SaaS Agreements – Data Protection – New Proposed EU Rules – Part 2

On the 25th of January 2012 the European Commission published a proposal for a new Data Protection Regulation to replace the existing EU Data Protection Directive. The proposal sets out a general data protection framework aimed at unifying the current differing data protection rules in the EU. Following on from my first article – part 1, I have summarised the remainder of the major changes this will make to EU data protection law below and how this will effect SaaS suppliers and customers.

Data Protection Officer

An independent data protection officer must be appointed by public authorities and businesses with 250 or more employees or businesses whose core activities involve processing operations which require regular and systematic monitoring. The data protection officer must maintain an internal register which the DPA has the right to inspect.

Data Controller                                                                                             

Stricter express duties will be imposed on data controllers. For example they must:

  • maintain documents regarding all processing;
  • implement specific data security requirements;
  • perform data processing impact assessments; and
  • obtain prior authorisation for certain processing activities.

Data Processor

The obligations and duties of data processors will be more specifically defined. For example they should:

  • only employ staff who have given confidentiality undertakings or commitments;
  • obtain the permission of the data controller before employing a sub-processor;
  • ensure that security measures are implemented; and
  • maintain documentation of all processing operations.


Explicit consent must be obtained from data subjects by SaaS customers. It will not be acceptable for customers to assume consent from a data subject’s silence or inactivity or through generic terms and conditions. Consent must be given by a data subject in a clear statement or via an affirmative action (i.e. ticking a consent box when visiting a website). The data subject must have the right to withdraw consent at any time.

There is an additional requirement that explicit parental consent must be given when processing the data of a child under the age of 13.

Right to be Forgotten

Data subjects will have the right to be forgotten. This will allow individuals to have all personal data that a SaaS supplier holds on them deleted. This will include all photos and any public links to, or copies of, personal data that can be found on the Internet, for example in social networks or via search engines.  SaaS suppliers will be required to permanently delete the individual’s data unless there are legitimate grounds for retaining it.

Right to Copy of Personal Data

In certain circumstances individuals will be able to obtain a copy of their personal data. They will also have the right to have their data transferred automatically between SaaS suppliers, for example from one social network to another. This means that SaaS suppliers will need to implement data exporting tools to enable users to download their data and move it to another provider.

When will the Rules Change

The draft Regulation must be approved by all EU countries and the European Parliament before it comes into effect, probably in about 3 years time. The rules will introduce significant and onerous new obligations upon SaaS suppliers, who will need to implement time consuming measures to ensure compliance, in order to avoid the risks of facing substantial fines.

Preparing for Change

Although the proposals could be substantially amended before they are approved, it is advisable that businesses start to prepare for the proposed changes now. For example by appointing a data protection officer (where appropriate), devising a documentation system for recording data processing activities, reviewing how consent is obtained from data subjects and revising all data processing agreements.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:

To register for my newsletter click here


Other related articles: