SaaS Agreements – Terms and Conditions – Data Processing Agreement

UK SaaS suppliers currently have limited obligations to SaaS customers when processing personal data as part of their SaaS services. However, from the 25th of May 2018 the General Data Protection Regulation (GDPR) will impose many new  data processing obligations on SaaS suppliers. In particular, the obligation for SaaS suppliers to enter into a written data processing agreement with SaaS customers and subcontractors.

GDPR applies to UK SaaS Suppliers despite Brexit

Regardless of when and how Brexit takes place, the GDPR will apply to SaaS suppliers located within the UK if:

  • They offer goods or services to SaaS customers located within the EU (i.e. in any of the remaining 27 EU Member States); or
  • They monitor the behaviour of EU data subjects;

Even though UK SaaS suppliers will no longer be located within the EU themselves after a Brexit.

GDPR will apply to non-EU SaaS Suppliers

From the 25th of May 2018 the GDPR will automatically apply to all SaaS suppliers located outside of the EU i.e. in the USA, if:

  • They offer goods or services to SaaS customers located within the EU; or
  • They monitor the behaviour of EU data subjects;

Even though the SaaS supplier is not located within the EU.

Written Data Processing Agreement

Currently a SaaS supplier must include the mandatory written obligations imposed by the DPA within the terms of the SaaS Agreement.

From May 2018 SaaS suppliers and SaaS customers will need to include detailed data processing obligations in a separate written data processing agreement.

SaaS Suppliers should be aware that they need to enter into written data processing agreements not just with all SaaS customers, but also with all entities or persons who process personal data on their behalf, such as:

  • All subcontractors i.e. data centres, penetration testing providers;
  • All subsidiaries i.e. providing customer support, software maintenance and support.

Fines for Breach

From May 2018 data subjects will be able to claim damages directly from SaaS suppliers who breach:

  • Any obligations under the GDPR; or
  • Any lawful instructions of a SaaS customer.

In addition data protection authorities will be able to fine SaaS suppliers up to 4% of annual global turnover or 20m Euros (whichever is higher) for breaches of the GDPR.

Preparing for Change

To ensure compliance with the new obligations placed on SaaS suppliers (data processors) under the GDPR, SaaS suppliers should start preparing for the changes to data protection law now, by taking the following steps:

  • Review existing data protection policies and procedures for compliance with the GDPR;
  • Adapt existing privacy, security and data breach policies to comply with the new rules before the 25th of May 2018;
  • Create a written data processing agreement which reflects the above polices and which is compliant with the GDPR;
  • Review existing SaaS agreements to check limitations on liabilities and indemnities for data protection breaches;
  • Identify any subcontractors and subsidiaries who process personal data;
  • Audit compliance of subcontractors and subsidiaries with new policies and procedures; and
  • Add written data processing agreements to all existing agreements with SaaS customers, subcontractors and subsidiaries before the 25th of May 2018.


Irene Bodle is an IT lawyer specialising in SaaS, with over 14 years experience in dealing with SaaS, cloud computing and IT law issues. If you require assistance with any SaaS agreements, cloud computing concerns or any other IT legal issues please contact me at:

To register for my newsletter click here


Other related articles:

Bodle Law