SaaS Agreements – FAQs – EU Standard Contractual Clauses

When negotiating a SaaS agreement with SaaS customers a SaaS supplier will often need to transfer customer data outside of the European Economic Area (EEA). This could be at the request of a SaaS customer or more usually because the SaaS supplier uses a sub-contractor such as a data centre which is located outside of the EEA. SaaS suppliers and SaaS customers should use EU standard contractual clauses in the circumstances set out below in order to comply with their duties under UK and EU data protection laws.

The Data Protection Act

The Data Protection Act 1998 (DPA) applies to the processing of personal data, i.e. names, email addresses, dates of birth or national insurance numbers of any living individual. The DPA sets out different duties for data controllers and data processors. In a SaaS agreement, the customer is always the data controller and the SaaS supplier is their data processor.

A data controller is not permitted to transfer personal data of EU citizens outside of the EEA unless:

    • it has the specfic consent of the data subject,
    • the transfer is to a country which has adequate protection, (currently Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and Japan are recognised by the EU data protection authorities as countries with adequate protection); or

EU Standard Contractual Clauses

EU standard contractual clauses are standard data processing agreements that have been approved by the EU Commission as providing adequate protection. There are currently two sets of standard contractual clauses for transfers of personal data between data controllers and one set for transfers between a data controller and a data processor. EU standard contractual clauses must be used unamended (other than where specific details may be added, as set out in the notes to the clauses).

Where personal data is transferred from:

    • a data controller in the EU (SaaS customer) to a data processor outside of the EEA (SaaS supplier); or
  • a SaaS supplier within the EU to a sub-processor located outside of the EEA;

the SaaS supplier will need to enter into EU standard contractual clauses with the SaaS customer or SaaS sub-processor, as applicable.

When EU standard contractual clauses are included in a SaaS agreement, the requirement to provide adequate protection for the data being transferred will be met and no specific consent will need to be obtained from individual data subjects.

This is a common scenario in a SaaS agreement where a SaaS customer based in the UK is accessing SaaS software provided by a SaaS supplier who uses a hosting centre in the USA or outsourced IT development centre located in India or Asia to process the SaaS customer’s personal data.

Binding Corporate Rules

Please note that BCRs only cover international transfers of personal data between companies within the same group.

EU-US Privacy Shield

Please note that since the 16th of July 2020, the EU-US Privacy Shield was declared invalid by the European Court of Justice and can no longer be used for the transfer of personal data to US entities.


Any transfer of personal data by a SaaS customer or SaaS supplier to any country outside of the EEA or which is not approved by the EU Commission as having adequate protection will be illegal, unless specific consent is obtained or EU model clauses or BCRs are used.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:

To register for my newsletter click here


Other related articles: