SaaS Agreements – FAQs – Data Controller

It is important for a SaaS supplier to understand the legal obligations imposed upon a data controller when negotiating a SaaS agreement and data processing agreement (“DPA“) as the duties of a data controller are not the same as the duties of a data processor. In a SaaS relationship the SaaS customer is always the data controller and the SaaS supplier is always the data processor of the SaaS customer.

Who is a data controller

A data controller is defined in Article 4(7) of the GDPR as follows:

“the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.”

The data controller always decides and controls the purposes for which personal data is to be collected and processed. A data processor acts on behalf of, and only on the instructions of the data controller.

Controller obligations under the GDPR

The GDPR sets out the following 7 data protection principles that a data controller must comply with.

  • Lawfulness, fairness and transparency;
  • Purpose limitation;
  • Data minimisation;
  • Accuracy;
  • Storage limitation;
  • Integrity and confidentiality (security);
  • Accountability.

Need for a Data Processing Agreement

Since the GDPR and the UK Data Protection Act 2018 came into force on the 25th of May 2018 the obligations of data controllers have become more onerous. It is now mandatory for the data processor and the data controller to enter into a written agreement – DPA, setting out each party’s obligations. The DPA must include specific minimum terms.

Liability for Personal Data

A SaaS customer will be liable to its clients/end users (whose personal data it is collecting and processing) for any breaches of the GDPR. As the SaaS supplier will be carrying out the processing on behalf of the SaaS customer, the terms of the SaaS agreement should include adequate clauses to protect the SaaS supplier and the SaaS customer against data protection breaches, bearing in mind the differing responsibilities of the data controller and the data processor.

Registration under the Data Protection Act

The UK Data Protection Act 2018 requires every data controller who is processing personal data to register with the UK Information Commissioners Office (“ICO“), unless an exemption applies. It is not just a SaaS supplier who must register. A SaaS customer must also register where it acts as a data controller, in addition to being a data processor. Failure to register is a criminal offence.

There is an annual fee for registration. Current fees are determined by the ICO and a self assessment tool on the ICO website can be used to help you determine whether or not you are a data controller who needs to pay the fee.

Subject Access Request

Data subjects (clients of the SaaS customer) have the right to make a subject access request to the data controller.

Information must be provided within strict time limits and at no cost to the data subject. The request is made to the data controller (the SaaS customer) and the SaaS customer is obliged under the GDPR to respond. However, it is often the SaaS supplier who actually needs to provide the information stored on its servers either to the SaaS customer or their clients, on the SaaS customer’s behalf.


When considering SaaS customer requests to change clauses relating to liability, indemnities, data and data protection in a SaaS agreement or DPA it is essential that a SaaS supplier understands the statutory obligations of the data controller and data processor and the implications of changing any terms of the SaaS agreement or DPA.


Irene Bodle is an IT lawyer specialising in SaaS agreements and cloud computing with over 15 years experience in the IT sector. If you require assistance with any SaaS or cloud computing contracts or any other IT legal issues contact me:

To register for my newsletter click here


Other related articles: