SaaS, ASP Agreements – Data Protection Issues with Sub-contractors – Standard Contractual Clauses

Using a sub-contractor to process your SaaS customer data is a problem under data protection law where the sub-processor is based outside of the European Economic Area (EEA). Incorporating EU standard contractual clauses into your SaaS agreement is NOT the solution to this common problem.

EU Standard Contractual Clauses

Under data protection law, personal data may only be transferred to countries outside of the EEA where there is adequate protection. To deal with transfers of personal data from a customer (data controller) in the EEA, e.g. in the UK, to a SaaS supplier (data processor) outside of the EEA, e.g. a SaaS supplier in Asia, the EU drafted standard contractual clauses. When such clauses are included in a SaaS agreement, the requirement to provide adequate protection for the data being transferred will be met.

New EU Standard Contractual Clauses

In July 2010 the EU standard contractual clauses were amended to cover the position where personal data is transferred from a data controller in the EEA (customer) to a data processor outside of the EEA (supplier) and then transferred on to a sub-processor located outside of the EEA.

This is a common scenario in a SaaS agreement where a customer based in the UK is accessing SaaS software provided by a supplier outside of the EEA and the supplier is using a hosting centre or outsourced IT development centre located in India or Asia to process the customer data.

Sub-Processor located outside of the EEA

Despite the above changes to the EU model clauses, where a data processor (supplier) based inside the EEA instructs a sub-processor based outside of the EEA to process a customer’s data, the transfer of data is not covered by the new or old standard contractual clauses. This is a common scenario in SaaS agreements where the customer and supplier are both based in the EEA but the SaaS supplier uses a data centre or IT personnel outside the EEA, e.g. in Asia, to process the customer data.

The transfer of customer data to the sub-processor will not comply with data protection law if the new or old standard contractual clauses are used, and an alternative solution will need to be found. This will usually take the form of an additional data protection agreement between the relevant parties.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years' experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:
