SaaS Agreements – FAQs – Transferring Data Outside the EEA

When negotiating a SaaS agreement with SaaS customers, you will often need to transfer customer data outside of the EEA (European Economic Area). This could be at the request of your SaaS customer or, more usually, because you have a sub-contractor such as a data centre located outside of the EEA. SaaS suppliers should be aware of the following in order to comply with their duties under the UK Data Protection Act 2018 (DPA) and the GDPR.

The GDPR and the Data Protection Act

The GDPR and the UK Data Protection Act 2018 apply to the processing of personal data, i.e. names, email addresses, dates of birth or national insurance numbers of any living individual. The GDPR and the DPA set out different duties for data controllers and data processors. In a SaaS agreement, the customer is always the data controller and the SaaS supplier is their data processor.

Transfer outside of the EEA

The European Economic Area is the 28 EU member states plus Norway, Iceland and Liechtenstein. If data is transferred to any country outside the EEA, the specific consent of each data subject whose data is being transferred must be obtained before the transfer takes place, unless the data is transferred to a country recognised by the EU as having adequate data protection laws.

Countries with Adequate Protection

Currently Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and Japan are recognised by the EU data protection authorities as countries with adequate protection. In addition, companies registered under the EU-US Privacy Shield regime in the USA are also recognised.

Other Ways of Obtaining Consent

Consent can be obtained from data subjects by the SaaS customer including relevant information in its privacy policy and ensuring that its clients actively consent to transfers of their data outside of the EEA when they enter into a contract to use the SaaS customer’s products or services.


Any transfer of SaaS customer data to any country not set out above will be illegal, unless specific consent has been obtained prior to the data transfer taking place.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years' experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:
