Software and database law is now one of the pillars of intellectual property law applied to the digital economy. Whether it's protecting the source code of an application developed in-house, securing the operation of a customer database, or negotiating a SaaS license agreement, the legal challenges are considerable — and mistakes are often costly.

For a manager or a corporate executive, understanding the protection mechanisms offered by French and European law is not a theoretical luxury: it is an operational necessity. Unprotected software can be copied with impunity. A poorly managed database may be subject to uncontrolled extraction by a competitor. A poorly written license agreement can deprive you of your rights to your own work tool.
This guide is intended to offer you a complete, structured and concrete overview of software law and database law, from the foundations of legal protection to contractual and litigation aspects, including issues related to the GDPR and counterfeiting.
The Intellectual Property Code (CPI) does not give a formal definition of software. It was the French Terminology Commission, in work published in the Official Journal on 17 January 1982, that provided the first details. Software is described as a set of programs, processes, and rules — as well as associated documentation — relating to the operation of a data processing system.
In practice, software includes several legally distinct components:
The source code, i.e. instructions written in a computer language understandable to humans (Python, Java, C++, etc.). It is the core of the developer's intellectual creation.
The object code, obtained by compiling the source code, which makes it machine readable. French doctrine and courts consider the object code to be a simple translation of the source code into magnetically coded language, and as such protect it in the same way.
The user documentation, that is, the manuals, guides and instructions that accompany the program. It can benefit from copyright protection as long as it is detailed enough to reflect the intellectual contribution of developers.
The preparatory design materials, which include the preparatory work leading to the development of the program — functional models, technical architecture, organization charts — provided that they are such as to enable the implementation of the program at a later stage.
Finally, the graphical interfaces (screen pages, icons, visual layout) may be subject to independent protection by common copyright law, if they constitute an intellectual creation specific to their author.
Concrete example: a company has an inventory management application developed. The source code written by the developers, the user manual, the initial mockups validated by the project manager, and the graphical interface of the application are all potentially protectable elements — but each according to a legal regime that may differ.
A fundamental principle of copyright applies here with particular force: ideas are free. This means that a feature, no matter how innovative, cannot be protected as such by copyright. Only the original form in which this idea materializes is capable of protection.
The algorithm, as a calculation method or logical process, is not protected by either common copyright law or by special software law — unless it is formalized in the form of a sufficiently detailed flowchart. However, it may, at the margin, benefit from patent law protection when it is integrated into a patentable invention.
Concrete example: two publishers each offer automatic invoicing software. The fact that both programs offer the same functionality (automatically generating invoices from purchase orders) does not pose any legal problem. On the other hand, if one has taken over the source code, architecture or graphical interface of the other, there is potential counterfeiting.
In France, it is copyright, not the patent, that was chosen to protect software. This choice, enshrined in European Directive 91/250/EEC of 14 May 1991 (replaced by Directive 2009/24/EC), then transposed into French law by the law of 10 May 1994, is explained by both economic and technical reasons.
From an economic point of view, the legislator feared that American publishers would flood the French market with patent applications, thus blocking national research. From the point of view of legal technique, it would have been very difficult to assess the “state of the prior art” in the field of software, an indispensable condition for claiming patentability. Finally, the drafting of technical claims, necessary to delineate the scope of patent protection, would have proved to be extremely complex in the context of software.
That is why Article L. 611-10 of the CPI expressly provides for the exclusion of the patentability of software “as such”. Article L. 112-2, 13° of the CPI, for its part, includes software, including preparatory design materials, in the list of intellectual works protected by copyright.
However, it should be noted that software can be protected by a patent when it is an integral part of a technical invention to which it makes an inventive contribution. We then speak of “invention implemented by computer”. This is the case, for example, of software integrated into a medical device that improves the accuracy of a diagnosis.
Like any intellectual work, software must be original to benefit from copyright protection. However, the concept of originality has been interpreted in a flexible manner to adapt to the technical nature of the software.
It is not a question of looking for an “artistic expression” or a “subjective imprint” as for a literary or musical work. The originality of the software lies in an intellectual effort of the author's own, a personalized approach to the structuring of the code, the choice of algorithms, the architecture of the program and the sequence of instructions.
It was the decision of the Plenary Assembly of the Court of Cassation of 7 March 1986, known as “Pachot”, which established this principle by recognizing that software is protectable by copyright in the same way as a literary work, as long as it reflects the intellectual contribution of its author.
Concrete example: a freelance developer creates a CRM tool with an original architecture, unique code structuring choices and an innovative organization of modules. This software is original and protected from the moment it was created, without formality. On the other hand, a very basic script that simply assembles standard functions without any personal input will have more difficulty claiming originality.
