opzet of grove schuld) of the vendor itself or its management, for death or personal injury, for breaches of mandatory law, or, in consumer contracts, for defects the vendor knew about. Disclaimer language must be clear, specific, and prominent; generic "no warranties" boilerplate is often struck down, particularly against consumers. For enterprise contracts, negotiate tiered liability: uncapped liability or a separate higher cap for security breaches, data protection breaches and IP infringement, a higher cap for direct damages, and a standard cap for other claims. Insurance requirements (cyber and professional liability cover, with proof of coverage) provide additional protection. We help both vendors and customers negotiate balanced liability provisions that protect their interests while remaining enforceable.
How do we protect our source code and technical know-how?
Source code and technical know-how are protected through a combination of copyright, trade secret law, and contractual measures. Copyright automatically protects the expression of code (but not the underlying ideas, algorithms, or functionality). Trade secret protection requires proving that the information is not generally known or readily accessible, has commercial value because it is secret, and that you took reasonable steps to keep it secret.
Practical protection measures: implement strict access controls (need-to-know basis, private repositories, multi-factor authentication, no shared accounts), use confidentiality agreements with employees and contractors, include non-compete and non-solicitation clauses for key technical staff where the law allows, mark materials as confidential, keep trade secrets segregated from other information, conduct exit interviews and on departure revoke every credential the person held (accounts, SSH keys, API tokens, deploy keys) and rotate any shared secrets they knew, and keep audit logs of who accessed and exported what. For outsourced development, use strong NDAs and make sure the contract contains an IP assignment clause. Consider code escrow for critical vendor relationships. Document your security measures: the "reasonable steps" requirement means that the better your protection is, and the better it is recorded, the stronger your trade secret rights. We help companies establish comprehensive IP protection programs tailored to their technology and business model.
What does the EU AI Act mean for our business?
The EU AI Act entered into force in August 2024, and its obligations apply in stages between 2025 and 2027. It creates a risk-based regulatory framework for AI systems in four risk levels: unacceptable risk (banned, e.g., social scoring and, subject to narrow law-enforcement exceptions, real-time remote biometric identification in publicly accessible spaces), high risk (strict requirements, e.g., safety components of critical infrastructure, employment and recruitment tools, credit scoring, law enforcement uses), limited risk (transparency obligations, e.g., chatbots must disclose that the user is interacting with AI, and AI-generated deepfakes must be labelled), and minimal risk (no specific requirements, e.g., AI-enabled games or spam filters).
High-risk AI systems must comply with strict requirements: a risk management system, high-quality and well-governed training data, technical documentation, automatic record-keeping (logging), transparency towards deployers, human oversight, accuracy and robustness, and cybersecurity, which under the Act explicitly includes resilience against data poisoning, model poisoning and adversarial inputs designed to make the model misbehave. Providers must conduct a conformity assessment and register the system in the EU database before placing it on the market. General-purpose AI models (such as large language models) face additional documentation, transparency and copyright-policy obligations, with further evaluation and incident-reporting duties for models posing systemic risk. Fines for prohibited practices go up to €35 million or 7% of global annual turnover, whichever is higher; most other violations carry lower maximums. Most business AI tools currently fall under limited or minimal risk, but classification depends on how a system is used, so the same model can be high risk in one deployment and minimal risk in another. We help companies assess their AI systems' risk classification and implement the necessary compliance measures.
Are electronic signatures legally valid?
Electronic signatures are legally valid in the Netherlands under the eIDAS regulation, which recognizes three types: simple electronic signatures (any electronic method of indicating approval, e.g., typing your name or clicking "I agree"), advanced electronic signatures (uniquely linked to the signatory, capable of identifying them, created with signature data under the signatory's sole control, and linked to the signed data so that any later change is detectable), and qualified electronic signatures (advanced signatures based on a qualified certificate and created with a qualified signature creation device, which are legally equivalent to handwritten signatures across the EU).
For most commercial contracts, simple electronic signatures suffice (DocuSign, Adobe Sign, even an email confirmation). Advanced signatures provide stronger evidence and are required for certain regulated transactions. Qualified signatures are mandatory for specific legal acts such as notarial deeds or certain government filings. A signature cannot be denied legal effect solely because it is electronic, but its evidentiary weight depends on what you can prove: intent to sign, identity verification appropriate to the transaction, a secure audit trail, and tamper-evident technology. In practice that means keeping the signing platform's completion certificate and audit log together with the signed document, and, for qualified signatures, checking that the certificate comes from a provider on the EU Trusted List. Some documents still require wet signatures or notarization (real estate transfers, certain corporate resolutions). eIDAS-compliant signature services are widely accepted across the EU. We advise on the appropriate signature level for different transaction types and help implement compliant signature workflows.
Key Legal Terms
Important terminology explained in plain language
GDPR (General Data Protection Regulation)
EU-wide regulation governing personal data processing, applicable since 25 May 2018. It applies to organizations established in the EU and to organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour, regardless of where the processing takes place. Key principles: lawful basis for processing, purpose limitation, data minimization, accuracy, storage limitation, security (integrity and confidentiality), and accountability. It requires transparency (privacy policies), workable data subject rights (access, rectification, erasure, portability), Data Protection Impact Assessments for high-risk processing, and a Data Protection Officer in certain cases. Personal data breaches must be reported to the supervisory authority within 72 hours of the organization becoming aware of them, unless the breach is unlikely to result in a risk to individuals. Fines can reach €20 million or 4% of global annual turnover, whichever is higher. Enforced by national Data Protection Authorities; in the Netherlands, the Autoriteit Persoonsgegevens.
SaaS Agreement (Software as a Service)
Cloud-based software delivery model where customers access applications over the internet on a subscription basis rather than purchasing and installing software locally. SaaS agreements must address: service levels (uptime guarantees, support response times), data ownership and portability (the customer retains ownership and can export its data in a usable format), security measures and certifications (what the vendor commits to, which audit reports or certifications it will share, and how fast it reports incidents), functionality and updates, scalability, integration capabilities, termination and transition assistance, and the pricing model. Critical differences from traditional licenses: the customer does not own the software, the vendor controls the infrastructure and updates, the data resides with the vendor (and often with its sub-processors, which matters for GDPR and data location), and the relationship is ongoing rather than one-time. Common issues: service interruptions, data breaches, vendor lock-in, and compliance with the customer's security requirements. Well-structured SaaS agreements balance the vendor's need for operational flexibility with the customer's need for reliability and data protection.
Data Processing Agreement (DPA)
Contract required under GDPR (Article 28) between a data controller and a data processor, governing how personal data will be processed. When you hire a vendor to process data on your behalf (e.g., cloud storage, email marketing, payroll services), you are the controller and they are the processor. The DPA must specify: the subject matter and duration of the processing, its nature and purpose, the types of personal data and categories of data subjects, the controller's rights and obligations, and the processor's obligations. Processors must: act only on the controller's documented instructions, implement appropriate security, use only approved sub-processors bound by equivalent terms, assist with data subject requests and breach notifications, delete or return the data when the services end, and demonstrate compliance (including by allowing audits). Two points deserve attention in negotiation: GDPR only requires the processor to report a breach to the controller "without undue delay", so controllers should write in a fixed number of hours that leaves room for their own 72-hour notification to the authority; and sub-processor changes should require advance notice and a right to object. Without a proper DPA, both parties risk GDPR violations. Standard processor terms often favour the vendor; controllers should negotiate protections aligned with their risk profile and regulatory obligations.
Source Code Escrow
Arrangement where a software vendor deposits source code with a neutral third party (escrow agent), which releases it to the customer if specified trigger events occur (vendor bankruptcy, failure to maintain the software, breach of contract). Protects customers who depend on proprietary software from being stranded if the vendor can no longer support the product. The escrow agreement defines: what materials are deposited (source code, third-party dependencies, build instructions, deployment configuration, documentation), deposit frequency (each major release, or on a fixed schedule), verification procedures (can an independent party build a working release from the deposit alone, rather than merely confirming that files are present?), and release conditions. Common in enterprise software deals, especially for mission-critical systems. Costs typically €2,000-€10,000 annually. Vendors resist escrow as it adds administrative burden and potentially exposes IP, but it is often necessary to close enterprise deals. Not a complete solution: even with the source code, customers may lack the expertise to maintain complex software, and for SaaS the code is of little use without the hosting environment and the data. Alternatives include mandatory support terms and operational guarantees.
AI Act (EU Artificial Intelligence Act)
Comprehensive EU regulation for artificial intelligence systems, in force since August 2024 with obligations applying in stages between 2025 and 2027. Creates a risk-based framework: prohibited AI (social scoring, and, with narrow law-enforcement exceptions, real-time remote biometric identification in publicly accessible spaces), high-risk AI (employment tools, credit scoring, safety components of critical infrastructure; requires conformity assessment, registration in the EU database, and post-market monitoring), limited-risk AI (chatbots, deepfakes; transparency requirements only), and minimal-risk AI (most applications; no specific rules). High-risk systems must meet requirements for: data quality and governance, technical documentation, logging, transparency, human oversight, accuracy and robustness, cybersecurity (including resistance to data poisoning and adversarial inputs), and risk management. General-purpose AI models face additional obligations, with stricter ones for models posing systemic risk. Enforcement through national authorities, with fines of up to €35 million or 7% of global annual turnover for prohibited practices and lower maximums for other violations. Applies to providers placing AI systems on the EU market and to deployers of high-risk systems in the EU, including companies outside the EU whose systems' output is used in the EU. Significant compliance burden for developers, but provides legal certainty. International companies serving EU customers must comply.
eIDAS (Electronic Identification and Trust Services)
EU regulation (No 910/2014) establishing the legal framework for electronic identification, signatures, seals, timestamps, and other trust services across member states. Recognizes three signature levels: simple (any electronic indication of approval), advanced (uniquely linked to the signatory, identifies them, created using signature data under their sole control, and linked to the signed data so that any later change is detectable), and qualified (an advanced signature based on a qualified certificate and created with a qualified signature creation device, legally equivalent to a handwritten signature). Qualified trust service providers must meet strict security and audit requirements and are published on the EU Trusted List. A qualified signature from one EU country must be recognized in all others. For contracts, simple signatures generally suffice; qualified signatures are required only for specific legal acts. Enables paperless transactions while maintaining security and legal certainty. As a regulation, eIDAS applies directly in the Netherlands and does not need to be transposed into national law; article 3:15a of the Dutch Civil Code sets out the evidentiary status of electronic signatures by reference to it. Critical for the digital economy and remote business. Replaced the earlier E-Signatures Directive (1999/93/EC) with a more comprehensive framework.
Intellectual Property Assignment
Transfer of intellectual property rights from the creator to another party. In Dutch law, IP rights do not transfer automatically: employment is the exception, where the employer owns work an employee creates within the scope of their duties, but contractors retain their rights unless the contract explicitly assigns them. Copyright is transferred by a signed written instrument (akte), and only the rights named in it, or those that necessarily follow from its nature and purpose, pass to the acquirer, so the wording must be clear and comprehensive: "assigns all right, title and interest in and to [defined work product], including all copyrights, patents, trademarks, trade secrets, and related rights." Assignments can be immediate or conditional on payment. Moral rights (attribution, integrity) cannot be transferred in the Netherlands, though the creator can waive some of them. Important to specify: what is being assigned (specific code, all work product, future improvements?), scope (worldwide? specific fields of use?), and consideration (payment, equity, other value exchange). Without a proper assignment, companies may not own what they think they paid for. Essential in software development, content creation, and any commissioned creative work.
Have Questions About IT Law?
Our experienced lawyers are ready to help. Schedule a consultation to discuss your specific situation.