SaaS Agreements – Data Retention and Deletion

GDPR Obligations

In compliance with their respective obligations under the GDPR, SaaS suppliers and SaaS customers must only keep personal data for as long as necessary and as specified to data subjects. SaaS suppliers should include their obligations in relation to retention and deletion of personal data when acting as a data processor in their SaaS agreement and when acting as a data controller in their privacy policy.

Data Retention Policy

In order to determine how long personal data should be kept, SaaS suppliers should create a data retention policy that identifies:

  • the types of personal data it processes; and
  • the purposes for which personal data are processed.

Once this information is collected, a SaaS supplier can then decide how long each type of personal data will be kept. The factors considered in determining retention periods should be recorded in the data retention policy. Exceptions should also be recorded, for example where any personal data may need to be held longer to comply with particular laws that apply to the SaaS supplier.

Personal data must then be deleted in accordance with the data retention policy.

When to Delete

Before a SaaS supplier deletes any personal data, they should:

  • identify the relevant personal data to be deleted;
  • consider whether any personal data needs to be kept for longer; and
  • decide whether the personal data should be permanently deleted or anonymised.

The date of deletion or anonymisation of the personal data should be recorded by the SaaS supplier so that evidence of the deletion can be produced, if required in a later dispute or if a disclosure request is made.

How to Delete

Any personal data must be securely deleted by the SaaS supplier. This includes backup copies of the personal data being deleted.

If any personal data needs to be retained for longer, such data should be anonymised where possible. SaaS suppliers must ensure that any personal data they use to create aggregated statistics or historical analysis is anonymised. Anonymisation means that all personal identifiers are removed from the data, so that is it truly anonymised i.e. it cannot identify an individual even if linked with other information. If truly anonymised, the GDPR does not apply to the date – as anonymised data is no longer personal data.

Remember: Pseudonymised data is still personal data – as individuals can be re-identified from this. The GDPR applies to pseudonymised data.

What to Delete

SaaS suppliers should physically destroy all physical records i.e. shredding or burning. A third party can be used for the destruction process, provided there is a data processing agreement in place between the SaaS supplier and the third party – as the third party will be the SaaS supplier’s processor.

Electronic records such as emails, text messages and recordings will also need to be destroyed.


Irene Bodle is an IT lawyer specialising in SaaS agreements, GDPR and cloud computing with over 15 years experience in the IT sector. If you require assistance with any SaaS or cloud computing contracts, GDPR or any other IT legal issues please contact me:

To register for my newsletter click here


Other related articles:

SaaS Agreements – FAQs – EU Standard Contractual Clauses

SaaS Agreements – GDPR – Data Processing Agreement