SaaS Agreements – Data Protection – New obligations for SaaS Customers

From the 25th of May 2018 the EU General Data Protection Regulation (GDPR) will come into force and change UK data protection law. The GDPR will place further, more onerous obligations on SaaS customers (data controllers) in relation to all data processing. SaaS customers need to amend the terms of their existing SaaS agreements and privacy policies, and implement the changes in their internal policies and procedures, in order to comply with the upcoming changes in UK data protection law.

Data Subject Rights

Data subjects will have more extensive rights to access, rectify and object to the storage and processing of their personal data. New rights to delete, restrict processing, rights in relation to profiling and the right to data portability will be introduced. SaaS customers will also be required to provide a lot more information to data subjects about processing activities than in the past, i.e. in their privacy policies.


Data subjects will be able to take direct action against SaaS customers and claim damages resulting from breaches by SaaS customers of their obligations under the GDPR.

In addition, data protection authorities will be able to fine SaaS customers up to 4% of annual global turnover for some breaches.

Preparing for the Changes

SaaS customers should review the terms of their existing SaaS agreements and privacy policies to ensure that they comply with the new rules before the GDPR comes into force.

SaaS customers should ensure that existing and future agreements with any subcontractors (data processors) impose the same data processing obligations on further subcontractors (sub-processors), as the SaaS customer could be liable to the data subject for any breaches of the new rules caused by any subcontractors.

SaaS customers should ensure their insurance cover and the terms of their SaaS agreement with all SaaS suppliers include indemnities and limitations on liability relating to personal data that are sufficient to cover the higher level of fines and claims made directly by data subjects.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years' experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:
