In compliance with their respective obligations under the GDPR, SaaS suppliers and SaaS customers must only keep personal data for as long as necessary and as specified to data subjects. SaaS suppliers should include their obligations in relation to retention and deletion of personal data when acting as a data processor in their SaaS agreement and when acting as a data controller in their privacy policy.
Continue reading