Software as a Service: Negotiating a data processing agreement

Madeleine Weber of Zscaler looks at the practicalities involved in ensuring that contracts with cloud-based SaaS platforms are data protection compliant.

Organisations often find themselves obliged to enter into data processing agreements, following the adoption of the EU General Data Protection Regulation (GDPR), the resulting UK GDPR and the similar data protection legislation introduced in many other jurisdictions.

As in-house counsel to a software-as-a-service (SaaS) vendor, negotiating and agreeing data processing agreements is one of the most common tasks I am asked to do. By way of background, SaaS is software that is hosted, managed and run in the cloud by the software provider. A good example is Netflix, a subscription service hosted online that provides access to films and series in exchange for a subscription fee. Depending on the nature and purpose of the SaaS, personal data may be input into it and can therefore be said to be processed by the SaaS provider. For example, where usernames and personal details are uploaded to the SaaS to create user profiles, these constitute personal data controlled by the SaaS customers. The customers are data controllers, as they decide which personal data is input into the SaaS. That data is processed by the software providers, who are the data processors, since by running and hosting the software they process any personal data uploaded to it. It can therefore be said that, in most cases, purchasing SaaS involves the processing of data by the SaaS provider. Hence, in many jurisdictions, when purchasing SaaS the vendor and buyer will be required to enter into a data processing agreement.
