The General Data Protection Regulation (GDPR) will replace the existing EU Data Protection Directive and aims to harmonise European data protection law from the 25th of May 2018. In the UK, the GDPR will replace the Data Protection Act 1998 from the 25th of May 2018. This will have a significant effect on both SaaS suppliers and SaaS customers who will need to comply with the terms of the GDPR.


SaaS suppliers and SaaS customers should be aware that the GDPR will not fully harmonise data protection law throughout the EU, as each EU member state may introduce its own requirements in certain instances. For example, in the UK, the Government has just published a Draft Data Protection Bill (Draft Law) which aims to incorporate the GDPR into a new UK data protection law which will replace the DPA from the 25th of May 2018. The Draft Law sets out derogations from certain parts of the GDPR. Below is a summary of the main derogations that SaaS suppliers and SaaS customers should be aware of.

Age of Consent

Under the GDPR personal data cannot be collected from children under the age of 16 without obtaining parental consent. The Draft Law intends to lower the age of consent to 13 years of age. This means that SaaS customers may collect personal data from children from the age of 13, once the Draft Law is in force, without the need to obtain parental consent. However, SaaS customers and SaaS suppliers should be aware that this derogation will only apply in the UK. SaaS customers and SaaS suppliers will need to bear in mind when collecting and processing personal data from children in other countries within the EU that:

  • The GDPR restriction of 16 may apply; or
  • Other countries may have set a different age of consent.

Right to be Forgotten

Under the GDPR data subjects have the right to be forgotten. The Draft Law intends to make this obligation more onerous in relation to social media platforms. SaaS customers who operate social media platforms will be obliged, on request, to remove posts made by individuals when the data subject was under the age of 18. SaaS customers and suppliers should be aware that this is an additional condition and it will only apply in the UK, unless other EU member states adopt a similar obligation.

Automated Processing/Profiling

The GDPR includes the right for a data subject to prevent processing based on automated decision making. The Draft Law intends to include exemptions, for example for credit reference checking. However, data subjects must still be permitted to object to decisions made by automated means.

Criminal Offences

The Draft Law creates two new criminal offences for:

  • Intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data; or knowingly handling or processing such data; and
  • Altering records with the intent of preventing disclosure under a subject access request.

Dealing with Derogations

In light of the fact that each of the 27 EU member states is permitted to derogate from some of the provisions of the GDPR, SaaS customers and SaaS suppliers will need to be aware of the additional or differing rules in each of the EU countries in which they collect or process personal data. SaaS suppliers and SaaS customers should ensure that privacy policies and data processing agreements reflect these differences and that data processing activities reflect the obligations set out in such policies and agreements. Additionally, SaaS customers and SaaS suppliers must ensure that they also comply with other applicable laws which apply to the particular industry in which they operate, as such laws may impose mandatory additional responsibilities in relation to the age of consent, duration of storage and obligations to delete personal data.


Irene Bodle is an IT lawyer specialising in SaaS, with over 14 years' experience dealing with SaaS, cloud computing matters and IT law issues.