SaaS Agreements – Data Protection – New Obligations for SaaS Suppliers

From the 25th of May 2018 the EU General Data Protection Regulation (GDPR) will come into force and change existing UK data protection laws. The GDPR will place direct obligations on SaaS suppliers (data processors) in relation to data processing activities. In addition SaaS customers (data controllers) and their clients (data subjects) will be able to enforce breaches of the new rules directly against SaaS suppliers. SaaS suppliers need to amend the terms of their existing SaaS agreements in order to comply with the upcoming changes in data protection law.

Written Data Processing Terms

SaaS suppliers will need to include the following minimum terms in a written data processing agreement with all SaaS customers:

  • The duration, nature and purpose of the data processing;
  • The types of data being processed;
  • The obligations and rights of the SaaS customer.

The written data processing terms must state that:

  • Personal data will only processed in accordance with documented instructions from the SaaS customer;
  • The SaaS supplier will assist the SaaS customer in complying with its own obligations as a data controller;
  • The SaaS supplier is obliged to inform the SaaS customer if it believes an instruction to give personal data to the SaaS customer breaches the GDPR or any other EU or Member State law.

Record Keeping

Unless one of the exceptions applies, the main one being that the SaaS supplier has less than 250 employees, SaaS suppliers must keep records of all categories of processing activities that they carry out.

The following details must be recorded:

  • Information about the SaaS customer and any other data processors;
  • Names of relevant data protection officers (DPOs);
  • The categories of data processing carried out;
  • Any transfers to third countries; and
  • The general technical and organisational security measures used by the SaaS supplier.

If requested by a supervisory authority, SaaS suppliers must provide such records.


SaaS suppliers will need to obtain prior written consent to the subcontracting of any data processing activities. Although SaaS suppliers can include a general consent to subcontracting in their SaaS agreement, SaaS suppliers will still be obliged to inform SaaS customers before adding or replacing any sub-processors in order to give SaaS customers time to object to a change.

Breach Notification

SaaS suppliers will be required to notify SaaS customers of any breach of their obligations, without undue delay, after becoming aware of the breach.

Data Protection Officers

SaaS suppliers will be obliged to appoint a data protection officer (DPO) in some specific circumstances: for example where the SaaS supplier is processing special data (sensitive data) or if required to do so under a Member State law.

The contact details of any DPO appointed must be published and communicated to the applicable supervisory authority.

Deletion or Return of Data

SaaS suppliers must allow SaaS customers to choose between deletion or return of all personal data on termination or expiry of the SaaS agreement (unless applicable mandatory law requires storage). SaaS customers will be entitled to check compliance with this requirement.

Transfers outside the EEA

Although SaaS suppliers are required to follow a SaaS customer’s instructions with regard to data processing, SaaS suppliers may only transfer personal data outside of the EEA if the SaaS supplier or SaaS customer has provided appropriate safeguards. For example by the use of EU model clauses or Binding Corporate Rules (BCRs).

Fines and Compensation

Data subjects will be able to take action against SaaS suppliers directly and claim damages for the SaaS supplier’s breach of:

  • Any obligations under the GDPR; or
  • Any lawful instructions from the SaaS customer.

SaaS suppliers will be potentially liable to both the SaaS customer and data subjects for the same breach.

In addition data protection authorities will be able to fine SaaS suppliers up to 4% of annual global turnover for some breaches.

Preparing for Changes

SaaS suppliers need to review the terms of their existing SaaS agreements and their internal procedures to ensure that they comply with the new rules on the use of subcontractors, data security requirements, appointment of DPOs and having in place appropriate organisational and technical measures.

SaaS suppliers should ensure that existing and future agreements with their sub-processors impose the same data processing obligations on all subcontractors, as the SaaS supplier will be liable to the SaaS customer and data subjects for any breaches of the new rules caused by any subcontractors.

SaaS suppliers should ensure that their insurance cover and SaaS agreement indemnities and limitations on liability relating to use or personal data are sufficient to cover the higher levels of fines and direct claims for damages by data subjects.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:

To register for my newsletter click here


Other related articles: