GDPR and SaaS

"The product is ready, the marketing strategy to get the service to customers is final, we know what the business model of the whole app is. Now just upload the sample GDPR you downloaded from the web Frank, and we're going to release."

Are you running a Software as a Service solution and are you wondering how and what you need to be prepared for GDPR? In this article, we'll give you a basic overview so you don't have a cold sweat about whether or not you have everything prepared.

Wait is it different with SaaS than with other software?

The name Software as a Service makes it clear that you are not providing traditional software, but a service. Basically, you are delivering an application that is hosted somewhere (or you have it hosted).

And therein lies the crucial difference. In an app that users install (Back in they day - buy a "CeeDee"), the data is stored with the user. Not always, of course, but for the purposes of this article, let's just assume that as part of a SaaS service, the data is hosted somewhere.

If the data is personal data

Example: you run a recruitment platform and your customers are companies that use the app for recruitment. Through the platform, the customer receives information about potential candidates, the platform helps to select candidates and recruit them. The entire application is hosted on the cloud.

It will undoubtedly be the case that such an application processes personal data. Personal data is any information about an identified or identifiable natural person. And if you are recruiting to find out who is applying for a job, you will probably be able to identify the individual from the information obtained (or you should certainly know). Any information you then record about that person will be personal data (even technical information, if it relates to a particular person).

The question remains, who is responsible and how, in relation to the personal data stored. The legal lingo - to determine who is the controller and who is the processor of personal data. And to determine the necessary documentation accordingly.

Saas and the data controller

At the heart of the whole GDPR is the data controller. He is the one who determines the purposes and means of processing. The one who decides how the processing will take place, to what extent and why. 

In SaaS solutions, there can be several (two, respectively) administrators. Each in relation to different personal data. The operator of a SaaS solution is in the position of a data controller, for example, in situations where he creates user accounts for its customers. For these purposes, the operator needs personal data about the customer and determines what it needs from them and why.

The customer is then the data controller with respect to all personal data that is collected through the SaaS solution. You may be thinking that the customer is limited by what the SaaS solution can do, so they cannot completely determine how the processing will take place. However, from a more general perspective (in this particular case), it is the customer who decides to do the recruiting, and to use the SaaS solution for that recruiting.

What must the data controller comply with?

In addition to complying with all the obligations set out in the GDPR, the primary obligation is to provide information. It must inform individuals about why personal data are processed, how long they are stored, what rights the subject has, etc.

Applying this again to the example above, the SaaS solution provider should inform its customers about how it processes their personal data and the customer should inform job applicants about how it processes their personal data.

Are you unsure how to set up the information obligation? Details on how we can help you can be found here ↗.

And why isn't the SaaS solution provider responsible for informing?

Because he acts as a so-called personal data processor in relation to the personal data of potential applicants. In the whole process of processing personal data, it performs only one of the activities. Typically:

  • Provides their storage
  • Performs data analysis and visualisation
  • Provides export
  • Helps with contacting

However, he only does activities that are related to the whole recruitment process, but he does not decide how the whole recruitment process will take place.

The one who decided to use a SaaS solution was the customer. The customer determined the purposes and means of processing. And one of the means is the SaaS solution.

What does this mean for SaaS solution providers? A processing contract. It should be concluded with each customer. This is required by Article 28 of the GDPR. Of course, the primary obligation to conclude such a contract lies with the controller, i.e. the customer.

However, we recommend that each operator has its own processing conditions. Because there is nothing worse than having different terms and conditions with each customer.

What are the processing conditions? The scope and content can be read from Article 28 of the GDPR. Basically, the content is the obligation of the processor to process personal data according to the instructions of the controller (customer), not to use personal data for other purposes, it sets the scope of personal data processed, processing activities, methods of termination and deletion of personal data...

You can find out how we can help in preparing the processing conditions here ↗.

I'm an operator of a SaaS solution, however, I store personal data on a hosted cloud

The unraveling of the relationship setup is coming to an end. If a third-party server is used to run a SaaS solution, you just need to ask yourself a basic question:

Who has a contract with the cloud provider?

SaaS solution provider. In this case, the cloud provider is in the position of a sub-processor. In essence, the SaaS solution also includes a storage service, which is provided by the provider at the provider of its choice. 

What's the impact? At a minimum, this additional processor (cloud provider) needs to be approved in the processing conditions. A processing contract (terms and conditions) must also be in place with the cloud provider. This must also be at least as strict as the contract between the provider and the customer.

The customer provides the cloud himself. In this case, the cloud provider is a processor standing next to the SaaS solution provider. These are two separate entities with which the customer must have a processing contract.

"What should the processing contract look like? I'm not signing anything on paper."

You can also think of the terms as a contract in this case. The processing contract can be part of the terms of use (T&C) that the customer agrees to when they register for a SaaS account. It can be a separate check-box with separate terms and conditions when you register. The important thing is that nothing needs to be signed. Alternatively, it is sufficient to show that the customer has been made aware of the terms and has agreed to them.


SaaS solutions are specific in that the application itself is hosted somewhere other than the customer. From a GDPR perspective, this has a particular impact on the setup of the relationship between the controller and the processor of personal data.

When you complete your SaaS solution, be sure to prepare the necessary documentation. You will most likely be both the controller and the processor of personal data.

Of course, we'll be happy to help ↗you with the documentation , or read about the data protection services we offer ↗. Or, alternatively, you can contact us through this form:

SaaS a potřebná dokumentace? Máme bohaté zkušenosti

Napište nám -->