SaaS, ASP Agreements – FAQs – Data Protection

Data protection issues must be adequately covered in any SaaS agreement to protect both the SaaS supplier and the SaaS customer.

Data Protection Act 2018 and the GDPR

The Data Protection Act 2018 and the GDPR apply to the processing of personal data relating to any living individual, for example names, email addresses, dates of birth and National Insurance numbers. In a SaaS agreement, the SaaS customer will always be the data controller, as the SaaS customer is collecting data from its clients and deciding and controlling the purposes for which the data will be processed.

Supplier – Duties as Data Processor

The SaaS supplier is obliged to process personal data in accordance with the SaaS customer’s instructions and to take appropriate technical and organisational measures to protect the personal data. These duties must be included in the SaaS agreement, either in the data protection clauses or in a separate data processing agreement.

In addition, since the 25th of May 2018 the GDPR has obliged the data processor and the data controller to enter into a written data processing agreement containing the mandatory information set out in the GDPR.

Customer – Duties as Data Controller

The SaaS customer must register as a data controller under the Data Protection Act 2018 if it collects personal data. Failure to register is a criminal offence.

The SaaS customer must also comply with its duties set out in the GDPR, which should be included in a written data processing agreement, entered into with the SaaS supplier.

Subject Access Request

Data subjects have the right to make a subject access request to find out what personal information is being held on them and to obtain a copy of it. This information must be provided within strict time limits and at no cost to the data subject. The request is made to the data controller (the SaaS customer), as the controller is obliged to respond. However, it may well be the SaaS supplier who needs to actually provide the information. The SaaS agreement needs to cover how and when such information will be released and to whom.

Data Transfers Outside of the EEA

If data is to be transferred outside of the EEA, either the specific consent of the data subject concerned must be obtained before the transfer takes place, or the transfer is permitted because the non-EEA country to which the data is being transferred has equivalent, adequate data protection legislation.

The European Economic Area means the 28 EU member states plus Norway, Iceland and Liechtenstein. Currently only Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and Japan are recognised as countries having adequate protection. In addition, companies in the USA registered under the EU-US Privacy Shield are also recognised.

Consent from data subjects can be obtained by the SaaS customer including the relevant information in its privacy policy and ensuring that its clients actively consent to transfers of their data outside of the EEA when they register to use the SaaS customer’s products or services.

Any transfer of data to any other country, or without the data subject’s consent, will be illegal.


For assistance with data protection issues, SaaS, GDPR, ASP, software on demand contracts or any other IT legal issues contact me at: