
GDPR for SaaS Companies: The 2026 Compliance Checklist

8 min read · Updated 6 May 2026

If you build SaaS and have EU customers, GDPR applies to you. It does not matter where your company is incorporated. If you process personal data of EU residents — names, emails, usage data, payment details, IP addresses — you are subject to the regulation.

This checklist covers every compliance requirement a SaaS company needs to address. Use it to identify gaps, not as a substitute for legal advice.


Controller vs Processor: Know Which You Are

Most SaaS companies are both.

You are a controller for data you collect and use for your own purposes — your marketing list, your user analytics, your sales CRM.

You are a processor when you process personal data on behalf of your customers — the data your customers' end-users generate inside your product. Your customers are the controllers for that data; you process it under their instruction.

This distinction matters because:

  • As a controller, you bear full responsibility for compliance with all GDPR principles
  • As a processor, you must have a signed Data Processing Agreement (DPA) with every controller customer
  • As a processor, you can only process data according to the controller's instructions

Core Compliance Checklist

Lawful Basis

  • Identify a lawful basis for every category of personal data you process (Article 6)
  • Common SaaS bases: contract (processing necessary to deliver the service), legitimate interests (usage analytics, security), consent (marketing)
  • Document the basis in your Records of Processing Activities
  • For special category data (health, biometric, religion, ethnicity, sexual orientation): identify an additional Article 9 basis — usually explicit consent or substantial public interest

Records of Processing Activities (RoPA)

  • Maintain a RoPA listing every processing activity (Article 30)
  • Each entry must include: the purpose, the categories of data, the categories of data subjects, any third-party recipients, international transfer mechanisms, and retention periods
  • Update the RoPA when you add new features that process personal data
  • If you have fewer than 250 employees, you still need a RoPA if processing is likely to result in a risk, is not occasional, or includes special category data — which applies to most SaaS

Privacy Notice

  • Publish a privacy notice on your website and in your product that satisfies Articles 13 and 14
  • Must include: identity of the controller, data protection contact, purposes and lawful bases, retention periods, data subject rights, right to lodge a complaint with a supervisory authority, any international transfers
  • Review and update the privacy notice when processing activities change
  • Ensure the notice is written in plain language — not legal boilerplate

Data Processing Agreements

  • Sign a DPA with every customer where you process their users' personal data as a processor (Article 28)
  • DPA must specify: subject matter and duration, nature and purpose of processing, type of data and categories of data subjects, obligations and rights of the controller
  • Sign DPAs with your sub-processors — every vendor you use who processes customer personal data (cloud infrastructure, email providers, analytics tools, payment processors)
  • Include a sub-processor clause in your customer DPA — controllers must be notified of sub-processor changes

Data Subject Rights

  • Implement processes to handle all eight data subject rights:
    • Right of access (Article 15) — respond within 30 days
    • Right to rectification (Article 16) — correct inaccurate data
    • Right to erasure (Article 17) — delete where required
    • Right to restriction (Article 18) — limit processing where disputed
    • Right to portability (Article 20) — export data in machine-readable format
    • Right to object (Article 21) — particularly for legitimate interests processing
    • Right not to be subject to automated decisions (Article 22) — if applicable
    • Right to withdraw consent — must be as easy as giving it
  • Document your response times — 30 calendar days is the default; 3 months if complex (with notification)
  • Build a process for your processor obligations — when your customers receive DSARs about their users, you must be able to provide them with the data you hold

Data Protection Impact Assessment (DPIA)

  • Identify processing activities requiring a DPIA (Article 35):
    • Systematic and extensive profiling with significant effects on individuals
    • Large-scale processing of special category data
    • Systematic monitoring of publicly accessible areas
    • New technologies with high risk
  • Complete a DPIA before starting any high-risk processing activity
  • DPIA must assess: the necessity and proportionality of the processing, the risks to data subjects, and the measures to address those risks

Data Breach Response

  • Establish a breach response procedure — you have 72 hours from becoming aware of a breach to notify your supervisory authority (Article 33)
  • Assess severity — not all breaches require notification to the supervisory authority; only those likely to result in a risk to individuals' rights and freedoms
  • Notify affected individuals without undue delay where the breach is likely to result in high risk to them (Article 34)
  • Log all breaches — even those not notified, with reasons for not notifying (Article 33(5))
  • Know your lead supervisory authority — if you have an EU establishment, this is the supervisory authority of the country where your main establishment is. If you are not EU-established, contact the supervisory authority in each country where you have affected individuals.

International Data Transfers

  • Identify all transfers of personal data outside the EU/EEA (Article 44)
  • For transfers to countries without EU adequacy decisions (including the US for most transfers): implement Standard Contractual Clauses (SCCs)
  • Conduct a Transfer Impact Assessment (TIA) for transfers to the US or other countries with surveillance laws — assess whether SCCs provide effective protection
  • Review third-party vendor data locations — where does your cloud provider store data? Your email tool? Your support system?

Consent Management (If Applicable)

  • Only rely on consent where appropriate — not where contract or legitimate interests is the better basis
  • Where you rely on consent: it must be freely given, specific, informed, and unambiguous
  • Cookie consent requires a cookie banner with genuine choice — pre-ticked boxes and consent by continued browsing are not valid
  • Record consent — what was consented to, when, and how

SaaS-Specific Obligations

Cookie and Tracking Compliance

  • Audit all cookies and tracking technologies on your website and product
  • Categorise cookies: strictly necessary, functional, analytics, advertising
  • Implement a cookie consent mechanism for non-essential cookies
  • Implement consent before loading analytics scripts (Google Analytics, Mixpanel, etc.)
  • Review jurisdiction-specific requirements — Germany requires opt-in consent for analytics regardless of risk level
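The gating described above (no analytics or advertising script runs until the user has made an explicit choice, and every choice is recorded with what, when and how) can be implemented with a small consent gate in the page. The following is an added example written for this checklist, not code from the original page or from any vendor; the category names, the `recordConsent`/`loadAllowedScripts` functions and the script URLs in the registry are all constructed for illustration.

```javascript
// Added example (not from the original page): a minimal consent gate for
// non-essential scripts. Optional categories start with no consent, only an
// explicit recordConsent() call changes them, and every decision is logged.

const CATEGORIES = ["strictly_necessary", "functional", "analytics", "advertising"];

// Defaults: nothing beyond strictly necessary is enabled. Pre-ticked boxes are
// not valid consent, so every optional category starts as false.
function createConsentState() {
  return {
    choices: { strictly_necessary: true, functional: false, analytics: false, advertising: false },
    records: [], // audit trail: what was consented to, when, and how
  };
}

// Record an explicit decision. `method` documents how consent was obtained,
// e.g. "banner_click" or "settings_page". Withdrawal is the same call with
// granted=false, so withdrawing is exactly as easy as giving consent.
function recordConsent(state, category, granted, method, now = new Date()) {
  if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
  if (category === "strictly_necessary") throw new Error("strictly necessary cookies are not consent-based");
  if (typeof granted !== "boolean") throw new Error("granted must be an explicit boolean");
  state.choices[category] = granted;
  state.records.push({ category, granted, method, at: now.toISOString() });
  return state;
}

function isAllowed(state, category) {
  return state.choices[category] === true;
}

// Given a registry of third-party scripts tagged by category, return only the
// URLs that may be loaded now. Scrolling or continued browsing never changes
// this result; only recordConsent() does.
function scriptsAllowedToLoad(state, registry) {
  return registry.filter((s) => isAllowed(state, s.category)).map((s) => s.src);
}

// Inject allowed scripts as <script> tags. `inject` is a parameter so the
// gating logic can be exercised outside a browser (e.g. in a unit test).
function loadAllowedScripts(state, registry, inject = defaultInject) {
  const loaded = [];
  for (const src of scriptsAllowedToLoad(state, registry)) {
    inject(src);
    loaded.push(src);
  }
  return loaded;
}

function defaultInject(src) {
  if (typeof document === "undefined") return; // not running in a browser
  const el = document.createElement("script");
  el.src = src;
  el.async = true;
  document.head.appendChild(el);
}

// Constructed registry of hypothetical script URLs, one per optional category.
const SCRIPT_REGISTRY = [
  { src: "https://analytics.example/tag.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "advertising" },
  { src: "https://widgets.example/chat.js", category: "functional" },
];
```

In a real page the registry replaces the hard-coded `<script>` tags for analytics and advertising tools, `loadAllowedScripts` is called once on page load (from persisted choices) and again after each banner interaction, and the `records` array is what you persist server-side to satisfy the "record consent" item above.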

Sub-Processor Management

  • Maintain a sub-processor list — typically published as an appendix to your DPA or on your website
  • Implement a process for notifying customers of sub-processor additions (a minimum of 30 days' notice is standard)
  • Ensure all sub-processors are bound by DPAs that mirror your obligations to controllers

Employee Data

  • Ensure HR data is processed with appropriate lawful basis
  • Implement a separate privacy notice for employees
  • Review any AI or automated processing of employee data (Article 22 applies to employees too)

Do You Need a Data Protection Officer (DPO)?

You are required to appoint a DPO if you are:

  • A public authority
  • Carrying out large-scale systematic monitoring of individuals
  • Processing special category data or criminal conviction data on a large scale

Most SaaS companies are not required to appoint a DPO. But you should designate a named person responsible for data protection internally.


EU Representative

If you are not established in the EU but process EU residents' data, you must appoint an EU representative (Article 27) — a person or company in the EU who can act as a point of contact for supervisory authorities and data subjects. This is typically a paid service available from law firms and specialist providers.
