SaaS Agreements – Data Protection – Update on the EU Draft Data Protection Regulation

SaaS suppliers should be aware of the recent changes made by the EU Parliament to the draft EU Data Protection Regulation (Regulation). If this amended version of the Regulation becomes law next year the obligations of SaaS suppliers who process personal data on behalf of customers will radically change. A summary of the current main proposed provisions is set out below.


The proposed fine for breaching data protection law will be increased to the higher of:

  • 5% of annual worldwide turnover; or
  • €100 million

Currently the maximum UK fine for a breach of data protection law is £500,000.

Data Protection Officer

A data protection officer must be appointed where:

  • a SaaS supplier processes the personal data of more than 5,000 individuals in any consecutive 12 month period; or
  • special categories of data, location data, data relating to children, or employee data in large scale filing systems is processed.

The data protection officer must be appointed for:

  • a minimum of 2 years; and
  • meet specific minimum requirements set out in the Regulation.

Notification of Data Protection Breaches

SaaS suppliers must notify breaches of data protection law without undue delay.

Data Processor Obligations

The obligations and duties of SaaS suppliers (data processors) have been more specifically defined. For example SaaS suppliers should:

  • only employ staff who have given confidentiality undertakings or commitments;
  • obtain permission from SaaS customers (data controllers) before employing a sub-processor i.e. using a third party hosting centre;
  • ensure that security measures are implemented; and
  • maintain documentation of all processing operations.

Data Transfers – Prism

The transfer of an individual’s personal data to third parties has been restricted in light of recent revelations about the NSA and Prism. No transfer of personal data will be permitted in relation to a third country court decision or administrative authority (i.e. under the Patriot Act or FISA) if this does not comply with a mutual legal assistance treaty or an international agreement.

Additionally, individuals will have the right to know if their personal data has been disclosed to a public authority.

Territorial Scope

The Regulation will apply to companies located outside of the EU whenever they process the personal data of individuals located in the EU. This means that if a UK SaaS supplier uses a data centre located outside of the EU to host EU SaaS customer data the provisions of the new Regulation will apply to both the SaaS provider and the data centre. For example if a SaaS supplier uses Microsoft to host EU customer data both will be directly subject to EU data protection law.

Right to be Forgotten

This has been changed to the right to be erased. This right will not apply to data which cannot be erased due to the type of storage technology used, provided that the technology was installed prior to the Regulation coming into force.


The above is a summary of the current status of the draft Regulation. The Regulation may be amended before it becomes law in 2014 and SaaS suppliers should continue to monitor the position to ensure they are ready to adapt their existing procedures and compliance regimes to comply with any change in their legal obligations.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 15 years experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:

To learn more about SaaS and cloud computing join me at the Berlin CloudConf 2013 on 5th of December.

To register for my newsletter click here


Other related articles: