SaaS Providers as Data Processors and the GDPR

SaaS Providers as Data Processors and the GDPR

In the UK the General Data Protection Regulation (“GDPR”) will replace the Data Protection Act 1998 from the 25th of May 2018, regardless of “Brexit”.

How will this affect suppliers of Software-as-a-Service (“SaaS”) solutions (each a “SaaS Provider”) and SaaS customers (each a “SaaS Customer”) (and where applicable, SaaS Customer’s customers i.e. Data Subjects).

SaaS Providers in a more direct 2/ 3 party arrangement (“Arrangement 1”) is more straightforward than a 3/4 + reseller arrangement (“Arrangement 2”) in terms of who the Data Processors, Data Controllers and Data Subjects are. Let’s look at each:

Arrangement 1

Data Subject & Data Controller → Data Processor

(SaaS Customer – one and the same party) → (SaaS Provider)


Data Subject → Data Controller → Data Processor

(SaaS Customer’s customer) → (SaaS Customer) → (SaaS Provider)

This is more typical of a direct B2B SaaS arrangement where the Data Controller is a business that has end customers (or employees) and the Data Controller engages the Data Processor to process data pertaining to those end customers (or employees) also known as “Data Subjects”.

Arrangement 2

Data Subject → Data Controller → Data Processor → Sub-Data Processor

(Reseller’s Customer’s customer) (Reseller’s Customer) → (Reseller) → (Reseller’s Sub-Data Processor)



In both arrangements, there will be a set of Service Ts & Cs or a Professional Services Agreement (PSA) in place as between each pair who sit beside each other in the chain, however, in Arrangement 2, there will be a Reseller Agreement which may incorporate (or keep separate) terms in the nature of a PSA. Each party effectively engages the party to its right to carry out services for it (either in its’ own right or on its’ behalf).

Whatever terms are put on the table, they must be GDPR compliant i.e. from SaaS Ts & Cs or SaaS Agreements, SaaS Uptime Service Level Terms, SaaS platform Privacy Statements, Reseller Agreements to Data Processing agreements. Be careful not to mix up the parties and their roles under the GDPR.

► Data Subject (the individual about whom personal data is processed e.g. end customer or employee)

► Data Controller (an organisation or individual that decides (alone or jointly) how and why PD is processed e.g. the employer) (Article 4(7))

► Data Processor (an organisation or individual that processes information on behalf of the DC e.g. the employer’s payroll company)


The GDPR does not make any reference to “Joint” Data Processors as it does to Data Controllers (Article 26).

Article 28 states:

‘The controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject’.

Therefore the Data Controller must have a contract in place with a Data Processor to ensure that each party complies with its obligations as prescribed for in the GDPR (Article 28(3)). Where this Data Processor engages another data processor, the same obligations apply (Article 28(4)):

Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor’s obligations.”

The relevant parties in the chain at Arrangement 1 or Arrangement 2 need to start making organisational changes now to their data processing activities in order to comply with the new rules on consent, audit rights, data exports, increased administrative requirements and the new obligations of Data Processors. Below is a summary of the main provisions of the GDPR that these parties need to be aware of in particular:

Provision Information


SaaS Providers (and SaaS Customers) relying on consent to process personal data will need to show that the consent is:

  • freely given;
  • specific and informed; and
  • an “unambiguous indication” of a Data Subject’s wishes and expressed either by a statement or a clear affirmative action (i.e. ticking a consent box when visiting a website).

Consent must be purpose limited i.e. related to explicitly specified purposes.

The default age for giving valid consent and using online services is 16, however each EU country will be able to reduce this to 13.

New Data Processor Obligations


The GDPR applies to Data Controllers and Data Processors (see how Arrangements 1 and 2 above illustrate these roles). SaaS Providers who are Data Processors need to be aware that some of the GDPR applies directly to them and they will be subject to compliance obligations and sanctions for non-compliance.
Recording Obligations


In order to demonstrate compliance with the GDPR, the Data Controller and the Data Processor should maintain records of processing activities under its responsibility (Article 30).

Processing personal data for organisations of 250 or more employees OR, regardless of the organisation’s size, Data Controllers or Data Processors are obligated to keep records if the processing is:

● likely to result in a risk to the rights and freedoms of Data Subjects; or,

● is not occasional; or,

● includes special categories of data or data relating to criminal convictions and offences.


Because the trigger is very broad, it is likely that it will apply to most organisations who process personal data on a day-to-day basis.

► Controller Recording obligations (Article 30(1)):

● Name and contact information of the Data Controller and the Data Protection Officer;

● Purposes of processing;

● Categories of Data Subjects, personal data and recipients of the data;

● International data transfers being made and the measures put in place to ensure they are lawful;

● How long the personal data is being retained and the timeline for deleting that data;

● A general description of technical and organisational security measures that have been implemented.

