SaaS Agreements – Data Protection – General Data Protection Regulation (GDPR)

The General Data Protection Regulation (“GDPR”) will replace the existing EU Data Protection Directive and harmonise European data protection law from the 25th of May 2018. In the UK the GDPR will replace the Data Protection Act 1998 from the 25th of May 2018. This will have a significant effect on both SaaS suppliers and SaaS customers who will need to comply with the terms of the GDPR.


SaaS suppliers and SaaS customers should be aware that the GDPR will not fully harmonise data protection law throughout Europe, as each EU country may introduce its own requirements in certain instances. However, SaaS suppliers and SaaS customers will need to start making organisational changes to their data processing activities now in order to comply with the new rules on consent, audit rights, data exports, increased administrative requirements and the new obligations of data processors.

Below is a summary of the main provisions of the GDPR that SaaS suppliers and customers need to be aware of.

New Data Processor Obligations

The GDPR applies to data controllers (SaaS customers) and data processors (SaaS suppliers). In particular, SaaS suppliers should be aware that parts of the GDPR apply directly to data processors, who will be subject to compliance obligations and sanctions for non-compliance.


SaaS suppliers and SaaS customers relying on consent to process personal data will need to show that the consent is:

  • freely given;
  • specific and informed; and
  • an “unambiguous indication” of a data subject’s wishes, expressed either by a statement or by a clear affirmative action (e.g. ticking a consent box when visiting a website).

Consent must be purpose-limited, i.e. related to explicitly specified purposes.

The default age for giving valid consent and using online services is 16; however, each EU country will be able to reduce this to 13.


The maximum penalty for a breach of the GDPR will be substantially higher than under current legislation. Fines can be imposed on SaaS suppliers or SaaS customers. Fines of up to 4% of annual global turnover or up to 20m Euros (whichever is higher) can be applied.

Applicable to Non-EU Entities

The GDPR will apply not just to EU SaaS customers and suppliers but also to non-EU SaaS customers and suppliers who:

  • offer goods or services to data subjects in the EU; or
  • monitor the behaviour of EU citizens to the extent that the behaviour takes place in the EU.

Enforcement – One Stop Shop

SaaS suppliers and SaaS customers will be regulated by a single regulator in the place of their main establishment, which shall be their main administrative location in the EU. Data subjects will be able to make complaints to regulators in their own EU country.

Data Protection Officer

An independent data protection officer (“DPO”) must be appointed where an organisation’s core business involves processing personal data involving regular and systematic monitoring of data subjects or large amounts of sensitive personal data. Each EU country may enact national provisions imposing further requirements regarding the appointment of DPOs. This will be particularly relevant in Germany where this is already a legal requirement.


There is no requirement for a SaaS supplier or SaaS customer to notify local data protection authorities of any data processing activities but there is a requirement to keep records of data processing activities (subject to limited exceptions).

Breach Reporting

SaaS customers and SaaS suppliers must report breaches to the relevant local regulator without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Data subjects must be informed of breaches without undue delay where the breach is likely to result in a high risk to the data subject’s rights and freedoms unless:

  • the data has been rendered unintelligible to any third party (for example by encryption);
  • the data controller has taken steps to ensure the high risk is unlikely to materialise; or
  • it would involve disproportionate effort to inform data subjects individually, in which case a public announcement can be made.

Data processors (SaaS suppliers) are required to inform data controllers (SaaS customers) of any breach without undue delay.

Impact Assessments

SaaS customers will be required to carry out data protection impact assessments (“DPIAs”) if their proposed activities are likely to result in a high risk for the rights and freedoms of individuals, in particular, through the use of new technologies and in cases of profiling.

Data Subject Rights

The following rights shall be granted to data subjects:

  • data portability;
  • the right to be forgotten;
  • the right to prevent profiling;
  • the right to object to processing;
  • the right to rectification and erasure; and
  • subject access requests (“SARs”).

SARs must be responded to by the data controller (SaaS customer) without undue delay and, at the latest, within one month of receipt of the request. The data controller only has the right to charge a reasonable fee to cover administrative costs where the requests are “manifestly unfounded or excessive”.

Preparing for Change

Although the GDPR will not come into force until the 25th of May 2018, it is essential that SaaS customers and SaaS suppliers start to prepare for the changes now. For example, they should appoint a data protection officer (where appropriate), devise a documentation system for recording data processing activities, review how consent is obtained from data subjects, add written data processing agreements to existing and future SaaS agreements with relevant customers, and amend existing privacy policies to comply with the GDPR rules.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years’ experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues, contact me:
