If your business uses a SaaS platform that processes personal data of EU residents, the contract between you and the provider must address GDPR compliance — and specifically, how data subject rights requests will be handled. You remain the data controller; the SaaS provider is typically the data processor. That means the legal liability for failing to respond to a data subject access request (DSAR) falls on you. The contract's data processing terms determine whether the provider will actually help you meet your obligations or leave you scrambling when a customer demands their data be deleted.
What are GDPR Data Subject Rights?
Under the GDPR (Articles 12-23), data subjects have rights including access, rectification, erasure ('right to be forgotten'), data portability, restriction of processing, and objection to processing. When you use a SaaS provider as a data processor, Article 28 GDPR requires a written data processing agreement (DPA) specifying how the processor will assist you in fulfilling these rights. The DPA should detail response timeframes, technical capabilities for data export and deletion, sub-processor management, and breach notification procedures.
Red flags to watch for
Article 28(3) GDPR requires a written DPA with specific mandatory provisions. Without one, both controller and processor are in breach, and supervisory authorities can impose fines up to €10 million or 2% of global turnover.
If the platform can't technically support DSARs — for example, it has no way to export one user's data or delete records on request — you'll be unable to comply with Articles 15 and 17 GDPR, exposing you to complaints and fines.
Article 28(2) GDPR requires either specific or general prior written authorisation for sub-processors. Blanket consent with no notification mechanism means a new sub-processor in a non-adequate country could process your data without your knowledge.
The DPA should specify that data is returned or deleted within a defined period after the contract ends. 'Reasonable time' without a specific deadline can mean your customer data sits on the provider's servers indefinitely.
If the provider transfers data outside the EEA, they must rely on an adequacy decision, Standard Contractual Clauses (SCCs), or Binding Corporate Rules. Since Schrems II, additional supplementary measures may be required.
Your legal rights
The GDPR (Regulation (EU) 2016/679) provides the legal framework. Article 28 mandates the terms a data processing agreement must contain. Articles 12-23 define data subject rights. Article 33 requires breach notification within 72 hours. Article 82 grants data subjects the right to compensation for GDPR violations. The European Data Protection Board (EDPB) has issued guidelines on data processing agreements, international transfers (post-Schrems II), and data subject rights. National supervisory authorities (DPAs) enforce the GDPR and can impose fines under Articles 83-84.
Questions to ask before you sign
1. Does your contract include a GDPR-compliant Data Processing Agreement?
2. Can you technically support individual data access, export, and deletion requests?
3. What is your response time for assisting with data subject rights requests?
4. Where is our data stored, and do any sub-processors transfer data outside the EEA?
5. How will we be notified of new sub-processors, and can we object?
6. What is the data deletion timeline after contract termination?
Disclaimer: This guide is for educational purposes only and does not constitute legal advice. Contract law varies by jurisdiction and individual circumstances. Always consult a qualified legal professional before making decisions based on this information.