GDPR for SaaS Providers: 10 Obligations 2026
TL;DR
- Standard SaaS = processor; analytics or pricing features may shift you to controller status — clarify in contract
- Standard DPA required (Art. 28 GDPR) covering all 8 mandatory contents plus sub-processor list and Schrems II annex
- Customer lockbox: support staff need per-access approval before viewing customer data
- EU data boundary: EU-only hosting plus EU-region sub-processors — activate the option at hyperscalers
- 24h customer notification on breach so the customer can hit the GDPR 72h supervisory deadline
1. Clarify Provider/Controller Role
Standard SaaS hosting positions you as a processor under Art. 28 GDPR. Adding analytics, pricing intelligence, or telemetry that benefits you may shift parts of the processing to controller status. Clarify each data flow contractually — joint controllership under Art. 26 is also possible.
2. Provide a Standard DPA
Offer a self-service DPA template covering all eight mandatory contents of Art. 28(3) plus a current sub-processor list and Schrems II annex (SCC, TIA reference). Customers should not have to negotiate the basics.
3. Document Sub-Processors
Maintain a public list: hosting (AWS, Azure, GCP), email (SendGrid, Postmark), analytics, support tools. Each must be governed by a back-to-back DPA. Notify customers of changes with a reasonable objection period.
4. Privacy by Design and by Default
Default-off for tracking and advertising features, pseudonymization in logs, encryption at rest and in transit. Provide privacy settings in the admin UI so customers can configure their tenant.
5. Customer Lockbox Capability
When support engineers need access to customer data, require per-access approval from the customer. Log every access. Apple, Microsoft and Google operate this pattern at scale; SMEs can build a lightweight equivalent with ticketing approvals.
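The following Python sketch is an added illustration of the lightweight lockbox pattern described above; it is not code from the page or from any vendor's lockbox product. It assumes a hypothetical ticketing workflow in which a customer admin approves one named engineer for one ticket and one tenant, the approval is stored as a `LockboxApproval` with a short expiry, and every access decision, granted or denied, is appended to an audit log the customer can review. Access is denied by default: no approval, wrong engineer, wrong tenant, expired or revoked approval all fail closed.

```python
"""Lightweight customer-lockbox gate with an access audit trail (added example).

Assumptions (hypothetical): approvals arrive from a ticketing workflow as
LockboxApproval records; the audit log is append-only and customer-visible.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class LockboxApproval:
    ticket_id: str                          # support ticket the customer approved
    tenant_id: str                          # tenant the approval is scoped to
    engineer: str                           # engineer named in the request
    approved_by: str                        # customer admin who granted it
    approved_at: datetime
    ttl: timedelta = timedelta(hours=4)     # approvals expire; no standing access
    revoked: bool = False

    def valid_at(self, now: datetime) -> bool:
        return not self.revoked and now < self.approved_at + self.ttl


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    engineer: str
    tenant_id: str
    resource: str
    ticket_id: Optional[str]
    decision: str       # "granted" or "denied"
    reason: str


class Lockbox:
    """Deny-by-default gate between support staff and customer data."""

    def __init__(self) -> None:
        self._approvals: dict[str, LockboxApproval] = {}
        self.audit_log: list[AuditEvent] = []

    def record_approval(self, approval: LockboxApproval) -> None:
        self._approvals[approval.ticket_id] = approval

    def revoke(self, ticket_id: str) -> None:
        """Customer withdraws consent; later checks on this ticket are denied."""
        current = self._approvals.get(ticket_id)
        if current is not None:
            self._approvals[ticket_id] = replace(current, revoked=True)

    def check_access(self, engineer: str, tenant_id: str, resource: str,
                     ticket_id: Optional[str], now: Optional[datetime] = None) -> bool:
        """Decide one access attempt and log it, whether granted or denied."""
        now = now or datetime.now(timezone.utc)
        approval = self._approvals.get(ticket_id) if ticket_id else None
        if approval is None:
            reason = "no customer approval on file for this ticket"
        elif approval.engineer != engineer:
            reason = "approval names a different engineer"
        elif approval.tenant_id != tenant_id:
            reason = "approval is scoped to a different tenant"
        elif not approval.valid_at(now):
            reason = "approval expired or revoked"
        else:
            reason = "valid customer approval"
        granted = reason == "valid customer approval"
        self.audit_log.append(AuditEvent(now, engineer, tenant_id, resource, ticket_id,
                                         "granted" if granted else "denied", reason))
        return granted


def run_scenario():
    """Constructed walk-through: one approval, several access attempts."""
    lb = Lockbox()
    t0 = datetime(2026, 1, 1, 9, 0, tzinfo=timezone.utc)
    lb.record_approval(LockboxApproval("T-1001", "acme", "alice", "acme-admin", t0))
    later = t0 + timedelta(minutes=5)
    results = {
        "unknown_ticket": lb.check_access("alice", "acme", "invoices", "T-9999", later),
        "granted": lb.check_access("alice", "acme", "invoices", "T-1001", later),
        "wrong_engineer": lb.check_access("bob", "acme", "invoices", "T-1001", later),
        "wrong_tenant": lb.check_access("alice", "globex", "invoices", "T-1001", later),
        "expired": lb.check_access("alice", "acme", "invoices", "T-1001", t0 + timedelta(hours=5)),
    }
    lb.revoke("T-1001")
    results["revoked"] = lb.check_access("alice", "acme", "invoices", "T-1001", later)
    return results, lb.audit_log


if __name__ == "__main__":
    decisions, log = run_scenario()
    for name, ok in decisions.items():
        print(f"{name:15s} {'granted' if ok else 'denied'}")
    print(f"{len(log)} audit events recorded")
```

The design point is that the approval is bound to ticket, engineer and tenant and carries an expiry, so a single approval cannot be reused for other customers or turned into standing access; the audit log records denials as well as grants, which is what a customer reviewing access to their tenant actually needs.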
6. Activate EU Data Boundary
Host all primary and backup data in EU regions. Choose sub-processors that offer EU regions and enable the option (AWS, Azure, GCP all support EU-only configurations). Document the boundary in your DPA appendix.
7. DPIA for High-Risk Features
AI features, profiling, automated decision-making, biometric processing — each triggers Art. 35 DPIA. Use a 7-step template: scope, necessity, risks, mitigations, residual risk, sign-off, review cycle.
8. Breach Procedure with 24h Customer Notification
Your customer must hit the 72h supervisory authority deadline under Art. 33. Build a breach playbook that notifies customers within 24 hours of detection so they have a 48h buffer.
9. Right to Audit
Provide a SOC 2 Type II report at minimum. For critical customers, allow on-site audits or independent third-party audits. Standardize the audit scope to avoid disruption.
10. Data Export API for Art. 20
Offer a machine-readable export (JSON, CSV, XML) so customers can fulfill their data portability obligations. Document the schema. ISO 27001 helps but does not replace GDPR — run both in parallel.
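As an added example of the export described above (not the page's own code or any particular product's API), the Python below exports one tenant's records as JSON and CSV against a declared, versioned schema. It assumes a hypothetical flat record store in which every record carries a `tenant_id`; only fields listed in `EXPORT_SCHEMA` leave the system, so internal attributes and other tenants' data never appear in a customer export, and CSV cells that a spreadsheet would evaluate as formulas are neutralized.

```python
"""Tenant-scoped, schema-versioned data export for Art. 20 portability (added example).

Assumptions (hypothetical): records live in one multi-tenant table; the
published EXPORT_SCHEMA is the documented contract customers parse against.
"""
import csv
import io
import json

# Documented export schema (constructed for this example). The version lets
# customers detect format changes; only these fields are ever exported.
EXPORT_SCHEMA = {
    "schema_version": "1.0",
    "fields": {
        "user_id": "string, stable identifier within the tenant",
        "display_name": "string, customer-supplied free text",
        "email": "string",
        "created_at": "string, RFC 3339 timestamp",
    },
}

# Constructed sample data: two tenants share one table, and each record carries
# an internal score that must never be exported.
RECORDS = [
    {"tenant_id": "acme", "user_id": "u1", "display_name": "Ann",
     "email": "ann@acme.example", "created_at": "2025-03-01T10:00:00Z",
     "internal_risk_score": 0.2},
    {"tenant_id": "acme", "user_id": "u2", "display_name": "=1+1",
     "email": "u2@acme.example", "created_at": "2025-03-02T10:00:00Z",
     "internal_risk_score": 0.9},
    {"tenant_id": "globex", "user_id": "u1", "display_name": "Gus",
     "email": "gus@globex.example", "created_at": "2025-04-01T10:00:00Z",
     "internal_risk_score": 0.1},
]


def _neutralize_csv_cell(value):
    """Prefix cells a spreadsheet would treat as a formula.

    Customer-supplied strings end up in CSV files opened in Excel or LibreOffice;
    a leading =, +, -, @, tab or CR turns the cell into a formula.
    """
    s = str(value)
    if s and s[0] in "=+-@\t\r":
        return "'" + s
    return s


def tenant_rows(records, tenant_id):
    """Select one tenant's records and project them onto the declared schema."""
    fields = EXPORT_SCHEMA["fields"]
    return [{k: r[k] for k in fields} for r in records if r["tenant_id"] == tenant_id]


def export_payload(records, tenant_id):
    """Structured export: what the JSON endpoint would serialize."""
    return {
        "schema_version": EXPORT_SCHEMA["schema_version"],
        "tenant_id": tenant_id,
        "records": tenant_rows(records, tenant_id),
    }


def export_json(records, tenant_id):
    return json.dumps(export_payload(records, tenant_id), indent=2, sort_keys=True)


def export_csv(records, tenant_id):
    buf = io.StringIO()
    fields = list(EXPORT_SCHEMA["fields"])
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    for row in tenant_rows(records, tenant_id):
        writer.writerow({k: _neutralize_csv_cell(v) for k, v in row.items()})
    return buf.getvalue()


if __name__ == "__main__":
    print(export_json(RECORDS, "acme"))
    print(export_csv(RECORDS, "acme"))
```

Projecting onto an allow-list of schema fields, rather than deleting known-internal ones, means a new internal column added later is excluded by default; the tenant filter is applied before serialization so a bug in the formatter cannot leak another customer's rows.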
Summary
SaaS providers in the EU live or die by GDPR signaling: a clean DPA, transparent sub-processor list, EU data boundary, customer lockbox, and a fast breach pipeline. DPF certification helps reduce TIA effort for customers if you operate US sub-processors. Treat compliance as a sales-enablement asset, not a cost center.
Frequently Asked Questions
Is ISO 27001 sufficient?
Is DPF certification worthwhile?
Sources
- Regulation (EU) 2016/679 — GDPR (Art. 28 processor obligations) (As of: 2026-05-02)
- Commission Implementing Decision (EU) 2023/1795 — EU-US DPF (As of: 2026-05-02)
- German Federal Data Protection Act (BDSG) (As of: ongoing)