Data Protection and GDPR Compliance for SaaS Companies

AT A GLANCE

  1. Every SaaS company processing personal data of EU users — which means every SaaS company with an EU user base — is subject to GDPR in full, including fines of up to 4% of global annual revenue for serious violations.
  2. SaaS companies face a dual GDPR obligation: as data controllers for their own user data, and as data processors when handling their clients’ users’ data — each role carries distinct obligations that must be managed simultaneously.
  3. A GDPR-compliant data processing agreement with every B2B client is a legal requirement under Article 28 — and a commercial requirement for any enterprise sales process where the client has legal counsel reviewing contracts.
  4. We provide a complete SaaS GDPR compliance programme — from the initial gap assessment through to ongoing DPO function, sub-processor management, and data breach response.
  5. All GDPR documentation is specific to the SaaS context — the privacy notice, DPA template, sub-processor list, and data retention policy reflect how a SaaS platform actually processes data, not a generic business with a website.

GDPR compliance for a SaaS company covers two simultaneous obligations: managing personal data that belongs to the company’s own users (as a data controller), and managing personal data that belongs to clients’ users and is processed through the SaaS platform (as a data processor). The compliance programme covers both roles — a privacy notice and cookie policy for the controller obligation, and data processing agreements, sub-processor management, and technical and organisational measures for the processor obligation. We design, implement, and maintain this programme for Lithuanian SaaS companies, and provide an outsourced DPO function where the company needs a designated expert to manage ongoing GDPR obligations.

The SaaS GDPR Dual Obligation: Controller and Processor

The most important GDPR concept for SaaS founders to understand is that a SaaS company is almost always both a data controller and a data processor simultaneously — and these roles carry different obligations that must be managed in parallel.

As a data controller — your own users

When a SaaS company collects personal data directly from users — account registration information, login details, usage analytics, billing data, support communications — the company determines the purpose and means of that processing. It is a data controller. As a controller, the company must have a lawful basis for each processing activity, provide a GDPR-compliant privacy notice to users, honour data subject rights requests (access, erasure, portability, objection), maintain records of processing activities, implement appropriate security measures, and notify the State Data Protection Inspectorate within 72 hours of becoming aware of a data breach that is likely to result in a risk to individuals.

As a data processor — your clients’ users

When a B2B SaaS company’s platform processes personal data that belongs to its clients’ customers — user records entered by the client, transaction data, communication logs, health records, or any other personal data that the client’s users submit to the platform — the SaaS company is processing data on behalf of the client. The client is the data controller; the SaaS company is the data processor. As a processor, the company must sign a data processing agreement with each client controller; process data only on the client’s documented instructions; implement appropriate technical security measures; notify the client of any data breach affecting their data without undue delay; ensure sub-processors are bound by equivalent obligations; and delete or return all data on termination.

Why both roles matter simultaneously

Most GDPR guides written for businesses focus on either the controller role or the processor role — rarely both. SaaS companies need to manage both simultaneously, and the obligations do not always align neatly. The privacy notice covers the controller role; the DPA covers the processor role. The data breach notification obligation applies in both directions — 72 hours to the SDPI as a controller, and notification to each affected client as a processor. Data retention periods may differ between controller data (usage analytics retained for business purposes) and processor data (client user data that must be returned or deleted at contract termination). The compliance programme must cover both dimensions and ensure they are internally consistent.

GDPR fine scale — the actual numbers

GDPR provides for two tiers of administrative fines. For violations of basic obligations — such as failing to have a DPA with a processor — fines can reach €10,000,000 or 2% of total worldwide annual turnover, whichever is higher. For violations of fundamental principles — such as processing without a lawful basis or failing to respect data subjects’ rights — fines can reach €20,000,000 or 4% of total worldwide annual turnover, whichever is higher. EU data protection authorities have been actively fining businesses of all sizes since 2018. The 4% of global revenue ceiling makes GDPR the most financially consequential regulatory regime for most SaaS companies.

Our GDPR Compliance Services for SaaS Companies

We provide a structured GDPR compliance programme covering both the controller and processor dimensions of a SaaS company's data protection obligations. Each service area corresponds to a specific component of the compliance programme.

GDPR Compliance Programme Design and Implementation

A GDPR compliance programme is not a single document — it is a coordinated set of policies, procedures, documentation, and technical measures that collectively demonstrate compliance with GDPR principles. For a SaaS company, the programme must cover both the controller and processor dimensions and must evolve as the product, team, and client base grow. We design and implement the initial compliance programme and maintain it as the company develops.

  • GDPR gap assessment — reviewing current practices and documentation against the full GDPR obligation set
  • Data mapping exercise — identifying all personal data processed, for what purpose, on what legal basis, and for how long
  • Lawful basis analysis — confirming the applicable lawful basis for each processing activity (consent, legitimate interest, contract, legal obligation)
  • Records of processing activities (ROPA) — the Article 30 internal register of all processing operations
  • Privacy-by-design review — advising on new product features from a data protection perspective before build
  • GDPR compliance calendar — scheduling all ongoing obligations (annual review, training, retention checks) for the year
  • Accountability documentation — the internal evidence of GDPR compliance that must be available for SDPI audit
  • Annual programme review — updating all documentation and assessments to reflect regulatory guidance and product changes

Data Processing Agreements for B2B Clients

Every B2B SaaS client whose users' personal data flows through the platform is a data controller, and GDPR Article 28 requires a data processing agreement to be in place before processing begins — regardless of client size. Enterprise clients require DPAs as a standard commercial prerequisite, often provided as part of their own template for the SaaS company to sign. We prepare the standard DPA template for outgoing use and review and negotiate client-proposed DPAs.

  • SaaS DPA template — Article 28-compliant; covering subject matter, duration, nature and purpose of processing, data categories, and all mandatory processor obligations
  • Security annex (Technical and Organisational Measures) — detailing the security framework the SaaS company applies to client data
  • Sub-processor clause — listing current sub-processors; notification procedure for additions; client objection rights
  • International data transfer provisions — Standard Contractual Clauses for transfers of client data outside the EEA
  • Data return and deletion provisions — the obligation to return or delete client data on contract termination; timeline and format
  • Audit rights clause — client's right to audit the SaaS company's compliance; proportionate scope for practical operations
  • Enterprise DPA review — reviewing and responding to client-proposed non-standard DPA terms; written commentary and negotiation strategy
  • DPA portfolio audit — reviewing all existing client relationships to confirm DPA coverage

DPA as an enterprise sales requirement

Enterprise procurement teams consistently require a signed DPA before they will approve a new SaaS vendor. A DPA that is clearly structured, uses standard GDPR language, and addresses the standard enterprise concerns — security framework, sub-processor list, breach notification timeline, data deletion on termination — gets approved in days. A DPA that is missing mandatory Article 28 provisions, uses non-standard terminology, or has inadequate security provisions gets escalated to the client's DPO and legal team, adding weeks to the sales cycle. We draft DPAs for enterprise procurement, not just regulatory minimum compliance.

Sub-Processor Management

Every service provider that receives or accesses personal data processed by the SaaS company on behalf of its clients is a sub-processor. AWS, Google Cloud, Stripe, SendGrid, Intercom, Datadog, Segment, and every other SaaS tool in the infrastructure stack that touches client user data is a sub-processor. Each must be covered by a data processing agreement that imposes GDPR-equivalent obligations. The sub-processor list must be disclosed to clients and updated when new sub-processors are added — with clients given the opportunity to object.

  • Sub-processor identification — mapping all services in the technology stack that receive or access client personal data
  • Sub-processor DPA confirmation — confirming that each sub-processor has an adequate DPA in place (most major cloud providers do)
  • Sub-processor list drafting — a published list suitable for inclusion in the SaaS company's privacy documentation and client DPAs
  • Sub-processor change notification procedure — the process for notifying clients when new sub-processors are added
  • Client objection management — handling client objections to specific sub-processors; documenting the resolution
  • International transfer assessment — confirming the transfer mechanism for sub-processors based outside the EEA (SCCs, adequacy decision, BCRs)
  • Annual sub-processor review — confirming the list remains accurate and all sub-processor DPAs remain current

Data Subject Rights Procedures

EU data subjects have a defined set of rights under GDPR — the right to access their personal data, the right to erasure, the right to data portability, the right to object to processing, and others. A SaaS company must be able to respond to any data subject rights request within one month. The obligation applies to both the controller role (requests from the SaaS company's own users) and the processor role (requests from a client's users, which the SaaS company must assist the client in responding to). Without documented procedures, responses are inconsistent, slow, and likely to miss the mandatory deadline.

  • Data subject rights procedure — step-by-step process for receiving, validating, and responding to each type of DSR
  • Identity verification procedure — confirming the requestor's identity before disclosing or erasing personal data
  • Right of access procedure — producing the required data extract in a structured, commonly used format within the deadline
  • Right of erasure procedure — identifying and deleting all personal data relating to the subject across all systems and sub-processors
  • Right to portability procedure — exporting personal data in a machine-readable format (JSON, CSV) for the data subject
  • Right to object and restriction procedures — documenting the assessment and outcome for objection and restriction requests
  • DSR request log — maintaining the internal record of all requests received and their resolution status
  • Processor-to-controller escalation — procedure for routing client users' DSR requests to the appropriate client controller

Data Breach Response and Notification

A personal data breach — any incident involving the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data — triggers specific GDPR obligations. As a controller, the SaaS company must notify the State Data Protection Inspectorate within 72 hours if the breach is likely to result in a risk to individuals. As a processor, it must notify each affected client without undue delay. Having a documented breach response procedure determines whether the company handles a breach in a way that minimises regulatory and commercial damage — or discovers its obligations after the deadline has already passed.

  • Data breach response procedure — step-by-step incident triage, containment, assessment, and notification workflow
  • Breach severity assessment framework — criteria for classifying breach severity and determining notification obligations
  • SDPI notification template — pre-prepared notification form containing all information required by GDPR Article 33
  • Client notification template — Article 33(2) processor notification to client controllers; timed to allow the client to meet their SDPI deadline
  • Data subject notification template — for high-risk breaches requiring direct notification to affected individuals
  • Internal breach log — the Article 33(5) internal record of all breaches, including those below the SDPI notification threshold
  • Breach simulation exercise — tabletop exercise testing the breach response procedure against a realistic scenario
  • Post-breach review procedure — documenting lessons learned and implementing technical or procedural improvements

Outsourced Data Protection Officer (DPO)

The Data Protection Officer is the GDPR-designated expert responsible for monitoring compliance, advising on data protection obligations, training staff, and acting as the contact point for data subjects and the SDPI. GDPR explicitly permits the DPO role to be performed by an external service provider. For SaaS companies at the growth stage, an outsourced DPO provides the required expertise and designated accountability without the full-time hire that the volume of GDPR activity may not yet justify.

  • DPO designation — formal notification of the outsourced DPO to the SDPI where required
  • GDPR compliance programme oversight — monitoring ongoing compliance and flagging emerging issues
  • Data subject rights management — managing DSR responses within GDPR timeframes
  • Data breach management — leading breach assessment, notification decisions, and SDPI correspondence
  • DPIA oversight — reviewing Data Protection Impact Assessments for high-risk processing activities
  • Client DPA queries — responding to client GDPR questions about the platform's data processing
  • Staff training — annual GDPR training delivery with attendance records
  • SDPI liaison — responding to SDPI enquiries and cooperating with supervisory activities
  • Monthly DPO report — summary of GDPR activity, incidents, and open issues for the management team

SaaS GDPR Obligations: Controller vs. Processor

The table below maps the key GDPR obligations to whether they apply in the controller role (your own users), the processor role (your clients’ users), or both. Both dimensions must be covered for full compliance.

GDPR Obligation | Controller role (own users) | Processor role (client users)
--- | --- | ---
Privacy notice / transparency | Required — published privacy policy | Not directly (client publishes their own policy)
Lawful basis for processing | Required — documented per activity | Not required — client is responsible for lawful basis
Records of processing (ROPA) | Required — Article 30(1) | Required — Article 30(2) (separate processor record)
Data Processing Agreement | Not required (you are the controller) | Required with every client before processing begins
Sub-processor DPAs | N/A | Required — must bind all sub-processors to GDPR obligations
Data subject rights response | Required — own users’ requests | Assist client in responding to their users’ requests
72-hour SDPI notification of breach | Required — if risk to individuals | Not directly (but must notify client without undue delay)
Client breach notification | N/A | Required — without undue delay after becoming aware
Data security measures | Required — appropriate to risk | Required — as specified in DPA and security annex
Data retention limits | Apply GDPR minimisation principle | Return or delete on instruction or contract termination
International transfer mechanism | Required for transfers outside EEA | Required for sub-processor transfers outside EEA
DPIA (high-risk processing) | Required where applicable | Support client DPIA where processing involves client data

GDPR Compliance as a Sales Enabler

GDPR compliance is often framed as a cost and a compliance burden. For B2B SaaS companies, it is also a commercial differentiator — particularly in enterprise sales where procurement teams evaluate data protection maturity as a vendor selection criterion.

What enterprise clients check

Enterprise procurement teams — particularly those in financial services, healthcare, legal, and government — conduct structured GDPR due diligence on new SaaS vendors. The standard questions cover: whether the company has a designated DPO or data protection contact; whether a GDPR-compliant DPA is available; what sub-processors are used and whether they have adequate data transfer mechanisms; what security measures are in place (encryption at rest and in transit, access controls, penetration testing); what the breach notification procedure is; and whether the data is stored within the EU or in adequacy-recognised countries. A SaaS company that can answer all of these questions with documentation — not just verbal reassurance — closes enterprise contracts faster.

Security questionnaires

Large enterprise clients frequently send security questionnaires alongside the DPA — asking for technical details about the platform’s security architecture, data handling practices, and compliance certifications. The questionnaire typically covers: encryption standards, access control policies, backup and recovery procedures, penetration testing frequency, incident response procedures, and sub-processor locations. Having documented technical and organisational measures (TOMs) — which the DPA security annex should reference — allows these questionnaires to be completed accurately and consistently. Without documentation, each questionnaire is answered from memory, producing inconsistent and sometimes inaccurate responses that raise flags in the client’s security review.

Data processing as a product feature

An increasing number of SaaS buyers — particularly in regulated industries — view GDPR compliance not as a minimum bar but as a product feature. Data residency options (EU-only data storage), ISO 27001 certification, SOC 2 Type II compliance, and demonstrable GDPR accountability are increasingly listed as requirements in enterprise RFPs. Building GDPR compliance into the product from inception, rather than retrofitting it under sales pressure, allows the company to compete in enterprise segments that would otherwise be inaccessible.

GDPR Compliance Pricing

Defined GDPR engagements are priced at fixed fees. Ongoing DPO function and complex multi-entity compliance programmes are quoted on request.

Service | Description | Price
--- | --- | ---
GDPR gap assessment — written report | Full assessment of current GDPR compliance against both controller and processor obligations; prioritised action plan | €700
Data mapping and ROPA (records of processing) | Identifying all processing activities; Article 30 register for both controller and processor records | €800
Lawful basis analysis | Confirming the legal basis for each processing activity; legitimate interest assessments where applicable | €600
Full GDPR compliance programme setup | Gap assessment + data mapping + lawful basis analysis + privacy notice + ROPA + breach procedure + DSR procedures | €2,000
Annual GDPR programme review | Reviewing all documentation and processing activities against current regulatory guidance and product changes | €800
DPA template — SaaS-specific standalone | Article 28-compliant; security annex; sub-processor provisions; SCC clause; data return/deletion | €700
Enterprise DPA review (client-proposed) | Written commentary on material deviations; negotiating strategy | €600
International data transfer addendum (SCCs) | Standard Contractual Clauses for processor-to-sub-processor EEA transfers | €600
DPA portfolio audit (existing clients) | Reviewing all current client relationships; identifying gaps; issuing DPAs where missing | €800
Sub-processor mapping and list preparation | Identifying all sub-processors; confirming DPA status; drafting published sub-processor list | €700
Annual sub-processor list review and update | Confirming accuracy; updating for new additions; refreshing international transfer mechanisms | €500
Data subject rights procedures (full set) | Access, erasure, portability, objection, and restriction procedures; DSR log template | €800
Data breach response procedure | Triage workflow, severity assessment, SDPI notification template, client notification template, internal log | €700
Breach simulation exercise | Tabletop exercise testing the breach response against a realistic scenario; written debrief | €800
Privacy notice — SaaS-specific | Controller privacy notice specific to SaaS data processing; published-ready | €650
Cookie policy + consent banner specification | Policy + technical specification for GDPR-compliant consent implementation | €550
Data Protection Impact Assessment (DPIA) | For high-risk processing activities; quoted based on processing complexity | On request
Outsourced DPO — monthly retainer | Full DPO function; based on user base size and expected SDPI/client interaction frequency | On request
DPO one-off consultation (breach or SDPI query) | Per session — urgent data breach assessment or SDPI correspondence outside a retainer | €500
SaaS GDPR compliance bundle (programme setup + DPA template + sub-processor list + DSR procedures + breach procedure) | Complete initial compliance programme — saving of €700 vs. individual items | €3,500

SaaS GDPR compliance bundle — what’s included

The €3,500 SaaS GDPR compliance bundle delivers the complete initial GDPR compliance programme for a B2B SaaS company: full gap assessment and ROPA, privacy notice, DPA template with security annex and sub-processor list, data subject rights procedures, and data breach response procedure. These seven deliverables cover both the controller and processor dimensions of the SaaS GDPR obligation. Commissioning them individually costs €4,200. The bundle saves €700 and produces an integrated, internally consistent programme — where the DPA cross-references the same sub-processors as the sub-processor list, and the breach procedure aligns with the notification timelines in the DPA.

Ready to build your SaaS GDPR compliance programme?

Contact us to book an initial GDPR gap assessment. We will review your current documentation and processing activities, identify the priority gaps, and provide a structured implementation plan. The full compliance programme bundle — covering both your controller and processor obligations — is available at €3,500.