► Processor Recording obligations (Article 30(2)):

● Name and contact information of the Data Controller and the Data Protection Officer;

● Category of personal data being processed on behalf of the Data Controller;

● International data transfers being made and the measures put in place to ensure they are lawful; and,

● A general description of technical and organisational security measures that have been implemented.




The maximum penalty for a breach of the GDPR will be substantially higher than under current legislation. Fines of up to 4% of annual global turnover or up to 20m Euros (whichever is higher) can be imposed.


Applicable to Non-EU Entities


The GDPR will apply to EU (and non-EU) SaaS Providers and SaaS Customers (including resellers) who:

  • offer goods or services to Data Subjects in the EU; or
  • monitor the behaviour of EU citizens to the extent that the behaviour takes place in the EU.
Enforcement – Supervisory Authority


SaaS Providers (including resellers) will be regulated by a single regulator in the place of their main establishment, which shall be their main administrative location in the EU. Data subjects will be able to make complaints to regulators in their own EU country. In the UK, this is the ICO.
Data Protection Officer


An independent Data Protection Officer (“DPO”) must be appointed where an organisation’s core business involves processing personal data involving regular and systematic monitoring of data subjects or large amounts of sensitive personal data. Each EU country may enact national provisions imposing further requirements regarding the appointment of DPOs.

Notification: There is no requirement for a SaaS Provider (including a reseller) to notify local data protection supervisory authorities of any data processing activities but there is a requirement to keep records of data processing activities.

Breach Reporting


A personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” (Article 4(12))

A SaaS Provider (including resellers) who are Data Processors must report breaches to the Data Controller ‘without undue delay after becoming aware of a breach’ (Article 33). The Data Controller must in turn inform the supervisory authority of a personal data breach within 72 hours where ‘the breach is likely to result in a risk for the rights and freedoms of natural persons’ (Article 34).

Data subjects must be informed of breaches without undue delay where the breach is likely to result in a high risk to the data subject’s rights and freedoms unless:

  • the data has been rendered unintelligible to any third party (for example by encryption);
  • the data controller has taken steps to ensure the high risk is unlikely to materialise; or
  • it would involve disproportionate effort to inform data subjects individually, in which case a public announcement can be made.
Data Privacy Impact Assessments (DPIAs)


SaaS Providers (where such are Data Controllers) will be required to carry out data protection impact assessments (a “DPIA”) if their proposed activities are likely to result in a high risk for the rights and freedoms of individuals, in particular, through the use of new technologies and in cases of profiling. See more on DPIAs here:
Data Processing Contracts


The contract must set out:

● the subject matter and duration of the processing;

● nature and purpose of the processing; and,

● type of personal data, categories of data subjects and obligations/ rights of the Data Controller.


The contract must stipulate that:


● the personal data must only be processed on documented instructions from the Data Controller unless required by EU or member state law;

● those individuals authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and,

● appropriate technical and organisational measures as set out in Article 32 regarding security of processing must be implemented.


The contract must stipulate that the Data Processor must:


● delete or return all personal data at the end of the processing services or if instructed by the Data Controller;

● assist the Data Controller in ensuring compliance with obligations specifically related to security and prior consultation with supervisory authorities when required;

● make available to the Data Controller all information necessary to demonstrate compliance with Article 28 (these processor rules).

● contribute to audits carried out by the Data Controller and immediately inform the Data Controller if it believes any instruction infringes the GDPR or member state law.

Data Subject Rights


The following rights shall be granted to data subjects:

  • data portability;
  • the right to be forgotten;
  • the right to prevent profiling;
  • the right to object to processing;
  • the right to rectification and erasure.
  • Data Subject Access Requests (“DSARs”).

DSARs must be responded to by the Data Controller without undue delay and, at the latest, within one month of receipt of the request. The Data Controller only has the right to charge a reasonable fee to cover administrative costs where the requests are “manifestly unfounded or excessive”. It is wise for a Data Controller therefore to oblige their Data Processor to assist with DSARs within a lesser timeframe e.g. 15 – 20 days.

What should you do to be ready?

Although the GDPR will not come into force until the 25th of May 2018, it is essential that SaaS Providers start to prepare for the changes now. For example by:

  • Adding written data processing agreements to existing SaaS arrangements and future SaaS agreements with relevant customers;
  • Amending existing privacy policies to comply with the GDPR rules;
  • Appointing a data protection officer (where appropriate);
  • Devising a documentation system for recording data processing activities;
  • Reviewing how consent is obtained from data subjects.

Tel: 0800 6894168

twitter: @CloudLegals




By | 2018-03-05T15:46:46+00:00 March 5th, 2018|News|0 Comments