Archive for July, 2013

SaaS Agreements – FAQs – Data Controller

It is important for a SaaS supplier to understand the legal obligations imposed upon a data controller when negotiating a SaaS agreement, because the duties of a data controller differ from those of a data processor. In a SaaS relationship the supplier processes the SaaS customer's personal data on the customer's behalf, so in respect of that data the supplier is the data processor and the SaaS customer is the data controller. (The supplier remains a data controller in its own right for personal data it collects for its own purposes, for example its customers' account and billing contact details.) Below is a summary of the obligations of a data controller.

Data Protection Act 1998

A definition of data controller is set out in the Data Protection Act 1998 (“Act”). The Act applies to all processing of personal data relating to a living individual, for example names, email addresses, dates of birth and national insurance numbers. The data controller is the person who determines the purposes for which, and the manner in which, personal data is collected and processed.

The Act sets out the following eight data protection principles with which a data controller must comply.

Personal data must be:

  • fairly and lawfully processed;
  • processed for limited purposes;
  • adequate, relevant and not excessive;
  • accurate and kept up to date;
  • kept for no longer than necessary;
  • processed in accordance with the data subject’s rights;
  • protected against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures; and
  • transferred outside of the EEA only if there is adequate protection in the receiving country.

Liability for Personal Data

A SaaS customer, as data controller, is liable to the ICO and to its clients/end users (whose personal data it is collecting and processing) for any breach of the above eight principles. Since the SaaS supplier carries out the processing on the customer's behalf, the SaaS agreement should contain adequate clauses protecting both the SaaS supplier and the SaaS customer against data protection breaches, reflecting the different responsibilities of the data controller and the data processor. In particular, the Act requires the controller to have a written contract under which the processor acts only on the controller's instructions and maintains security measures equivalent to those the seventh principle imposes on the controller; the SaaS agreement is where that contract lives.

Registration under the Data Protection Act

The Act requires every data controller who processes personal data to notify (register with) the Information Commissioner's Office (ICO), unless an exemption applies. A SaaS customer will normally have to register as a data controller, as it collects and/or processes personal data. Processing personal data without having registered, where registration is required, is a criminal offence.

There is an annual registration fee, which depends upon the size and turnover of the SaaS customer. The fee is currently £35 unless the SaaS customer:

  • has a turnover of £25.9M or more and 250 or more members of staff; or
  • is a public authority with 250 or more members of staff,

in which case the annual fee is currently £500.

Subject Access Request

Data subjects (the clients/end users of the SaaS customer) have the right to make a subject access request to:

  • find out what personal data is being held about them; and
  • obtain a copy of the information held.

The information must be provided within strict time limits (under the Act, within 40 days of receiving the request and any fee) and at minimal cost to the data subject (the fee is capped at £10 in most cases). The request is made to the data controller (the SaaS customer), who is obliged to respond. However, it is often the SaaS supplier that actually holds the information on its servers and has to retrieve it. The SaaS agreement therefore needs to cover how, within what time and in what form the supplier will release such information, and to whom, so that the customer can meet the statutory deadline.


When considering SaaS customer requests to change clauses relating to liability, indemnities, data and data protection in a SaaS agreement, it is essential that a SaaS supplier understands the statutory obligations of the data controller and the data processor and the implications of changing any of those terms.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:

To register for my newsletter click here




SaaS Agreements – IPR – Software Patents

The issue of software patents has recently been highlighted by a proposal to change German patent and copyright law. The proposal recommends that computer software should not be patentable, arguing that copyright law alone is sufficient to protect a software developer's rights. In light of the German proposal, below is a brief summary of patent and copyright law as it applies to SaaS software in the UK, Germany and non-EU countries.


A patent protects a new invention and covers how things work, what they do, how they do it, what they are made of and how they are made. It gives the owner the right to prevent others from making, using, importing or selling the invention without permission. Generally, SaaS software cannot be patented in the UK, but there are limited exceptions, which are set out below in more detail.

Software Patents in the UK

Despite the general presumption that SaaS software cannot be patented in the UK, it is possible to patent some computer-implemented inventions. The Patents Act 1977 excludes a program for a computer “as such” from patentability, so the question is whether the invention makes a technical contribution beyond simply running a program on a computer. Software uses technology (computers), but often for purposes that are not themselves technical. For example, if computer software provided improved control of a car braking system, it would be likely to be patentable in the UK, but if it merely provided an improved accounting system (a business method), it would probably not be patentable in the UK.

Patents outside the UK

The law on what is patentable across Europe is broadly the same as in the UK, because national patent laws follow the European Patent Convention (EPC), which likewise excludes computer programs “as such”. However, individual countries (and the European Patent Office) interpret the EPC differently, so the rules actually applied vary from country to country. For example, in Germany only software that substitutes for a mechanical or electro-magnetic component is regarded as patentable. Outside Europe, in the US and Japan, software patents can be obtained with far fewer restrictions.

Copyright v Patent Law

Copyright alone does not adequately protect computer software because it does not protect the functionality of the software. Copyright protects the expression of ideas in the code, NOT the ideas themselves (nor, as the Court of Justice of the EU confirmed in SAS Institute v World Programming in 2012, the functionality, programming language or data file formats of a program). For example, if a third party wrote its own software from scratch that performed exactly the same function as your SaaS software, without copying your code, it would not infringe your copyright, because there is no ‘copying’ of your SaaS software. (If it instead took and substantially modified your code, that would be an infringing adaptation.)

The main objection to the use of patents to protect SaaS software, particularly in the open source software community and among companies that use and contribute to open source, is that patents impede or prohibit the distribution of free software, as licence fees become payable for use of the patented techniques. Opponents argue that this hinders technological progress and allows monopolies and powerful companies to exclude others from developing computer software; a commonly cited example is Amazon's “one-click” ordering, which is patented in the US but was refused by the European Patent Office.





SaaS Agreements – Data Protection – Prism and US Laws

SaaS suppliers should be aware of the relevant US laws when outsourcing SaaS services (data storage and hosting) to US companies or to companies located in the USA. SaaS customers are becoming increasingly concerned about outsourcing to the USA following media reports about “Prism”, namely that the National Security Agency (NSA) accesses personal data stored on the servers of Microsoft, Apple, Google, Yahoo, Facebook and a few other major US companies. Below is a summary of the most relevant US laws of which SaaS suppliers should be aware.

FISA

If you outsource any SaaS services to a US company, the US government can access SaaS customer data pursuant to the Foreign Intelligence Surveillance Act (FISA), as amended by the FISA Amendments Act 2008 (section 702).

FISA allows the US government to acquire and monitor the communications and stored data of non-US persons located outside the USA that are held by US electronic communication service providers, including public cloud providers (e.g. Amazon or Google). A provider served with a directive must secretly provide all assistance, facilities and information required to give effect to it. The provider is not permitted to inform the SaaS supplier that it has disclosed, or been asked to disclose, personal data, nor that the data is being monitored.

The Patriot Act

If you are a SaaS supplier owned by a US parent company, or you outsource any SaaS services to a US-located data centre or a US-based company, US law enforcement authorities can access SaaS customer data pursuant to the USA PATRIOT Act.

The Patriot Act gives US law enforcement authorities the right to compel production of personal data held by SaaS suppliers that are subject to US jurisdiction, regardless of where in the world the data is stored. The Act also allows US law enforcement authorities to prohibit SaaS suppliers from informing their customers that personal data has been handed over. It applies not just to SaaS suppliers owned by a US company but also to any SaaS supplier using the services of a US company or US subsidiary for data processing, e.g. a US data centre.

HIPAA

If you are a SaaS supplier providing SaaS services to a US customer that is a health care provider, you (as a “business associate” of that provider) and your sub-contractors must comply with the security and privacy obligations of the Health Insurance Portability and Accountability Act 1996 (“HIPAA”).

HIPAA applies to any SaaS supplier that creates, receives, maintains or transmits protected health information (“PHI”) on behalf of a health care provider, regardless of whether the SaaS supplier actually views the data. HIPAA applies even if the SaaS supplier is not located in the USA. Any sub-contractor a SaaS supplier uses, e.g. a data centre, will also need to comply with HIPAA.

SaaS suppliers must include the privacy and security obligations set out in HIPAA in their SaaS agreements (business associate agreements) with US health care provider customers, and must flow the same obligations down to their own sub-contractors. Since the HIPAA Omnibus Rule of 2013, SaaS suppliers are directly liable for breaches of the HIPAA security and privacy rules, which includes failing to cooperate with investigations by the US Department of Health and Human Services (HHS). Liability does not depend on intent: penalties apply even where the supplier did not know of the breach, with higher tiers for wilful neglect. The penalties for breach are severe; a SaaS supplier can be fined up to 1.5 million US dollars per calendar year for violations of the same HIPAA provision.


Under the provisions of the US Patriot Act and FISA, the personal data of SaaS customers based in the EU can be compelled to be shared with US authorities without the customer being informed, even though this conflicts with English and EU data protection law (in particular the eighth principle, which restricts transfers outside the EEA). Under HIPAA, SaaS suppliers must comply with the detailed privacy and security provisions of a US law applicable to the health care industry or face severe fines.

It is therefore important that SaaS suppliers make sure they know the extent of any US laws to which they will be subject when they:

  • contract with US SaaS customers;
  • outsource SaaS services to companies linked to or based in the USA; or
  • have a parent company based in the USA.

SaaS suppliers should have procedures and measures in place to deal with any applicable US laws, for example a documented process for handling government requests for data and a record of which sub-contractors and data centre locations are used for each customer. These procedures need to be set out clearly in the terms of the SaaS agreement with the customer, bearing in mind that compliance with US laws may be mandatory and may override contractual promises of confidentiality.



