SaaS Agreements – Data Protection – Does your DPA and Sub-Processor List need updating?

Meta were fined 1.2 billion Euros for breaches of EU data protection law and for transferring personal data of EU users to the US despite, using standard contractual clauses, (SCCs), having in place supplemental measures and carrying out data transfer impact assessments, (DTIAs). Google has also been pursued in various EU member states for similar breaches.

In light of these decisions, SaaS suppliers should review their own data protection practices and documentation to ensure that they are up to date and comply with the current rules.

Use of the correct SCCs


Since the 27th of December 2022 the new EU SCCs must be used for all transfers of EU personal data to a third country. Any SaaS agreements that still include the old EU SCCs must be updated to include the new EU SCCs.


All SaaS agreements concluded on or before the 21st of September 2022 must use the new UK SCCs.

SaaS suppliers and SaaS customers can only continue to use the old EU SCCs in existing SaaS agreements until the 21st of March 2024 provided that the processing operations that are the subject matter of the agreement remain unchanged.

Supplemental Measures

In addition to using the correct, and up to date SCCs, SaaS suppliers must carry out due diligence on any sub-processors they plan to use to process personal data, where the sub-processors rely upon SCCs to transfer personal data outside of the EEA. Details of the supplemental measures used must be included in the sub-processor list.

The only supplemental measures that are compliant with the European Data Protection Board, (EDPB) guidelines are:

  • Encryption of data at rest and in transit; and
  • Storage of encryption keys within the EEA.

Data Impact Transfer Assessments

Following the Schrems II decision, the court made clear that SaaS suppliers and SaaS customers must carry out and document data transfer impact assessments when using SCCs as a transfer mechanism for restricted transfers.

SaaS suppliers should check their Article 30 GDPR data mapping document to identify which sub-processors rely upon SCCs, then they must;

  • Carry out a Schrems II data transfer impact assessment, for each transfer from the EU;
  • Carry out an ICO data transfer assessment for each transfer from the UK, (DTA) using the ICO tool or using an EU DTIA.


When reviewing compliance with the above rules SaaS suppliers and SaaS customers should not just check their SaaS agreements with customers. They will also need to review existing group data transfer agreements and existing agreements and DPAs with all third parties, i.e. suppliers, resellers, partners and sub-contractors.


Irene Bodle is an IT lawyer specialising in SaaS agreements, GDPR and cloud computing with over 15 years experience in the IT sector. If you require assistance with any SaaS or cloud computing contracts, GDPR or any other IT legal issues please contact me:

To register for my newsletter click here