SaaS Agreements – FAQs – Data Controller

It is important for a SaaS supplier to understand the legal obligations imposed upon a data controller when negotiating a SaaS agreement, as the duties of a data controller are not the same as the duties of a data processor. In a SaaS relationship the supplier is always the data processor of the SaaS customer. The SaaS customer is always the data controller. Below is a summary of the obligations of a data controller.

Data Protection Act 1998

A definition of data controller is set out in the Data Protection Act (“Act”). The Act applies to all processing of personal data (i.e. name, email addresses, dates of birth, national insurance number) of any living individual. The data controller decides and controls the purposes for which personal data is to be collected and processed.

The Act sets out the following 8 data protection principles that a data controller must comply with.

Personal data must be:

  • fairly and lawfully processed;
  • processed for limited purposes;
  • adequate, relevant and not excessive;
  • accurate and kept up to date;
  • kept for no longer than necessary;
  • processed in accordance with the data subject’s rights;
  • protected against unauthorised or unlawful processing, loss or destruction using appropriate technical and organisational measures; and
  • transferred outside of the EEA only if there is adequate protection in the receiving country.

Liability for Personal Data

A SaaS customer will be liable to its clients/end users (whose personal data it is collecting and processing) for any breaches of the above 8 principles. As the SaaS supplier will be carrying out the processing on behalf of the SaaS customer, the terms of the SaaS agreement should include adequate clauses to protect the SaaS supplier and the SaaS customer against data protection breaches, bearing in mind the differing responsibilities of the data controller and the data processor.

Registration under the Data Protection Act

The Act requires every data controller who is processing personal information to register with the ICO, unless an exemption applies. A SaaS customer must register as a data controller under the Act as it will be collecting and/or processing personal data. Failure to register is a criminal offence.

There is an annual fee for registration which depends upon the size and turnover of the SaaS customer. The fee is currently £35 unless the SaaS customer:

  • has a turnover of £25.9M and more than 249 members of staff; or
  • is a public authority with more than 249 members of staff.

in which case the annual fee is currently £500.

Subject Access Request

Data subjects (clients of the SaaS customer) have the right to make a subject access request to:

  • find out what personal data is being held about them; and
  • obtain a copy of the information held.

This information must be provided within strict time limits and at a minimal cost to the data subject. The request is made to the data controller (the SaaS customer) and they are obliged to respond. However, it is often the SaaS supplier who actually needs to provide the information stored on its servers. The terms of the SaaS agreement need to cover how and when such information will be released and to whom.


When considering SaaS customer requests to change clauses relating to liability, indemnities, data and data protection in a SaaS agreement, it is essential that a SaaS supplier understands the statutory obligations of the data controller and data processor and the implications of changing any terms of the SaaS agreement.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years' experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:

Bodle Law