Best practices for data privacy clause in Saas Agreements



By Amélie Tonneau

SKEMA Business School

Paris, France



The explosion of IT leaks and cyber-security attacks has raised concerns among governments and Software-as-a-Service (Saas) customers, who currently feel unsafe regarding the processing and protection of the data they share with, and give access to, their Saas suppliers. The objective of this report is to understand the different requirements of the current legislation and the new General Data Protection Regulation (GDPR) regarding data privacy. This paper is based on a qualitative study using multi-attribute decision-making and fishbone methods, together with analysis of websites and articles.

Even though the legislation is changing, many medium-sized companies are not yet aware of the requirements they should comply with. Bear in mind that compliance with the new requirements will be mandatory in May 2018. This will lower Saas providers’ flexibility in terms of processing but increase Saas customers’ protection.

The different alternatives or requirements from both regulations will be analysed to show that a mix of requirements is necessary to draft the best data privacy clause for your next Saas agreements and to protect your customers.

Key words: Software-as-a-Service (Saas), data privacy, IT security, legislation, confidentiality


In a fast-changing global environment, the Software-as-a-Service (Saas) industry is currently booming and is expected to reach $112.8 billion by 2019. Saas is considered a precise software distribution model: providers use a third party to host their applications on the Cloud, making those applications directly available to users over the Internet. With a significant decrease in third-party cloud prices, more and more small businesses now use Saas to boost sales and productivity.

While many Saas companies use data collected from their customers, which might be very sensitive, to help their growth, Saas agreements need to provide precise data privacy clauses. These clauses cover the provider’s requirements and obligations regarding data collection and its means of keeping customers’ data secure. Unfortunately, current trends show that Saas providers are failing to keep customers aware of their rights regarding the confidentiality of their own data. In this difficult context, choosing the right provider by evaluating risks should become common practice from a customer point of view if Saas agreements don’t improve transparency. Before signing up for Cloud computing services, companies and/or individuals will now have to consider whether the data they are giving up is confidential, and to what extent.

In a context where IT security concerns and cyber-attacks are increasing considerably, drafting Saas agreements and their data privacy clauses might be a challenge for small businesses. In a changing legal environment in the EU, what should a data privacy clause contain? What are the advantages of the new GDPR regulation?

In the following, you will be able to understand the current trends in data privacy clauses within the Saas industry. Then, we will raise the question of legal requirements and the new legislation in the European Union that will come into effect in May 2018. Finally, we will recommend the best data privacy clause for your business.




Editor’s note: Student papers are authored by graduate or undergraduate students based on coursework at accredited universities or training programs. This paper was prepared as a deliverable for the course “International Contract Management” facilitated by Dr Paul D. Giammalvo of PT Mitratata Citragraha, Jakarta, Indonesia as an Adjunct Professor under contract to SKEMA Business School for the program Master of Science in Project and Programme Management and Business Development. http://www.skema.edu/programmes/masters-of-science. For more information on this global program (Lille and Paris in France; Belo Horizonte in Brazil), contact Dr Paul Gardiner, Global Programme Director.

About the Author

Amélie Tonneau

SKEMA Business School
Paris, France



Amélie Tonneau is a Master’s degree student at Skema Business School (Paris), MSc Project and Programme Management and Business Development (PPMBD). She joined Skema in 2014 in Lille and over the years developed her knowledge of different fields such as Marketing, Law, Finance and Business Development before stepping into project management. She had the opportunity to work in Spain, Belgium, and The Netherlands, and also lived in Taiwan for a year. Passionate about tech trends and start-ups’ innovative ideas, she built her professional experience through various Sales and Marketing roles in Software as a Service (Saas) companies.