SaaS Agreements – GDPR – Data Protection Act 2018

The UK Data Protection Act 2018 Act came into force on the 25th of May 2018 (DPA). The DPA replaced the Data Protection Act 1998 in its entirety and applies the standards of the General Data Protection Regulation (GDPR), whilst also attempting to prepare the UK data protection law for Brexit. SaaS customers and SaaS suppliers should familiarise themselves with the terms of the DPA in addition to the provisions of the GDPR – as both apply. The DPA also includes a number of derogations from the GDPR.


Each of the 28 EU member states is permitted to derogate from some of the provisions of the GDPR by enacting their own local data protection laws. SaaS customers and SaaS suppliers will need to be aware of the additional or differing rules in each of the EU countries in which they collect or process personal data.

Below is a summary of the main derogations in the UK that SaaS suppliers and SaaS customers should be aware of.

Age of Consent

Under the GDPR personal data cannot be collected from children under the age of 16 without obtaining parental consent. The DPA has lower the age of consent to 13 years of age in the UK. This means that SaaS customers may collect personal data from children from the age of 13, without the need to obtain parental consent. However, SaaS customers and SaaS suppliers should be aware that this derogation will only apply in the UK. SaaS customers. SaaS suppliers and SaaS customer will need to bear in mind when collecting and processing personal data from children in other countries within the EU that:

  • The GDPR restriction of 16 may apply; or
  • Other EU countries may have set a different age of consent.

Right to be Forgotten

Under the GDPR data subjects have the right to be forgotten. The DPA restricts a data subject’s right to access and delete data where there is a strong public policy justification, for example, national security.

Health Data

The DPA includes exceptions to the need to obtain consent from a data subject when processing medical information. Where the derogation applies, there will be no need to obtain advance consent from the data subject. SaaS suppliers and SaaS customers may process personal data concerning health for the purpose of insurance and pension policies.

Automated Processing/Profiling

The GDPR includes the right for a data subject to prevent processing based on automated decision making. The DPA includes exemptions, for example: for credit reference checking. However, data subjects must still be permitted to object to decisions made by automated means.

Criminal Convictions and Offences Data

Under the DPA, bodies other than public authorities will be lawfully permitted to process criminal convictions and offences data. For example, employers will be allowed to process criminal convictions data as part of their pre-employment checks and insurers can process criminal convictions data for anti-fraud purposes.

Criminal Offences

The DPA creates two new criminal offences for:

  • Intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data; or knowingly handling or processing such data; and
  • For a SaaS supplier or SaaS customer altering records with the intent of preventing disclosure under a subject access request.

Ensuring compliance

SaaS suppliers and SaaS customers should check that their privacy policies and data processing agreements reflect the UK derogations and that data processing activities reflect the obligations set out in such policies and agreements. Additionally, SaaS customers and SaaS suppliers must ensure that they also comply with other applicable laws which apply to the particular industry in which they operate, as such laws may impose mandatory additional responsibilities in relation to the age of consent, duration of storage and obligations to delete personal data.


Irene Bodle is an IT lawyer specialising in SaaS, with over 15 years experience dealing with SaaS, cloud computing matters and IT law issues. If you require assistance with any SaaS agreements, cloud computing matters or any other IT legal issues please contact me at:

To register for my newsletter click here


Other related articles: