How to Sell Software to EU Customers Without Breaking Data Protection Law?
GDPR applies to SaaS vendors processing EU and EEA personal data, wherever they are based. Fines have exceeded €5.88B since 2018. This guide outlines 15 key compliance areas.
1. Does GDPR Apply to Your SaaS?
The short answer: almost certainly yes, if any of your users or your customers' users are in the EU. GDPR applies when you process personal data of individuals in the EU/EEA, regardless of your location. Article 3 of the GDPR gives the regulation extraterritorial reach. You do not need an EU office, EU servers, or EU employees to fall within scope.
Your SaaS is in scope if it does any of the following:
• Collects user account details (names, emails, IP addresses) from EU-based users
• Processes personal data on behalf of EU-based customers (B2B)
• Tracks behavior, runs analytics, or stores cookies for EU visitors
• Sends marketing communications to people in the EU
2. Controller vs. Processor: Know Your Role
One of the most common compliance mistakes SaaS companies make is misunderstanding whether they are a data controller, a data processor, or both. Under GDPR Articles 24 and 28, the distinction determines your legal obligations.
Role | Definition | Typical SaaS Example |
Data Controller | Determines the purposes and means of processing personal data | You collect user emails for your own marketing; you decide what analytics to run on user behavior |
Data Processor | Processes personal data on behalf of a controller | Your customer uploads their end-user data to your platform and you process it per their instructions |
Joint Controller | Two or more parties jointly determine the purposes and means | You and a partner company jointly run a campaign using shared customer data |
Most B2B SaaS companies operate as both controller and processor simultaneously. You are a controller for the data you collect for your own purposes (account management, billing, product analytics, marketing). You are a processor for the data your customers feed into your platform on behalf of their end users.
This dual role matters because each carries different obligations. As a controller, you need a lawful basis for every processing activity. As a processor, you must follow documented instructions from your customer (the controller) and sign a compliant Data Processing Agreement.
3. Establish a Lawful Basis for Every Processing Activity
GDPR Article 6 requires that every instance of processing personal data be grounded in one of six lawful bases. You cannot retroactively switch bases, so get this right from the start.
Lawful Basis | When It Applies in SaaS | Key Requirement |
Contract Performance (Art. 6(1)(b)) | Core product functionality, user account creation, billing, subscription management | Processing must be necessary to deliver the service the user signed up for |
Consent (Art. 6(1)(a)) | Marketing emails, non-essential cookies, optional analytics, newsletters | Must be freely given, specific, informed, and unambiguous; must be as easy to withdraw as to give |
Legitimate Interest (Art. 6(1)(f)) | Fraud prevention, product security, limited analytics for service improvement | Requires a documented Legitimate Interest Assessment balancing your interest against user rights |
Legal Obligation (Art. 6(1)(c)) | Tax record retention, regulatory reporting, law enforcement cooperation | Processing must be required by EU or member state law |
Vital Interest (Art. 6(1)(d)) | Extremely rare in SaaS; emergency situations threatening life | Almost never applicable to commercial software |
Public Interest (Art. 6(1)(e)) | Government or public-sector SaaS contracts | Must be necessary for a task carried out in the public interest |
For most SaaS companies, the workhorses are contract performance (for core features), consent (for marketing and optional tracking), and legitimate interest (for security and basic analytics).
A critical point: consent for cookies and tracking must be obtained before the cookies fire, not after. This means implementing a cookie consent banner with pre-blocking technology, not a banner that loads tracking scripts on page load and asks forgiveness later.
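The pre-blocking described above, as an added example that is not code from the original article: tags are emitted inert and a small gate decides which may be activated once an explicit consent record exists. The category names, record shape and function names are this example's own assumptions.

```javascript
// Added example (not from the original article): a consent gate that keeps
// non-essential tags blocked until the visitor has actively opted in.
// CONSENT_CATEGORIES, the consent record shape and the function names are assumed here.

// Categories a banner typically offers; only "essential" may run without consent.
const CONSENT_CATEGORIES = ["essential", "analytics", "marketing"];

// State before the visitor answers the banner: nothing optional is allowed.
// This default is the "pre-blocking"; a banner that only records the answer
// after tags have already loaded fails the requirement.
function defaultConsent() {
  return { version: 1, decidedAt: null, analytics: false, marketing: false };
}

// Consent must be an unambiguous, affirmative choice: a missing or malformed
// record, an undecided one, or a record from another banner version counts as "no".
function isGranted(consent, category) {
  if (category === "essential") return true;
  if (!CONSENT_CATEGORIES.includes(category)) return false;
  if (!consent || consent.version !== 1 || consent.decidedAt === null) return false;
  return consent[category] === true; // "yes", 1 or "true" strings are not consent
}

// Given tag descriptors like { id: "ga4", category: "analytics" }, return the ids
// that may be activated under this consent record.
function scriptsToActivate(tags, consent) {
  return tags.filter((t) => isGranted(consent, t.category)).map((t) => t.id);
}

// Withdrawal must be as easy as giving consent: one call resets every optional
// category. The caller must also delete the cookies those tags already set.
function withdrawConsent(consent) {
  const base = consent && consent.version === 1 ? consent : defaultConsent();
  return { ...base, decidedAt: new Date().toISOString(), analytics: false, marketing: false };
}

// Browser glue. Deferred tags are written as
//   <script type="text/plain" data-tag="ga4" data-consent="analytics" data-src="https://..."></script>
// type="text/plain" stops the browser executing them and data-src stops it fetching them;
// cloning an allowed tag into a real <script> is what finally loads it.
function activateInDocument(doc, consent) {
  const pending = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'));
  const tags = pending.map((el) => ({ id: el.dataset.tag, category: el.dataset.consent, el }));
  const allowed = new Set(scriptsToActivate(tags, consent));
  for (const t of tags) {
    if (!allowed.has(t.id)) continue;
    const live = doc.createElement("script");
    live.src = t.el.dataset.src;
    t.el.replaceWith(live);
  }
  return allowed.size; // number of tags activated on this page
}
```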
4. Sign a Data Processing Agreement (DPA) with Every Customer
If you act as a data processor for your customers, Article 28 of the GDPR requires a binding written contract between you (the processor) and your customer (the controller). This is called a Data Processing Agreement (DPA). Operating without one is an infringement on its own, carrying fines of up to EUR 10 million or 2% of global annual turnover.
Your DPA must cover, at minimum, the following elements as set out in Article 28(3):
Required DPA Element | What It Means in Practice |
Subject matter and duration | Define what data you process, why, and for how long |
Nature and purpose of processing | Describe the specific operations (storage, analysis, display, etc.) |
Type of personal data and categories of data subjects | List the data fields (names, emails, usage data) and who they belong to |
Obligations and rights of the controller | Confirm your customer retains control over their data |
Documented instructions | You process data only as the customer instructs, unless required by law |
Confidentiality | All personnel with access must be bound by confidentiality obligations |
Security measures | Describe the technical and organizational measures you use |
Sub-processor management | You may not engage sub-processors without prior written authorization |
Assistance with data subject rights | You must help customers respond to access, deletion, and portability requests |
Breach notification | You must notify the customer without undue delay after becoming aware of a breach |
Data deletion or return | At contract end, delete or return all personal data at the customer's choice |
Audit rights | The customer (or their auditor) has the right to verify your compliance |
Enterprise buyers expect a ready-made DPA as part of their procurement process. According to Secure Privacy's DPA guide, the absence of a comprehensive DPA immediately signals immaturity and can disqualify you from consideration. Custom DPA negotiations can extend sales cycles by 4 to 12 weeks on average.
Best practice: Publish a self-serve trust center where prospects can download your standard DPA, review your sub-processor list, and access security documentation without back-and-forth emails.
5. Handle International Data Transfers Correctly
If your SaaS is hosted outside the EU/EEA (which includes most US-based companies using AWS, GCP, or Azure in US regions), you are transferring personal data internationally. GDPR Chapter V (Articles 44-49) imposes strict rules on such transfers. There are three main mechanisms:
5a. Adequacy Decisions
The European Commission can declare that a non-EU country offers adequate data protection, allowing data to flow freely. Countries with adequacy decisions include Andorra, Argentina, Canada (commercial organizations), Japan, New Zealand, Republic of Korea, Switzerland, the United Kingdom, Uruguay, and the United States (for organizations certified under the Data Privacy Framework).
For US-based SaaS companies, the EU-US Data Privacy Framework (DPF) is the most streamlined path. The European Commission adopted its adequacy decision in July 2023. On September 3, 2025, the EU General Court upheld the DPF's validity in the Latombe v. Commission case (T-553/23). To benefit, your company must self-certify through the US Department of Commerce.
However, the DPF has faced political uncertainty. As CMS Law-Now has noted, changes to the Privacy and Civil Liberties Oversight Board and executive orders reviewing predecessor national security decisions have raised questions about the framework's long-term stability.
5b. Standard Contractual Clauses (SCCs)
Standard Contractual Clauses are pre-approved legal templates issued by the European Commission. The current SCCs, adopted on June 4, 2021, use a modular structure:
SCC Module | Transfer Scenario |
Module 1 | Controller to Controller |
Module 2 | Controller to Processor |
Module 3 | Processor to Processor (sub-processor) |
Module 4 | Processor to Controller |
Most SaaS companies will use Module 2 (your EU customer transfers data to you, the processor) and Module 3 (you transfer data to a sub-processor).
Since the Schrems II ruling in July 2020, signing SCCs alone is not sufficient. You must also conduct a Transfer Impact Assessment (TIA) for every transfer, evaluating whether the laws of the destination country could compromise the protections in the SCCs. If the assessment reveals risks, you must implement supplementary measures such as strong encryption, pseudonymization, or contractual commitments.
Even if you rely on the DPF, maintaining SCCs as a backup is strongly recommended. Multiple law firms, including Heuking and DLA Piper, advise this dual approach given the DPF's uncertain political environment.
5c. Binding Corporate Rules (BCRs)
BCRs are internal rules for multinational corporate groups to transfer data within the group. They require approval from data protection authorities and are generally impractical for most SaaS startups and mid-market companies.
6. Implement Technical and Organizational Security Measures
Article 32 of the GDPR requires both controllers and processors to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
Technical measures:
• Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256 or equivalent)
• Access controls with role-based permissions and least-privilege principles
• Multi-factor authentication for administrative and sensitive access
• Regular vulnerability scanning and penetration testing
• Logging and monitoring of access to personal data
• Data isolation in multi-tenant architectures to prevent cross-tenant data leakage
• Automated backup and disaster recovery procedures
Organizational measures:
• Written information security policies
• Employee training on GDPR and data protection
• Incident response plan with defined roles and escalation paths
• Vendor and sub-processor due diligence processes
• Regular internal audits of data handling practices
Holding certifications like SOC 2 Type II and ISO 27001 is not required by the GDPR itself, but these certifications serve as strong evidence of appropriate security measures. As Drata's compliance guide notes, most enterprise buyers will not sign a contract without a SOC 2 report or equivalent.
7. Handle Data Subject Rights Requests
GDPR grants individuals a robust set of rights over their personal data. Your SaaS must be able to fulfill these requests within the required timeframes.
Right | GDPR Article | What It Requires | Deadline |
Right of Access | Art. 15 | Provide a copy of all personal data you hold about the individual | 1 month |
Right to Rectification | Art. 16 | Correct inaccurate personal data on request | 1 month |
Right to Erasure | Art. 17 | Delete personal data when no longer necessary, consent withdrawn, or processing unlawful | 1 month |
Right to Restriction | Art. 18 | Limit processing in certain circumstances | 1 month |
Right to Data Portability | Art. 20 | Provide data in a structured, machine-readable format | 1 month |
Right to Object | Art. 21 | Stop processing based on legitimate interest or for direct marketing | Without undue delay |
Automated Decision-Making | Art. 22 | Not be subject to decisions based solely on automated processing with significant effects | 1 month |
For B2B SaaS where you are the processor: your customer (the controller) is the one who must respond to data subject requests from their end users. Your obligation is to assist them. This means building features into your platform that allow customers to export, correct, and delete their end-user data efficiently.
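One way to build those processor-side features, as an added example that is not code from the original article: every operation is scoped to the requesting customer (the controller), export returns a structured JSON record, rectification is limited to fields the subject may correct, and erasure leaves records that are retained under a legal obligation (such as the tax-record retention named under the lawful bases above) in place. The store layout, the `basis` field and the function names are this example's own assumptions.

```javascript
// Added example (not from the original article): data subject request helpers for a
// processor. The in-memory `store`, its fields and the function names are constructed here.

// Constructed sample data. Records are keyed by tenant (the controller) so one customer's
// request can never reach another customer's end users, even when subject ids collide.
const store = {
  "acme-gmbh": [
    { subjectId: "u-1", email: "anna@example.com", plan: "pro", basis: "contract" },
    { subjectId: "u-1", invoiceNo: "INV-7", amount: 49, basis: "legal_obligation" },
    { subjectId: "u-2", email: "bo@example.com", plan: "free", basis: "contract" },
  ],
  "beta-sas": [
    { subjectId: "u-1", email: "chloe@example.com", plan: "team", basis: "contract" },
  ],
};

// Fields an end user may have corrected (Art. 16). The lawful basis and the
// subject id are ours to maintain, not the subject's to rewrite.
const RECTIFIABLE = new Set(["email", "plan"]);

// Art. 15 and Art. 20: everything held about one subject for one controller, in a
// structured, machine-readable form the controller can hand to the individual.
function exportSubject(db, tenantId, subjectId) {
  const records = (db[tenantId] || []).filter((r) => r.subjectId === subjectId);
  return { tenantId, subjectId, format: "application/json", records };
}

// Art. 16: apply corrections, ignoring any field outside the whitelist. Returns the
// number of records touched so the controller can confirm completion to the subject.
function rectifySubject(db, tenantId, subjectId, changes) {
  const allowed = Object.entries(changes).filter(([k]) => RECTIFIABLE.has(k));
  let updated = 0;
  for (const r of db[tenantId] || []) {
    if (r.subjectId !== subjectId) continue;
    let touched = false;
    for (const [k, v] of allowed) {
      if (k in r) { r[k] = v; touched = true; }
    }
    if (touched) updated++;
  }
  return updated;
}

// Art. 17: delete the subject's records, except those held under a legal obligation
// (e.g. invoices kept for tax law), which are reported back as retained rather than
// silently kept. The receipt is what the controller relays to the individual.
function eraseSubject(db, tenantId, subjectId) {
  if (!db[tenantId]) return { tenantId, subjectId, erased: 0, retained: 0 };
  let erased = 0;
  let retained = 0;
  db[tenantId] = db[tenantId].filter((r) => {
    if (r.subjectId !== subjectId) return true;
    if (r.basis === "legal_obligation") { retained++; return true; }
    erased++;
    return false;
  });
  return { tenantId, subjectId, erased, retained };
}
```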
8. Build a Breach Notification Process
Article 33 of the GDPR requires controllers to notify the relevant supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. If the breach poses a high risk to individuals, Article 34 requires direct notification to the affected data subjects as well.
As the EDPB's breach notification guidelines clarify, the 72-hour clock starts when the organization has a reasonable degree of certainty that a breach has occurred, not when it has full forensic details. If you cannot provide all information within 72 hours, the GDPR allows phased reporting, but you must explain the delay.
Failure to notify is a standalone violation carrying fines of up to EUR 10 million or 2% of global annual turnover.
What your breach notification process needs:
• Defined internal escalation paths so incidents reach decision-makers fast
• Pre-drafted notification templates for supervisory authorities and data subjects
• A breach register documenting all breaches (even those not reported), as required by Article 33(5)
• Coordination procedures with customers, since your customers may also need to file their own notifications
9. Conduct Data Protection Impact Assessments (DPIAs)
Article 35 of the GDPR requires a Data Protection Impact Assessment before processing that is likely to result in a high risk to individuals' rights and freedoms. This includes systematic and extensive profiling, large-scale processing of special categories of data, and systematic monitoring of publicly accessible areas.
For SaaS companies, DPIAs are most commonly needed when launching new features that involve automated decision-making, behavioral profiling, or processing sensitive data categories.
A DPIA must describe the processing operations, assess the necessity and proportionality of the processing, evaluate risks to individuals, and document the measures you will take to mitigate those risks. If a DPIA reveals high residual risk that cannot be mitigated, you must consult your supervisory authority before proceeding (Article 36).
10. Appoint a Data Protection Officer (If Required)
Article 37 of the GDPR requires you to appoint a Data Protection Officer (DPO) if your core activities involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data.
Many SaaS companies that handle significant volumes of user data will meet the first criterion. The DPO can be an internal employee or an external service provider. They must report to the highest level of management, and their contact details must be published and communicated to the supervisory authority.
Even if a DPO is not legally required, designating someone to own data protection compliance is practical good sense, especially when navigating enterprise sales.
11. Manage Your Sub-processors
When you share customer data with third parties (cloud hosting, email services, analytics, payment processors), those are sub-processors. Under Article 28(2), you must not engage a sub-processor without the prior specific or general written authorization of your customer.
Obligation | What It Means |
Prior authorization | Get written consent from customers before engaging new sub-processors |
Equivalent contractual protections | Every sub-processor must be bound by the same data protection obligations as your DPA |
Liability | You remain fully liable to the controller for the performance of your sub-processors |
Transparency | Maintain and publish a current list of sub-processors with names, purposes, and locations |
Notification of changes | Inform customers of intended additions or replacements with time to object |
Best practice: Publish your sub-processor list on your website and implement an email notification system so customers are automatically alerted to changes.
12. Maintain Records of Processing Activities (ROPA)
Article 30 of the GDPR requires both controllers and processors to maintain written records of their processing activities. These records must be made available to supervisory authorities on request. For processors, the ROPA must include:
• Name and contact details of the processor, each controller, and the DPO (if applicable)
• Categories of processing carried out on behalf of each controller
• Transfers of personal data to a third country, including the transfer mechanism used
• A general description of technical and organizational security measures
13. Practical Implementation Checklist
The following checklist summarizes the key steps in priority order for a SaaS company preparing to sell to EU customers:
# | Action | Key GDPR Article |
1 | Map all personal data flows: what data you collect, where it goes, and why | Art. 30 |
2 | Determine your role (controller, processor, or both) for each data flow | Art. 4(7), 4(8) |
3 | Establish a lawful basis for each processing activity | Art. 6 |
4 | Draft and publish a GDPR-compliant privacy policy | Art. 13, 14 |
5 | Create a standard DPA and make it available to customers | Art. 28 |
6 | Implement a cookie consent mechanism with pre-blocking | ePrivacy Dir., Art. 6(1)(a) |
7 | Set up international data transfer mechanisms (DPF, SCCs, or both) | Art. 44-49 |
8 | Build features for data subject rights (export, delete, correct) | Art. 15-22 |
9 | Implement appropriate technical and organizational security measures | Art. 32 |
10 | Establish a 72-hour breach notification process | Art. 33, 34 |
11 | Publish a sub-processor list and change notification process | Art. 28(2) |
12 | Maintain Records of Processing Activities | Art. 30 |
13 | Conduct DPIAs for high-risk processing activities | Art. 35 |
14 | Appoint a DPO if required, or designate a privacy lead | Art. 37 |
15 | Pursue SOC 2 Type II or ISO 27001 certification | Art. 32 (evidence) |
16 | Build a public trust center (DPA, sub-processor list, security docs) | Art. 5(2) (accountability) |
14. Common Mistakes to Avoid
Treating GDPR as a one-time checkbox. GDPR compliance is ongoing. Enforcement trends evolve, your product changes, your data flows change, and your sub-processors change. Build compliance into your development and release processes.
Relying on consent for everything. Consent is the wrong lawful basis for most core SaaS functionality. Use contract performance for features necessary to deliver the service. Reserve consent for optional processing like marketing and non-essential analytics.
Ignoring the ePrivacy Directive. Cookie consent is governed by the ePrivacy Directive, not just the GDPR. Non-essential cookies and trackers require prior, informed consent.
Assuming DPF certification alone is sufficient. While the DPF provides a valid transfer mechanism for now, its future depends on US political and legal developments. Maintaining SCCs as a fallback ensures business continuity.
Copying a competitor's privacy policy. Your privacy policy must accurately reflect your specific data processing activities, not a generic template. Inaccurate or incomplete privacy notices are a common enforcement target.
Neglecting to vet sub-processors. You are liable for your sub-processors' failures. Conduct due diligence and ensure contractual protections are in place.
15. Enforcement Trends to Watch
Trend | Details |
Increasing fine amounts | More than 60% of all GDPR fines by value have been imposed since January 2023 (Scrut) |
Expanding sector focus | Regulators are moving beyond Big Tech to finance, healthcare, energy, and telecom (Data Privacy Manager) |
Personal liability for executives | The Dutch DPA is investigating holding Clearview AI directors personally liable (DLA Piper) |
AI and automated decisions | The EU AI Act creates overlapping obligations with GDPR for companies using AI features |
Dark patterns and consent manipulation | Regulators are increasingly targeting manipulative consent interfaces that steer users toward accepting tracking |
References
1. GDPR Full Text - https://gdpr-info.eu/
2. European Commission - Standard Contractual Clauses - https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en
3. European Commission - SCCs Q&A - https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/new-standard-contractual-clauses-questions-and-answers-overview_en
4. EU-US Data Privacy Framework - https://www.dataprivacyframework.gov/Program-Overview
5. DLA Piper - GDPR Fines and Data Breach Survey, January 2025 - https://www.dlapiper.com/en/insights/publications/2025/01/dla-piper-gdpr-fines-and-data-breach-survey-january-2025
6. CMS - GDPR Enforcement Tracker Report 2024/2025 - https://cms.law/en/int/publication/gdpr-enforcement-tracker-report/numbers-and-figures
7. CMS GDPR Enforcement Tracker (Live Database) - https://www.enforcementtracker.com/
8. EDPB - Guidelines 9/2022 on Breach Notification (Version 2.0) - https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf
9. Bird & Bird - DPF Survives Legal Challenge (Latombe Decision) - https://www.twobirds.com/en/insights/2025/euus-data-privacy-framework-survives-legal-challenge-what-the-latombe-decision-means-for-internation
10. Heuking - General Court Confirms EU-US Data Privacy Framework - https://www.heuking.de/en/news-events/newsletter-articles/detail/eug-confirms-effectiveness-of-eu-us-data-privacy-framework.html
11. CMS Law-Now - Is the EU-US Data Privacy Framework in Danger? - https://cms-lawnow.com/en/ealerts/2025/01/is-the-eu-u.s.-data-privacy-framework-in-danger
12. Epstein Becker Green - DPF Survives Challenge - https://www.workforcebulletin.com/adequacy-of-the-eu-u-s-data-privacy-framework-survives-challenge
13. Steptoe - New SCCs for International Transfers Coming in 2025 - https://www.steptoe.com/en/news-publications/steptechtoe-blog/new-standards-contractual-clauses-for-the-international-transfer-of-personal-data-coming-up-in-2025.html
14. ICO - Controller-Processor Contracts Guidance - https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/contracts-and-liabilities-between-controllers-and-processors-multi/what-needs-to-be-included-in-the-contract/
15. ICO - Personal Data Breaches Guide - https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/personal-data-breaches-a-guide/
16. Irish DPC - Practical Guide to Controller-Processor Contracts - https://www.dataprotection.ie/en/dpc-guidance/data-processing-agreements
17. Scrut - GDPR Fines and Penalties Guide - https://www.scrut.io/hub/gdpr/gdpr-fines-penalties-us-eu-guide
18. Data Privacy Manager - Biggest GDPR Fines - https://dataprivacymanager.net/5-biggest-gdpr-fines-so-far-2020/
19. Drata - SaaS Compliance Guide - https://drata.com/blog/saas-compliance
20. Secure Privacy - DPA Guide for SaaS - https://secureprivacy.ai/blog/data-processing-agreements-dpas-for-saas