The protection of software by copyright gives its author two main categories of rights, in addition to a right specific to software:
1. Economic (patrimonial) rights
These are the rights to economic exploitation of the software. The author has the exclusive right to perform and authorize (article L. 122-6 of the CPI):
— The permanent or temporary reproduction of the software, in whole or in part, by any means and in any form. This includes loading, displaying, running, transmitting, or storing the program.
— The translation, adaptation, arrangement, or other modification of the software, as well as the reproduction of the software resulting from these operations.
— The placing on the market for a fee or free of charge, including the rental of the copy or copies of software.
These economic rights are transferable and may be the subject of license agreements.
2. Moral rights
Contrary to the common law regime applicable to literary and artistic works, the moral right of the author of software is significantly reduced. Article L. 121-7 of the CPI limits the moral right of the author of software to the sole right of authorship (the right to put his name on the work) and to the right to oppose any modification prejudicial to his honor or reputation. The right to disclose and the right to withdraw and repent do not apply.
3. The right to backup and decompile
The law provides exceptions to the author's monopoly, specific to the software:
— The legitimate user can make a backup copy when it is necessary to preserve the use of the software (article L. 122-6-1 of the CPI).
— Decompilation (reconstruction of the source code from the object code) is authorized under very strict conditions: it must be essential to obtain the information necessary for the interoperability of the software with other programs, and the information obtained cannot be used for other purposes or communicated to third parties (article L. 122-6-1, IV of the CPI).
Concrete example: a company buys a software license and wants to connect this software to its internal ERP. If interoperability information is not otherwise accessible, decompilation is legally permitted for this specific purpose. On the other hand, decompiling competing software to reproduce its functionalities would constitute counterfeiting.
The software is protected throughout the life of the author and 70 years after his death, in accordance with common copyright law (article L. 123-1 of the CPI). For software created by legal entities, the term is 70 years from the date of publication.
This is one of the most important — and often the least known — particularities of software law. Unlike the ordinary copyright regime, where the natural person author is in principle the owner of the rights to his creation, software is the subject of a derogating regime provided for in article L. 113-9 of the CPI:
“Unless otherwise provided by law or stipulations to the contrary, the economic rights in software and its documentation created by one or more employees in the exercise of their duties or on the instructions of their employer are vested in the employer who is the only one authorized to exercise them.”
This text provides for an automatic devolution of economic rights to the employer, without the need to include a transfer clause in the employment contract. For this devolution to take place, three cumulative conditions must be met:
— It must be a software work (source code, object code, associated documentation).
— The software must have been created by one or more employees.
— The software must have been developed in the exercise of the employee's duties or according to the employer's instructions.
Concrete example: A developer employed by an ESN (digital services company) creates, during his working time and with the tools provided by the company, planning management software. The economic rights to this software are automatically vested in the employer. On the other hand, if this same developer creates a video game at home, outside of his working hours and without any instructions from his employer, it belongs to him.
Ordinance No. 2021-1658 of December 15, 2021 expanded the field of automatic devolution by creating a new Article L. 113-9-1 of the CPI. This extends the devolution mechanism to non-employed persons welcomed under an agreement by a legal entity carrying out research (interns, foreign doctoral students, emeritus professors, etc.), provided that these persons receive compensation and are placed under the authority of a manager of the structure.
However, corporate officers, non-employee founders and independent service providers are not, prima facie, covered by this reform. For these cases, it remains essential to provide contractually for an assignment of intellectual property rights in accordance with the requirements of Article L. 131-3 of the CPI.
Point of vigilance for the manager: if you have software developed by an external service provider (freelancer, agency), the rights are not automatically transferred to you. It is imperative to include a clause for the transfer of intellectual property rights in the service contract, with a precise description of the rights transferred, the media, the duration and the territory.
Article L. 112-3 of the CPI defines the database as “a collection of works, data, or other independent items, arranged in a systematic or methodical manner, and individually accessible by electronic means or by any other means”.
This definition is deliberately broad. It covers classical computer databases (a CRM, a customer file, a product database) as well as more traditional collections (a directory, a catalog, a compilation of legal texts), as long as they meet the criteria of systematic layout and individual accessibility.
French law, transposing European Directive 96/9/EC of 11 March 1996, has set up dual protection for databases:
— Protection by copyright, which focuses on the original structure of the base.
— Protection by sui generis producer right, which focuses on the content of the database due to the investment made.
These two protections are independent and cumulative: they are exercised without prejudice to each other.
The database may be protected by copyright when, by the choice or arrangement of materials, it constitutes an intellectual creation specific to its author (article L. 112-3 of the CPI).
It is therefore the originality of the architecture (the classification scheme, the selection criteria, the layout of the data) that is protected, not the data itself.
Concrete example: a publisher of tourist guides creates a database of restaurants classified according to an original rating system combining gastronomic criteria, atmosphere and value for money, with new categories. This original architecture may be protected by copyright. On the other hand, a simple alphabetical compilation of restaurants without any creative input will not be.
This is where the major specificity of database protection lies. The sui generis right (literally, “of its own kind”) ensures the protection not of the form, but of the investment made for the establishment, verification or presentation of the contents of the database.
Article L. 341-1 of the CPI states that:
“The producer of a database, understood as the person who takes the initiative and the risk of the corresponding investments, benefits from protection of the content of the database when the constitution, verification or presentation of the database attests to a substantial financial, material or human investment.”
The key terms are as follows:
The producer is the person (natural or, more often, legal) who takes the initiative and the risk of the investment. He is not necessarily the intellectual author of the database: he is the one who finances, organizes and bears the economic risk of its creation.
Substantial investment can be financial (budget devoted to data collection and processing), material (servers, technical infrastructures) or human (teams mobilized for verification and updating). This investment should focus on building, verifying, or presenting content — not creating the data itself.
Concrete example: a company invests 200,000 euros and mobilizes a team of five people for two years to collect, verify and structure a database of contacts in the real estate sector. It is the producer of this database and benefits from sui generis right. On the other hand, if a company automatically generates data as part of its own business (sensor readings, billing data), the investment in “creating” the data will not be taken into account.
The producer of a database benefits from the right to prohibit (article L. 342-1 of the CPI):
— Extraction, by permanent or temporary transfer, of all or a qualitatively or quantitatively substantial part of the content of the database to another medium, by any means and in any form.
— Reuse, by making available to the public all or a qualitatively or quantitatively substantial part of the content of the database, regardless of its form.
Repeated and systematic extraction or reuse of non-substantial parts of the content is also prohibited when these operations exceed the conditions of normal use of the database.
Concrete example: a competitor uses scraping software to vacuum product sheets from your e-commerce site on a daily basis. Even if each extraction taken in isolation covers only a limited part of the database, the systematic repetition of these operations constitutes an infringement of the producer's right.
The producer's right applies for a period of 15 years from the completion of the making of the database or its availability to the public (article L. 342-5 of the CPI). However, each substantial new investment in updating, verifying or presenting the database triggers an additional period of 15 years. In practice, this allows almost perpetual protection as long as the producer continues to invest in his database.
When software or a database processes personal data, the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) applies. Business leaders should pay particular attention to three fundamental principles:
Any processing of personal data via software or a database must be based on a legal basis (consent, contract execution, legitimate interest, legal obligation, etc.). Data subjects must be informed in a clear and understandable manner about how their data is used.
Concrete example: commercial management software that records the contact details of prospects must be accompanied by an accessible privacy policy and a mechanism for collecting consent if the data is used for commercial prospecting purposes by electronic means.
The data collected and processed by the software must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Only data that is strictly useful should be collected.
Concrete example: online appointment scheduling software does not need to collect the user's social security number or family situation. If these fields appear in the database without justification, the company is liable to a sanction from the CNIL.
The data controller must implement appropriate technical and organizational measures to guarantee a level of security adapted to the risk: encryption, pseudonymization, access control, backups, etc.
This principle has a direct impact on the design of software and databases: this is the concept of privacy by design (data protection by design), enshrined in Article 25 of the GDPR.
Concrete example: A SaaS publisher who develops payroll software must integrate, from the design phase, appropriate security measures (encryption of payslips, restricted access to sensitive data, logging of accesses), and not add them afterwards.
When software is operated in SaaS mode (Software as a Service), the publisher is generally qualified as a processor within the meaning of the GDPR, while the customer is the data controller. The contract must contain a Data Processing Agreement (DPA) in accordance with Article 28 of the GDPR, specifying in particular:
— The object and duration of the processing, the nature and purpose of the data processed.
— The obligations of the processor in terms of security, confidentiality and notification of breaches.
— The conditions for sub-processing.
— The procedures for returning and deleting data at the end of the contract (reversibility clause).
A license agreement is the most common legal mechanism for the commercial exploitation of software. It is fundamentally different from the transfer contract: the software remains the property of its author (or of the publisher), but the latter grants its use to the user, generally against the payment of a fee or a price.
The essential terms of a software license agreement include:
— The scope of the license: precise identification of the software (version, modules), number of authorized users, territory of use.
— The terms of use: what is allowed (installation, backup copy) and what is forbidden (modification, reverse engineering, sublicense, transfer to third parties).
— The duration: fixed (with or without renewal) or indefinite.
— The prices and terms of payment: flat fee, proportional fee, price per user.
— Maintenance and updates: obligations of the publisher in terms of technical support, corrective and evolutionary maintenance.
— Intellectual property: reminder of the publisher's rights, anti-counterfeiting clause, guarantee of peaceful enjoyment.
— The limitations of liability and termination.
Example of license clause:
“The Licensor grants the Licensee a non-exclusive and non-transferable right to use the X Software, in its version 3.0, for a maximum of 25 user computers, on the territory of metropolitan France, for a renewable period of 24 months. The Licensee shall not reproduce, modify, adapt, translate, decompile, or reverse engineer the Software, except as expressly authorized by law.”
Unlike the license, an assignment involves a definitive transfer of economic rights to the software. Article L. 131-3 of the CPI requires that the transfer be formalized in writing and that it separately mentions each of the rights transferred, their extent, their destination, and the place and duration of the transfer.
Assignments often take place in the context of tailor-made development contracts, takeovers of technological startups or business transfers.
Point of vigilance: in accordance with article L. 131-4 of the CPI, the remuneration of the author of the software can be evaluated at a flat rate — which constitutes an exception to the principle of proportionate remuneration applicable to other works.
The SaaS contract does not transfer ownership or even a copy of the software: it grants a right of access to an IT service hosted in the cloud, usually in the form of a subscription. This model raises specific legal issues:
— The availability of the service: a service level agreement (SLA) must guarantee an availability rate (generally 99.9%) and provide for penalties in the event of a breach.
— Reversibility: the SREN law of May 21, 2024 now imposes stronger obligations on cloud service providers in terms of data portability and reversibility, in order to limit the technological dependence of customers.
— Security and data protection: the contract must include a DPA in accordance with the GDPR and specific commitments in terms of computer security.
— Data location: the issue of data transfer outside the European Union is particularly sensitive, especially when the SaaS provider uses servers located in the United States.
For software, any unauthorized reproduction, modification, translation, adaptation or marketing of the program is an infringement. Article L. 335-3 of the CPI provides that “the violation of the rights of the author of software defined in article L. 122-6 is an offense of counterfeiting”.
Counterfeiting can take various forms: illegal copying of software, use of more licenses than authorized, decompiling for unauthorized purposes, marketing of pirated copies, or even copying the source code into competing software.
For databases, the infringement of the producer's rights is constituted by the unauthorized extraction or reuse of all or a substantial part of the content of the database.
The sanctions are heavy and should encourage any leader to be extremely vigilant:
In civil matters, the counterfeiter may be sentenced to:
— The payment of damages intended to compensate for the harm suffered, evaluated in particular according to the profits made by the counterfeiter and the victim's loss of earnings.
— The forfeiture of the counterfeit software and of the equipment used for counterfeiting.
— The publication of the judgment in professional journals.
— A prohibition on continuing the infringing acts, where applicable subject to a penalty payment.
The rights holder may also use the infringement seizure procedure (saisie-contrefaçon, articles L. 332-1 and L. 343-1 of the CPI), which allows a bailiff, assisted by an expert, to ascertain the existence of infringing acts, even before the proceedings are brought on the merits. This procedure is a very effective evidentiary tool.
Concrete example: a company discovers that a former subcontractor is marketing software that substantially uses its source code. It can urgently obtain an order authorizing a bailiff to go to the counterfeiter's premises to ascertain the reuse of the code, before initiating an action for infringement on the merits.
Open source software is not royalty-free software. It remains subject to copyright and distributed under a specific license which defines the terms of use, modification, and redistribution of the code.
It is essential to distinguish the main families of licenses:
Permissive licenses (MIT, Apache 2.0, BSD) offer a great deal of freedom, including the freedom to integrate code into proprietary projects. The main obligation is generally limited to the mention of the original author and the license.
Copyleft licenses (GPL, AGPL, LGPL) impose stronger constraints: any modification or distribution of the code must be done under the same license. In other words, software that incorporates GPL-licensed code must itself be distributed under the GPL — including its own source code. This is sometimes called the “contaminating” effect of copyleft.
Concrete example: A startup integrates a library under the GPL into its proprietary application without checking the license conditions. If it then distributes its application, it is required to make all of its source code public — which can compromise its business model. Failure to comply with these conditions constitutes counterfeiting.
In 2025, managing compliance with open source licenses became a strategic issue for businesses, reinforced by the evolution of the European regulatory framework (in particular the Cyber Resilience Act). Businesses need to put in place processes for the identification and traceability of all open source components integrated into their products or services, and ensure compliance with the obligations imposed by each license.
Although copyright protects software from its creation without formality, it is strongly recommended to establish proof of the date of creation and of the content of the work. Several options exist:
— A deposit with the Program Protection Agency (APP), a reference organization in France, which issues a time-stamped certificate of deposit.
— A deposit with the INPI via a Soleau envelope (or e-Soleau).
— Recourse to a bailiff, or a report drawn up by a Commissioner of Justice.
— The use of blockchain solutions to timestamp the source code in a tamper-proof manner.
Whether it is an employment contract, a service contract, a license or a SaaS contract, some clauses are essential:
— Intellectual property clause: clear identification of the rights holder, transfer or license conditions, beyond specific developments.
— Confidentiality clause: protection of source code, technical data and know-how.
— Non-competition clause: prohibition for the service provider to develop competing software based on the knowledge acquired.
— Eviction guarantee clause: commitment of the transferor or licensee that he is the owner of the rights he is transferring and that the software does not infringe the rights of third parties.
— Reversibility clause: particularly critical in SaaS contracts, it guarantees the return of data at the end of the contract in a usable format.
Technical protection measures (or DRM, for Digital Rights Management) are technical devices intended to prevent unauthorized use of the software or the database (illicit copies, automated extraction, etc.). Their circumvention is criminally sanctioned by article L. 335-3-1 of the CPI.
For databases, an additional protection technique consists in inserting “trick” data (false email addresses, deliberate grammatical errors) which will make it easier to demonstrate illicit extraction in the event of litigation.
Software and database law is a highly technical and regulated subject, at the crossroads of intellectual property law, contract law, digital law and the protection of personal data. The applicable texts are numerous (Intellectual Property Code, European directives, GDPR, SREN law, etc.), their coordination is complex, and the consequences of an error can be considerable — both financially (criminal sanctions of up to 300,000 euros, or even 750,000 euros in cases of organized crime) and at the strategic level (loss of rights to an essential intangible asset).
Whether the aim is to protect software developed in-house, negotiate a license or SaaS contract, secure a customer database, manage an infringement dispute or set up a GDPR compliance policy adapted to your digital tools, the advice of a specialized lawyer is essential to anticipate risks and secure your transactions.
Software is protected by copyright from its creation, provided it is original. Its author has economic rights (reproduction, modification, marketing) and a reduced moral right (right of authorship and right to oppose a harmful modification). The legitimate user benefits from a right to a backup copy and, under strict conditions, a right to decompile for interoperability. When the software is created by an employee in the exercise of his duties, the economic rights are automatically vested in the employer (article L. 113-9 of the CPI).
The three fundamental principles of the GDPR to remember for the management of software and databases are: the principle of lawfulness, fairness and transparency (all processing must be based on a legal basis and individuals must be informed); the principle of minimization (only collect data that is strictly necessary); and the principle of security and confidentiality (implement appropriate technical and organizational measures). The concept of privacy by design requires these principles to be integrated from the moment the software is designed.
There are three types of rights: economic rights (economic exploitation: reproduction, modification, distribution), moral rights (reduced for software to the right of authorship and the right to oppose harmful modifications) and the legal rights of the user (backup copy and decompilation for interoperability). In addition, for databases, there is the copyright on the original structure and the sui generis right of the producer on the content.
Database law refers to the set of legal rules protecting databases. In French law, it is based on dual protection: copyright protects the original structure of the base (the choice and arrangement of materials), while the sui generis producer right protects the content of the database when its constitution, verification or presentation attests to a substantial investment. These two protections are independent and cumulative.
The database producer — that is, the person who takes the initiative and the risk of the investment — benefits from a sui generis right which allows it to prohibit the unauthorized extraction and reuse of all or a substantial part of the content of the database. This right lasts 15 years, renewable with each substantial new investment. Violation of this right is punishable by 3 years of imprisonment and a fine of 300,000 euros (article L. 343-4 of the CPI).
Software and database law is a complex subject, at the crossroads of intellectual property, contract law, digital law and the GDPR. A specialized lawyer assists you with the protection of your intangible assets (deposits, compliance audits), the drafting and negotiation of contracts (licenses, SaaS, transfers), dispute management (counterfeiting, illicit extraction) and regulatory compliance. Their involvement makes it possible to anticipate risks and to secure your operations at each stage.
Article written by Guillaume Leclerc, business lawyer in Paris, 34 Avenue des Champs-Elysées