SaaS Agreements – Data Protection – New Proposed EU Rules – Part 1

On the 25th of January 2012 the European Commission published a proposal for a new Data Protection Regulation to replace the existing EU Data Protection Directive. The proposal sets out a general data protection framework aimed at unifying the current differing data protection rules in the EU. I have summarised the major changes this will make to EU data protection law, and how they will affect SaaS suppliers and customers, in two articles, part 1 of which is set out below.

Data Protection Authority

Currently each EU country has its own data protection agency which enforces that country’s law. Processing of personal data by businesses established in more than one EU country will in the future be monitored by one single data processing authority (DPA) – the “lead authority”. Generally the lead authority will be the DPA of the country where the business has its main establishment.

The main establishment of a business will be determined according to objective criteria, such as where the central administration of a business is located, i.e. the headquarters where management decisions are usually made. However, individuals located in other EU countries will still be able to refer privacy complaints to their local supervisory DPA.

One EU-wide Data Protection Law

If the Regulation is adopted, there will be one EU data protection law that SaaS suppliers will need to comply with. The new rules will apply throughout the EU and SaaS suppliers established in more than one EU country will no longer need to cope with the national rules of each relevant EU country. In the long term this means that current local data protection provisions – mainly exemptions that have been introduced by EU countries for national reasons – would disappear.

Non-EU Companies

The new data protection rules will also apply to non-EU based businesses that offer goods or services to customers based in the EU (or that monitor their behaviour). For example, a US company with a subsidiary in the EU will be required to comply with the new EU data protection law as well as its own local US laws.

There are exceptions where the data controller (SaaS customer) is established in a country outside the EEA that ensures an adequate level of protection (for example a business registered under the Safe Harbor scheme in the USA), or if the data controller acts for a small or medium sized business or public authority.

Penalties for Breaches 

A breach of the new data protection rules could result in a fine of up to €1 million or 2% of the global annual turnover of a company. Fines will be imposed by the DPA. Currently the maximum fine in the UK for a breach of data protection law is £500,000.


Serious data protection breaches must be notified to both the DPA and data subjects, although it is not clear whether the lead authority or the company itself will be obliged to inform the public of data protection breaches.

Notification should be without undue delay and, where feasible, within 24 hours. Companies will need to have adequate procedures in place to deal with these new requirements and it may be worth considering purchasing cyber risk insurance.

When will the Rules Change

The draft Regulation must be approved by all EU countries and the European Parliament before it comes into effect, possibly in about 3 years' time. The rules will introduce significant and onerous new obligations upon SaaS suppliers and customers, who will need to implement time-consuming measures to ensure compliance and avoid the risk of substantial fines.

Preparing for Change

Although the proposals could be substantially amended before they are approved, it is advisable that SaaS suppliers and customers start to prepare for the proposed changes, for example by devising a documentation system for recording data processing activities, reviewing how consent is obtained from data subjects and revising all data processing agreements.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years' experience in the IT sector.
