SaaS Agreements – Data Protection – What SaaS Suppliers need to know about the GDPR

From the 25th of May 2018 the EU General Data Protection Regulation (GDPR) will come into force and change existing data protection laws in all 28 EU member states. The GDPR will place direct obligations on SaaS suppliers (data processors) in relation to data processing activities. In addition SaaS customers (data controllers), their clients (data subjects) and local data protection authorities will be able to enforce breaches of the new rules directly against SaaS suppliers.

SaaS suppliers need to amend the provisions of their existing SaaS agreements in order to comply with the upcoming changes in data protection law.

Written Data Processing Agreement

SaaS suppliers will need to include the following minimum terms in a written data processing agreement with all SaaS customers:

  • The duration, nature and purpose of the data processing;
  • The types of data being processed;
  • The obligations and rights of the customer.

The written data processing agreement must state that:

  • Personal data will only be processed in accordance with documented instructions from the SaaS customer;
  • The SaaS supplier will assist the SaaS customer in complying with its own obligations as a data controller;
  • The SaaS supplier is obliged to inform the SaaS customer if it believes an instruction to give personal data to the SaaS customer breaches the GDPR or any other EU or Member State law.

Record Keeping

Unless one of the exceptions applies, the main one being that the SaaS supplier has less than 250 employees, SaaS suppliers must keep records of all categories of processing activities that they carry out.

The following details must be recorded:

  • Information about the SaaS customer and any other data processors;
  • Names of relevant data protection officers (DPOs);
  • The categories of data processing carried out;
  • Any transfers to third countries; and
  • The general technical, organisational and security measures used by the SaaS supplier.

If requested by a supervisory authority, SaaS suppliers must provide such records.


SaaS suppliers will need to obtain prior written consent to the subcontracting of any data processing activities: for example the using a third party hosting centre such as AWS or Microsoft Azure. Although SaaS suppliers can include a general consent to subcontracting in the provisions of their SaaS agreeents, SaaS suppliers will still be obliged to inform SaaS customers before adding or replacing any sub-processors in order to give customers time to object to a change.

Breach Notification

SaaS suppliers will be required to notify SaaS customers of any breach of their obligations, without undue delay, after becoming aware of the breach.

Data Protection Officers

SaaS suppliers will be obliged to appoint a data protection officer (DPO) in some specific circumstances: for example where the SaaS supplier is processing special data (sensitive data) or if required to do so under a Member State law.

The contact details of any DPO appointed must be published and communicated to the applicable supervisory authority.

Deletion or Return of Data

SaaS suppliers must allow SaaS customers to choose between deletion or return of all personal data on termination or expiry of the SaaS agreement (unless applicable mandatory law requires storage). SaaS customers will be entitled to check compliance with this requirement.

Transfers outside the EEA

Although SaaS suppliers are required to follow a SaaS customer’s instructions with regard to data processing, SaaS suppliers may only transfer personal data outside of the EEA if the SaaS supplier or SaaS customer has provided appropriate safeguards: for example by using of EU model clauses or Binding Corporate Rules (BCRs).

Fines and Compensation

  • Data subjects will be able to take action against SaaS suppliers directly and claim damages for the SaaS supplier’s breach of any obligations under the GDPR; or
  • SaaS suppliers will be potentially liable to both the SaaS customer and data subjects for the same breach.

In addition data protection authorities will be able to fine SaaS suppliers up to 4% of annual global turnover for some breaches.

Preparing for Change

SaaS suppliers need to review the terms of their existing SaaS agreements and their internal procedures to ensure that they comply with the new rules on the use of subcontractors, data security requirements, appointment of DPOs and having in place appropriate organisational and technical measures.

SaaS suppliers should ensure that existing and future agreements with their sub-processors impose the same data processing obligations on all subcontractors, as the SaaS supplier will be liable to the SaaS customer and data subjects for any breaches of the new rules caused by any subcontractors.

SaaS suppliers should ensure that their insurance cover and indemnities and limitations on liability contained in existing SaaS agreements relating to use of personal data are sufficient to cover the higher levels of fines and direct claims for damages by data subjects.


Irene Bodle is an IT lawyer specialising in SaaS, with over 15 years experience dealing with SaaS, cloud computing matters and IT law issues. If you require assistance with any SaaS agreements, cloud computing matters or any other IT legal issues please contact me at:

To register for my newsletter click here


Other related articles: