If you are negotiating sales of SaaS solutions with German customers, you may be surprised by their insistence on having a separate written data processing agreement in addition to your SaaS agreement. This is a mandatory requirement under German data protection law (the BDSG), which imposes onerous obligations on both the SaaS customer and the SaaS supplier, far beyond those found in most other EU data protection laws.
Obligations under the BDSG
Under German data protection law, in addition to many provisions which are similar to those existing under English law, the data processor (SaaS supplier) is also obliged to:
- keep all personal data secret;
- take necessary technical and organisational measures (as set out in the BDSG section 9 and its Annex) to protect data;
- permit automated retrieval processes;
- appoint a data protection officer who monitors data processing;
- have a written agreement with the data controller setting out the scope of the personal data being processed and the way in which, and the purpose for which, personal data is collected, used and processed. The agreement must also specifically address the issues listed in section 11(2) of the BDSG and identify the necessary technical and organisational measures referred to in the Annex to section 9 of the BDSG;
- permit the SaaS customer to use independent and approved experts to carry out data protection and security audits.
Written Agreement with the Data Processor
There must be a written data processing agreement in place between the SaaS supplier and the SaaS customer. This must set out the technical and organisational measures used by the SaaS supplier for the processing of personal data as generically listed in the Annex to section 9 of the BDSG.
No details or guidelines are provided in the BDSG on what specific information should be included. This will depend on the type of personal data a SaaS supplier stores and the current state of the art at the time you enter into the SaaS agreement with the SaaS customer.
In addition the data processing agreement must specifically include the following:
- the subject and duration of the processing;
- the extent, type and purpose of the intended collection, processing or use of personal data;
- the type of personal data and category of data subjects;
- the right to rectify, erase and block personal data;
- any right to sub-contract;
- the right of the SaaS customer to appoint independent third parties to audit compliance with data protection laws, including the right to publish the results of any audits;
- the obligation of the SaaS supplier to notify breaches of data protection law; and
- the return of personal data and deletion.
Appointment of a Data Protection Officer
A SaaS supplier must appoint a data protection officer if it:
- collects, processes or uses personal data in the course of business for the purpose of transfer or for the purpose of transfer in an anonymised form; or
- processes sensitive personal data (e.g., information on a person’s racial and ethnic origin, political opinions, religious or philosophical convictions, union membership, health or sex life), or automatically processes personal data that is intended to appraise the data subject’s personality.
The appointment of a data protection officer must be made in writing. The data protection officer must monitor the proper use of the data processing programmes and familiarise the persons dealing with data processing with the relevant data protection provisions. The data protection officer is also responsible for providing information on stored data and dealing with data protection complaints.
Secrecy and Confidentiality
The SaaS supplier and its employees involved in collecting, processing or using personal data must give confidentiality undertakings to the SaaS customer that oblige them to keep data secret in the same way as the SaaS customer is obliged to the data subjects, both during the customer contract and after it terminates.
As this law is specific to German SaaS customers, SaaS suppliers do not need to amend their SaaS terms generally but should instead create a separate data processing agreement specifically for use with German customers.
The advantages of having a separate document are that:
- this document can be updated as and when the BDSG is changed or amended; and
- the agreement will be in the form “expected” by German customers.
This will encourage the SaaS customer to sign your data processing agreement rather than giving you their own more onerous version full of extra non-mandatory clauses, such as indemnities and unlimited liabilities.
Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years’ experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me: