SaaS Agreements – GDPR – New German Data Protection Law (BDSG)

The General Data Protection Regulation (GDPR) will replace the existing EU Data Protection Directive and aims to harmonise European data protection law from the 25th of May 2018. In Germany, the Government has already amended the existing German Data Protection Act (BDSG) and from the 25th of May 2018 the New German Data Protection Act (New BDSG) and the GDPR will apply together in Germany.

Compliance with the New BDSG

Both SaaS suppliers and SaaS customers who provide services to German clients or who collect or process personal data of German data subjects on behalf of international SaaS clients, will need to comply with the terms of the New BDSG in addition to the terms of the GDPR. The New BDSG sets out derogations from certain parts of the GDPR and additional obligations. Below is a summary of the main derogations and additional obligations that SaaS suppliers and SaaS customers should be aware of.

Data Protection Officer

In addition to the obligation to appoint a data protection officer in certain circumstances under the GDPR, the New BDSG imposes additional circumstances in which a data protection officer must be appointed:

  • By any business with 10 or more employees permanently processing personal data;
  • Where data controllers are required to carry out privacy impact assessments;
  • Where data controllers process personal data in a commercial context for the purpose of transfer (whether or not the data is anonymised).

Sensitive Data

Sensitive data is referred to in the GDPR as special categories of personal data (Sensitive Data). Sensitive Data is personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or genetic data, biometric data, data concerning health, or data concerning a natural person’s sex life or sexual orientation. The GDPR only allows processing of Sensitive Data where specific exceptions apply. The New BDSG extends the scope of the exceptions.

Employee Data

Employee data protection rules under the New BDSG generally correspond to the existing rules under the BDSG, with some changes. For example: Any collective agreements, (an agreement between a company and its works council) which allows the company to process employee data, must comply with the GDPR obligation to ensure that the employee’s human dignity, legitimate interests, and fundamental rights are properly safeguarded.

Dealing with Derogations

Each of the 28 EU member states are permitted to derogate from some of the provisions of the GDPR. SaaS customers and SaaS suppliers who collect or process personal data from data subjects located in Germany need to be aware of such additional or differing rules in Germany and/or any other EU countries in which they collect or process personal data.

SaaS suppliers and SaaS customers should ensure that their privacy policies and data processing agreements reflect these differences and that data processing activities reflect the obligations set out in such policies and agreements. SaaS customers and SaaS suppliers must also ensure that they comply with other applicable laws which apply to the particular industry in which they operate, as such laws may impose mandatory additional responsibilities in relation to personal data.


Irene Bodle is an IT lawyer specialising in SaaS, with over 15 years experience dealing with SaaS, cloud computing matters and IT law issues. If you require assistance with any SaaS agreements, cloud computing matters or any other IT legal issues please contact me at:

To register for my newsletter click here


Other related articles: