It is important for a SaaS supplier to understand the legal obligations imposed upon it as a data processor when negotiating a SaaS agreement and a data processing agreement ("DPA"), as the duties of a data processor are not the same as the duties of a data controller. In a SaaS relationship the supplier is always the data processor acting for the SaaS customer, and the SaaS customer is always the data controller.
Who is a Data Processor
Article 4(8) of the GDPR defines a data processor as:
“a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”
A data processor acts on behalf of, and only on the instructions of, a data controller, whereas a data controller determines the purposes and means of the processing of personal data.
Where a SaaS supplier has no purpose of its own for processing the personal data and acts only on the SaaS customer's instructions, it is a data processor, even if the SaaS supplier makes some technical decisions about how to process the personal data.
Need for a Data Processing Agreement
Since the GDPR and the UK Data Protection Act 2018 came into force on the 25th of May 2018, the obligations of data processors have become much more onerous. It is now mandatory for the data processor and the data controller to enter into a written agreement (the DPA) setting out each party's obligations. The DPA must include specific minimum terms.
Liability for Personal Data
A SaaS customer will be liable to its clients/end users (whose personal data it is collecting and processing) for any breaches of the GDPR. As the SaaS supplier will be carrying out the processing on behalf of the SaaS customer, the terms of the SaaS agreement and not just the DPA should include adequate clauses to protect the SaaS supplier and the SaaS customer against data protection breaches, bearing in mind the differing responsibilities of the data controller and the data processor.
Subject Access Request
Data subjects (clients of the SaaS customer) have the right to make a subject access request to the data controller.
Information must be provided within strict time limits and at no cost to the data subject. The request is made to the data controller (the SaaS customer) and the SaaS customer is obliged under the GDPR to respond. However, it is often the SaaS supplier who actually needs to provide the information stored on its servers either to the SaaS customer or their clients, on the SaaS customer’s behalf.
When considering SaaS customer requests to change clauses relating to liability, indemnities, data and data protection in a DPA or a SaaS agreement it is essential that a SaaS supplier understands the statutory obligations of the data controller and data processor and the implications of changing any terms of the DPA or SaaS agreement.
Irene Bodle is an IT lawyer specialising in SaaS agreements and cloud computing with over 15 years' experience in the IT sector. If you require assistance with any SaaS or cloud computing contracts or any other IT legal issues, contact me.