SaaS, ASP Agreements – FAQs – Data Protection

Data protection issues must be adequately covered in any SaaS agreement to protect both the supplier and the customer.

Data Protection Act 1998

The Act applies to the processing of personal data, for example name/email addresses, dates of birth, national insurance number of any living individual. In a SaaS agreement, the customer will always be the data controller, as the customer is collecting data from its clients and deciding and controlling the purposes for which the data will be processed.

Supplier – Duties as Data Processor

The supplier is obliged to process data in accordance with the customer’s instructions and to take appropriate technical and organisational measures to protect the data. These duties must be included in the SaaS agreement, either in the data protection clauses or in a separate data processing agreement. The supplier should protect itself against liability to the customer for breaches of the data Protection Act which  arise due to the supplier  simply processing  data in accordance with the customer’s instructions.

Customer – Duties as Data Controller

The Customer must register as a data controller under the Data Protection Act if it collects personal data. Failure to register is a criminal offence.

The customer must also comply with the following 8 data protection principles:
Data must be,

  • fairly and lawfully processed;
  • processed for limited purposes;
  • adequate, relevant and not excessive;
  • kept for no longer than necessary;
  • processed in accordance with the data subject’s rights;
  • secure; and
  • transferred outside of the EEA only if there is adequate protection in that country.

The customer will be liable to its clients whose data it collects and processes (data subjects) for any breaches of the above principles. As the supplier will be carrying out the processing on behalf of the customer, the customer must ensure that adequate clauses are contained in the SaaS agreement to protect itself against data protection breaches, caused by the supplier.

Subject Access Request

Data subjects have the right to make a subject access request to find out what personal information is being held on them and to obtain a copy of this. This information must be provided within strict time limits and at a minimal cost to the data subject. The request is made to the data controller (the customer) as they are obliged to respond. However it may well be the supplier who needs to actually provide the information. The SaaS agreement needs to cover how and when such information will be released and to whom.

Data Transfers Outside of the EEA

If data is to be transferred outside of the EEA the specific consent of the data subject concerned must be obtained before the transfer takes place OR the transfer is permitted if the non-EEA country to which the data is being transferred has equivalent data protection legislation.

The European Economic Area means the 27 EU member states plus Norway, Iceland and Liechtenstein. Currently only Andorra, Argentina, Canada, the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey and Switzerland are recognised as countries having adequate protection. In addition companies registered under the Safe Harbor regime in the USA are also recognised.

Consent from data subjects can be obtained by the customer including relevant information in its privacy policy and ensuring that its clients actively consent to transfers of their data outside of the EEA when they register to use the customer’s products or services.

Any transfer of data to any other country or without the data subject’s consent will be illegal.


For assistance with data protection issues, SaaS, ASP, software on demand contracts or any other IT legal issues contact me at:

To register for my newsletter click here



Other related articles:


Bodle Law
Assign a menu in the Left Menu options.