SaaS Agreements – Terms and Conditions – Data Processing Agreement

UK SaaS suppliers currently have limited obligations to SaaS customers when processing personal data as part of their SaaS services. Under the General Data Protection Regulation (GDPR) many new data processing obligations are imposed on SaaS suppliers. In particular, the obligation for SaaS suppliers to enter into a written data processing agreement with SaaS customers and subcontractors.

GDPR applies to UK SaaS Suppliers despite Brexit

Regardless of when and how Brexit takes place, the GDPR will apply to SaaS suppliers located within the UK if:

  • They offer goods or services to SaaS customers located within the EU (i.e. in any of the remaining 27 EU Member States); or
  • They monitor the behaviour of EU data subjects;

Even though UK SaaS suppliers will no longer be located within the EU themselves after a Brexit.

GDPR applies to non-EU SaaS Suppliers

The GDPR automatically applies to all SaaS suppliers located outside of the EU i.e. in the USA, if:

  • They offer goods or services to SaaS customers located within the EU; or
  • They monitor the behaviour of EU data subjects;

Even though the SaaS supplier is not located within the EU.

Written Data Processing Agreement

Under the GDPR SaaS suppliers and SaaS customers must include detailed data processing obligations in a written data processing agreement. This can form part of the SaaS Agreement or be a separate schedule or agreement.

SaaS Suppliers should be aware that they need to enter into written data processing agreements not just with all SaaS customers, but also with all entities or persons who process personal data on their behalf, such as:

  • All subcontractors i.e. data centres, penetration testing providers;
  • All subsidiaries i.e. providing customer support, software maintenance and support.

Fines for Breach

Data subjects can claim damages directly from SaaS suppliers who breach:

  • Any obligations under the GDPR; or
  • Any lawful instructions of a SaaS customer.

In addition data protection authorities can fine SaaS suppliers or SaaS customers up to 4% of annual global turnover or 20m Euros (whichever is higher) for breaches of the GDPR.

Preparing for Change

To ensure compliance with the new obligations placed on SaaS suppliers (data processors) under the GDPR, SaaS suppliers should taking the following steps:

  • Review existing data protection policies and procedures for compliance with the GDPR;
  • Adapt existing privacy, security and data breach policies to comply with the new rules before the 25th of May 2018;
  • Create a written data processing agreement which reflects the above polices and which is compliant with the GDPR;
  • Review existing SaaS agreements to check limitations on liabilities and indemnities for data protection breaches;
  • Identify any subcontractors and subsidiaries who process personal data;
  • Audit compliance of subcontractors and subsidiaries with new policies and procedures; and
  • Add written data processing agreements to all existing agreements with SaaS customers, subcontractors and subsidiaries.


Irene Bodle is an IT lawyer specialising in SaaS, with over 15 years experience in dealing with SaaS, cloud computing and IT law issues. If you require assistance with any SaaS agreements, cloud computing concerns or any other IT legal issues please contact me at:

To register for my newsletter click here


Other related articles: