GDPR Compliance for SaaS Companies
If your SaaS product is used by people in the EU, GDPR applies even if your company is US-based. SaaS companies face dual obligations: as a Data Controller for the personal data they collect for their own purposes (employees, marketing lists, account holders) and as a Data Processor for the personal data customers put into the service. With EU fines exceeding €1.7B in 2024 and supervisory authority investigations lasting years, GDPR compliance is not a checkbox; it is an ongoing operational requirement with legal and financial consequences for violations.
Penalty Range (Article 83): Tier 1, up to €10M or 2% of global annual turnover for the preceding financial year; Tier 2, up to €20M or 4% of global annual turnover; in each tier, whichever is higher.
Compliance Context for SaaS Companies
The Irish Data Protection Commission (DPC), Europe's most active supervisory authority, has levied over €3B in GDPR fines since 2022, including landmark decisions against Meta, LinkedIn, and WhatsApp. For SaaS companies, the most common enforcement triggers are inadequate data processing agreements, failure to answer data subject requests within the one-month deadline, and improper cookie consent. The EU AI Act, whose main obligations apply from August 2026, adds requirements for SaaS companies building AI features: transparency about AI processing and respect for data subject rights in AI contexts.
Key GDPR Requirements for SaaS Companies
- Data Processing Agreement (DPA): a signed Article 28 contract with every customer for whom you process personal data within GDPR scope, whether or not the customer itself is EU-based; it must bind you to documented instructions, confidentiality, Article 32 security measures, sub-processor restrictions, assistance with data subject requests and breaches, audit rights, and deletion or return of the data at the end of the service
- Privacy by Design review: documented process for reviewing privacy implications before launching new features, with data minimization and purpose limitation built into the product architecture rather than only the policy
- Lawful basis documentation: the Article 6 lawful basis identified and recorded for each processing activity in which you act as controller
- Records of processing activities: Article 30 records maintained for both your controller and your processor activities
- Privacy Policy and Terms of Service: current and reflecting GDPR requirements, including lawful bases, data subject rights, retention periods, international transfers, and contact details for the DPO or privacy team
- Cookie consent mechanism: documented implementation of explicit opt-in before any non-essential cookie or tracking script is set on the SaaS application; only strictly necessary cookies may be set before consent
- Data subject rights handling: a documented procedure for intake, identity verification, fulfillment, and record-keeping covering access, rectification, erasure ('right to be forgotten'), restriction, objection, and portability, completed within one month of receipt (Article 12(3)), extendable by two further months for complex or numerous requests provided the data subject is told within the first month; as a processor, requests about customer data are routed to the customer and you assist with fulfillment
- Right to erasure procedure: technical deletion from all systems, including backups within a documented window, search indexes, logs, analytics stores, and sub-processors
- Data portability procedure: export of the data subject's data in a structured, commonly used, machine-readable format within the same one-month deadline
- Data retention policy: documented retention schedule with deletion procedures for EU personal data
- Sub-processor management: current list of all sub-processors disclosed to customers, with advance notice of changes, and for each third-country sub-processor the transfer mechanism on file (DPF certification or SCCs)
- Vendor due diligence: documented assessment of new sub-processors before granting them access to EU personal data
- International transfer controls: documented procedures for verifying DPF certification or executing SCCs, with a transfer impact assessment, for all EU-to-US data transfers
- Data breach response: incident response plan with a 72-hour supervisory authority notification procedure for data you control and a without-undue-delay notification to the affected customer for data you process on their behalf
- Incident classification procedure: documented criteria for deciding whether a security incident is a personal data breach requiring notification, and a log of breaches you chose not to notify together with the reasoning (Article 33(5))
- Data protection impact assessment (DPIA): documented process for conducting a DPIA before processing likely to pose a high risk to data subjects (Article 35)
- DPO appointment assessment: documented evaluation of whether a mandatory DPO appointment is required under Article 37
- Supervisory authority coordination: documented procedures for responding to inquiries from EU supervisory authorities within the timeframes they set
- EU AI Act compliance: transparency requirements for AI features and documentation of automated decision-making, which also engages Article 22 GDPR where decisions have legal or similarly significant effects
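The one-month DSAR deadline and the 72-hour breach clock above are easy to state and easy to miss, especially when a request arrives on the 31st of a month. The tracker below is an added example (not code from the original page) showing how to compute and monitor both clocks; the calendar-month convention and the seven-day escalation threshold are assumptions, labelled in the comments, and the request ledger is constructed sample data.

```javascript
// Added example, not from the original page: a deadline tracker for the two
// statutory clocks a SaaS privacy team has to watch. Assumptions, stated as such:
//  - DSAR deadline (Art. 12(3)): one month from receipt, extendable by two further
//    months for complex or numerous requests. "One month" is taken here as the same
//    day-of-month in the target month, clamped to that month's last day when the day
//    does not exist (31 Jan -> 28 or 29 Feb). Check this convention with counsel.
//  - Breach clock (Art. 33(1)): 72 hours from the controller becoming aware.
// All arithmetic is done in UTC so daylight-saving changes cannot shift a deadline.

const HOUR_MS = 60 * 60 * 1000;
const DAY_MS = 24 * HOUR_MS;

// Calendar-month arithmetic with end-of-month clamping (see assumption above).
function addMonthsUtc(date, months) {
  const total = date.getUTCMonth() + months;
  const year = date.getUTCFullYear() + Math.floor(total / 12);
  const month = ((total % 12) + 12) % 12;
  // Day 0 of the following month is the last day of `month`.
  const lastDay = new Date(Date.UTC(year, month + 1, 0)).getUTCDate();
  const day = Math.min(date.getUTCDate(), lastDay);
  return new Date(Date.UTC(year, month, day,
    date.getUTCHours(), date.getUTCMinutes(), date.getUTCSeconds()));
}

// One month, or three months in total when the extension has been invoked.
function dsarDeadline(receivedAt, extended = false) {
  return addMonthsUtc(receivedAt, extended ? 3 : 1);
}

// 72 hours from awareness, for data the company controls.
function breachNotificationDeadline(awareAt) {
  return new Date(awareAt.getTime() + 72 * HOUR_MS);
}

// Classify one request relative to `now`. `dueSoonDays` is an internal
// escalation threshold (assumed), not a legal figure.
function dsarStatus(req, now, dueSoonDays = 7) {
  const due = dsarDeadline(new Date(req.receivedAt), req.extended === true);
  const base = { id: req.id, due: due.toISOString() };
  if (req.fulfilledAt) return { ...base, state: 'closed' };
  const msLeft = due.getTime() - now.getTime();
  if (msLeft < 0) return { ...base, state: 'overdue' };
  if (msLeft <= dueSoonDays * DAY_MS) return { ...base, state: 'due-soon' };
  return { ...base, state: 'open' };
}

// Constructed sample ledger (not real requests).
const SAMPLE_REQUESTS = [
  { id: 'DSAR-001', receivedAt: '2025-01-31T10:00:00Z' },                 // month-end clamp
  { id: 'DSAR-002', receivedAt: '2025-02-05T12:00:00Z' },
  { id: 'DSAR-003', receivedAt: '2025-02-10T09:00:00Z', extended: true },  // three months
  { id: 'DSAR-004', receivedAt: '2025-01-15T08:00:00Z', fulfilledAt: '2025-02-01T00:00:00Z' },
];

// Status of every request in the ledger at a fixed "now" (constructed).
function report(now = new Date('2025-03-01T00:00:00Z')) {
  return SAMPLE_REQUESTS.map((r) => dsarStatus(r, now));
}

console.log(report());
console.log(breachNotificationDeadline(new Date('2025-03-01T08:30:00Z')).toISOString());
```

In the sample run, DSAR-001 (received 31 January) falls due on 28 February rather than 3 March, which is the case a naive "add 30 days" implementation gets wrong in the controller's favour. Hook `report()` into a daily job that pages the privacy team on `due-soon` and `overdue` states, and store the computed `due` value with the request so the deadline is visible in the ticket itself.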
Common Violations & Pitfalls
- No Article 28 DPA with customers whose EU personal data you process
- Analytics or marketing cookies and tags firing before the user has opted in; banners that offer only "accept", or pre-ticked boxes, do not produce valid consent
- No documented DSAR handling procedure, or no tracking of the one-month deadline for each request
- EU personal data transferred to US infrastructure or sub-processors with neither DPF certification nor Standard Contractual Clauses (SCCs), or SCCs signed without a transfer impact assessment
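The cookie pitfall above is usually a code problem rather than a policy problem: the analytics snippet is pasted into the page template and runs on first load. The consent manager below is an added example (not code from the original page) of the opt-in gating that fixes it. It treats no record, a malformed record, and a record for an older policy version as "no consent", loads non-essential scripts only for the categories the user accepted, and records the timestamp of the choice. The storage object and the script-loader callback are injected so the logic runs under Node; the storage key and script URLs are placeholders, not real endpoints.

```javascript
// Added example, not from the original page: consent-gated loading of
// non-essential scripts. Nothing analytics-related runs or sets cookies until
// the user has opted in; a missing, malformed, or outdated consent record is
// treated as "no consent" because GDPR requires opt-in, not opt-out.
//
// The DOM is abstracted behind a `scriptLoader` callback so the example runs
// under Node; in a browser you would pass a function that appends a <script>
// element. Storage is an injectable localStorage-like object for the same reason.

const CONSENT_KEY = 'cookie_consent_v1'; // assumed storage key (placeholder)
const CONSENT_VERSION = 1;               // bump when the cookie policy changes

// Scripts that MUST NOT load before opt-in. The URLs are placeholders.
const NON_ESSENTIAL = {
  analytics: 'https://analytics.example/tag.js',
  marketing: 'https://ads.example/pixel.js',
};

class ConsentManager {
  constructor({ storage, scriptLoader, now = () => new Date() }) {
    this.storage = storage;
    this.scriptLoader = scriptLoader;
    this.now = now;
    this.loaded = new Set(); // categories whose script has been injected
  }

  // Returns the stored consent record or null. A record written under an
  // older policy version is ignored: consent must be re-obtained after changes.
  record() {
    const raw = this.storage.getItem(CONSENT_KEY);
    if (!raw) return null;
    try {
      const rec = JSON.parse(raw);
      return rec && rec.version === CONSENT_VERSION ? rec : null;
    } catch {
      return null;
    }
  }

  // Opt-in is the only path to true: absence of a record, a malformed record,
  // or an explicit refusal all mean no consent for that category.
  hasConsent(category) {
    const rec = this.record();
    return rec !== null && rec.categories[category] === true;
  }

  // Record the user's banner choice with a timestamp; that record is the
  // evidence a controller needs to demonstrate consent was given.
  setConsent(categories) {
    const rec = {
      version: CONSENT_VERSION,
      at: this.now().toISOString(),
      categories: { ...categories },
    };
    this.storage.setItem(CONSENT_KEY, JSON.stringify(rec));
    this.applyConsent();
    return rec;
  }

  // Withdrawal must be as easy as giving consent (Art. 7(3)). An injected
  // script cannot be unloaded, so return the categories already loaded;
  // the page uses that list to delete the cookies those tags have set.
  withdraw() {
    this.storage.removeItem(CONSENT_KEY);
    return [...this.loaded];
  }

  // Load exactly the non-essential scripts the user opted into, each once.
  // Returns the categories loaded on this call.
  applyConsent() {
    const loadedNow = [];
    for (const [category, url] of Object.entries(NON_ESSENTIAL)) {
      if (this.hasConsent(category) && !this.loaded.has(category)) {
        this.scriptLoader(url);
        this.loaded.add(category);
        loadedNow.push(category);
      }
    }
    return loadedNow;
  }
}

// In-memory stand-in for localStorage so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, String(v)),
    removeItem: (k) => m.delete(k),
  };
}

// Demo: first visit with no record loads nothing; opting into analytics only
// loads just that tag; withdrawal reports what now needs cleaning up.
function demo() {
  const calls = [];
  const cm = new ConsentManager({ storage: memoryStorage(), scriptLoader: (u) => calls.push(u) });
  const onFirstVisit = cm.applyConsent();
  cm.setConsent({ analytics: true, marketing: false });
  const afterOptIn = [...calls];
  const withdrawn = cm.withdraw();
  return { onFirstVisit, afterOptIn, withdrawn, consentAfterWithdraw: cm.hasConsent('analytics') };
}

console.log(demo());
```

The important property is that `applyConsent()` is the only place a non-essential URL is ever passed to the loader, so a page template that calls it on load is safe by construction; the bug the pitfall describes comes from bypassing this path with a hard-coded tag. Versioning the record forces re-consent when the cookie policy changes, and the timestamp gives you the evidence trail a supervisory authority will ask for.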
Frequently Asked Questions
Does GDPR apply to a US-based SaaS company?
Yes, if people in the EU use your product or you target them. GDPR applies to any organization established in the EU (Article 3(1)) and to any organization outside the EU whose processing relates to offering goods or services to data subjects in the Union or to monitoring their behaviour there (Article 3(2)). The test is not where you are incorporated, nor the citizenship or residency of the user; it is whether you offer services to, or monitor, people in the EU. A signed Article 28 DPA with each customer whose personal data you process is mandatory even for US-based processors: you cannot lawfully process that data on a customer's behalf without one.
What is the difference between a Data Controller and a Data Processor under GDPR?
A Data Controller determines the purposes and means of processing personal data; your SaaS company is a Controller for your employees' data, your marketing database, and your own account records. A Data Processor processes personal data on behalf of and under the documented instructions of a Controller; your SaaS company is a Processor when it handles the data your enterprise customers put into the service. As a Processor you have strict obligations under Article 28: process only on documented instructions, keep the data confidential, use sub-processors only with the Controller's authorization, assist the Controller with DSARs and with its security and breach duties, and return or delete the data at the end of the contract. Note the breach timing: the 72-hour clock (Article 33(1)) is the Controller's deadline to notify the supervisory authority; a Processor must notify the Controller without undue delay after becoming aware of a breach (Article 33(2)), and customer DPAs commonly set a shorter contractual window so the Controller can meet its own deadline. Processors can be fined directly under GDPR; they are not shielded by Controller liability.
Can SaaS companies use US-based cloud infrastructure for EU user data?
Yes, with conditions. As of August 2025 the EU-U.S. Data Privacy Framework (DPF) is in effect: US companies can self-certify, and transfers to a DPF-certified recipient are covered by the Commission's adequacy decision. AWS, Azure, and GCP are DPF-certified, but certification must be verified on the DPF list for each recipient and must cover the type of data you transfer. For any US sub-processor that is not DPF-certified you need the 2021 Standard Contractual Clauses (SCCs), and since Schrems II the SCCs must be accompanied by a documented transfer impact assessment. Two further cautions: a DPF-certified cloud provider covers only that provider, not the other US vendors in your chain, and hosting in an EU region does not remove the transfer if US-based staff (yours or a vendor's) can access the data, for example for support. Maintain a sub-processor list with the transfer mechanism recorded for each entry.
What happens if my SaaS company has a data breach affecting EU users?
GDPR requires the controller to notify the competent supervisory authority (e.g., Ireland's DPC, or in Germany the federal BfDI or the competent state authority) without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals (Article 33(1)). If the breach is likely to pose a high risk to individuals, you must also notify the affected users directly without undue delay (Article 34). The notification to the supervisory authority must include: the nature of the breach, the categories and approximate number of data subjects and records, the name and contact details of the DPO or another contact point, the likely consequences, and the measures taken or proposed; information that is not yet available may be supplied in phases (Article 33(4)). Breaches you decide not to notify must still be documented, with the reasoning (Article 33(5)). If the breach affects data you process for customers, your duty is to notify those customers without undue delay and support their notifications. Penalties for failing to notify are Tier 1 (up to €10M or 2% of global turnover). For breaches involving special-category data or large-scale processing, expect a supervisory authority investigation and possible Tier 2 fines where the breach also reflects a failure of the integrity and confidentiality principle (Article 5(1)(f)).