Who GDPR applies to

The GDPR applies to any organisation that processes personal data of individuals located in the EU or EEA — regardless of where the organisation is incorporated. A startup incorporated in Delaware, Estonia, or Dubai that has EU users or EU business customers is subject to GDPR. This is a common misunderstanding: GDPR jurisdiction follows the data subject's location, not the company's registration address.

Lawful bases for processing

Every processing activity requires a lawful basis. The six available bases are: consent, contract, legal obligation, vital interests, public task, and legitimate interests. For most SaaS products:

Contract is the basis for processing data necessary to deliver your service to the person who signed up. Account data, usage data needed to provide the service, billing information — these are covered by contract performance.

Legitimate interests covers processing that is not strictly necessary for the contract but where the company has a genuine business reason that is not overridden by the individual's rights — analytics, fraud prevention, product improvement. Legitimate interests requires a balancing test, which should be documented.

Consent is the basis for marketing communications to individuals, and for cookies beyond strictly necessary ones. GDPR consent must be freely given, specific, informed, and unambiguous — pre-ticked boxes or consent bundled into terms of service do not qualify.

When you need a Data Processing Agreement (DPA)

If you are a SaaS company processing personal data on behalf of your business customers, you are a data processor and your customers are data controllers. GDPR Article 28 requires a written DPA between you. This is not optional. Enterprise customers will ask for your DPA as a condition of procurement, and without one you are in breach of GDPR on every B2B contract.

A DPA specifies: the subject matter, nature, and purpose of processing; the types of personal data processed; the obligations and rights of the controller; your obligations as processor (confidentiality, security, subprocessor management, assistance with data subject rights, breach notification, deletion on termination).

Cookie consent

Strictly necessary cookies (session cookies, authentication) do not require consent. All other cookies — analytics, advertising, personalisation — require prior, informed consent before placement. This means: a cookie banner that allows users to reject non-essential cookies must appear before those cookies are set, not after. Consent walls ("accept to use the site") are generally not compliant. Most regulators now expect granular consent options rather than all-or-nothing banners.
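The "consent before placement" rule above is usually broken in code rather than in policy: analytics or ad scripts fire on page load and the banner is shown afterwards. The following is an added example, not code from the original page, showing the shape of a consent gate that gets this right. It routes every cookie write through one function, treats "no choice recorded yet" as refusal, keeps the categories granular, and clears a category's cookies when consent for it is withdrawn. The in-memory jar stands in for `document.cookie` so the example runs under Node; the category names, cookie names and values are constructed for illustration.

```javascript
// Added example (not from the original page): consent-gated cookie placement.
// The jar is an in-memory stand-in for document.cookie; all names are constructed.

const CATEGORIES = Object.freeze({
  necessary: { requiresConsent: false },     // session, authentication, CSRF tokens
  analytics: { requiresConsent: true },
  advertising: { requiresConsent: true },
  personalisation: { requiresConsent: true },
});

const OPTIONAL = Object.keys(CATEGORIES).filter((c) => CATEGORIES[c].requiresConsent);

// No choice recorded yet: every optional category is treated as refused.
function emptyConsent() {
  const granted = {};
  for (const c of OPTIONAL) granted[c] = false;
  return { recorded: false, granted };
}

// Record an explicit, granular choice. Unknown keys are rejected so a typo
// in the banner code cannot silently grant a category; anything but an
// explicit true counts as a refusal.
function recordConsent(choices) {
  for (const key of Object.keys(choices)) {
    if (!OPTIONAL.includes(key)) throw new Error(`unknown consent category: ${key}`);
  }
  const granted = {};
  for (const c of OPTIONAL) granted[c] = choices[c] === true;
  return { recorded: true, granted };
}

function mayPlaceCookie(category, consent) {
  const def = CATEGORIES[category];
  if (!def) throw new Error(`unknown cookie category: ${category}`);
  if (!def.requiresConsent) return true;
  return consent.recorded && consent.granted[category] === true;
}

// Minimal cookie jar that remembers which category each cookie belongs to,
// so withdrawal can remove exactly the cookies placed under that category.
function createJar() {
  const store = new Map();
  return {
    set(name, value, category) { store.set(name, { value, category }); },
    remove(name) { store.delete(name); },
    names() { return [...store.keys()].sort(); },
    namesIn(category) {
      return [...store.entries()].filter(([, v]) => v.category === category).map(([k]) => k);
    },
  };
}

// The single choke point every cookie write goes through.
function setCookie(jar, name, value, category, consent) {
  if (!mayPlaceCookie(category, consent)) return false;
  jar.set(name, value, category);
  return true;
}

// Withdrawing consent both blocks future writes and clears what was already set.
function withdrawConsent(jar, consent, category) {
  if (!OPTIONAL.includes(category)) throw new Error(`not an optional category: ${category}`);
  for (const name of jar.namesIn(category)) jar.remove(name);
  return { recorded: true, granted: { ...consent.granted, [category]: false } };
}

// Walk through: page load with banner showing -> granular choice -> later withdrawal.
function demo() {
  const jar = createJar();
  const attempts = [
    ['sessionid', 'constructed-session', 'necessary'],
    ['_analytics_id', 'constructed-analytics', 'analytics'],
    ['_ad_id', 'constructed-ad', 'advertising'],
  ];
  const tryAll = (consent) => attempts.map(([n, v, c]) => setCookie(jar, n, v, c, consent));

  let consent = emptyConsent();            // banner visible, nothing chosen yet
  const beforeChoice = tryAll(consent);    // only the session cookie is placed
  consent = recordConsent({ analytics: true, advertising: false, personalisation: false });
  const afterChoice = tryAll(consent);     // analytics now allowed, advertising still refused
  const cookiesAfterChoice = jar.names();
  consent = withdrawConsent(jar, consent, 'analytics');
  const afterWithdrawal = { attempts: tryAll(consent), cookies: jar.names() };

  return { beforeChoice, afterChoice, cookiesAfterChoice, afterWithdrawal };
}

console.log(JSON.stringify(demo(), null, 2));
```

The design point is the default: until `recordConsent` has run, `mayPlaceCookie` returns `false` for every optional category, so a third-party tag that loads early is blocked rather than grandfathered in. Wiring this to a real site means calling `setCookie` (or an equivalent gate around `document.cookie` and script injection) from the tag loader, and persisting the consent record so the choice survives reloads.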

Data subject rights

GDPR gives EU individuals enforceable rights: access (get a copy of their data), rectification (correct inaccurate data), erasure ("right to be forgotten"), data portability, objection to processing, and restriction of processing. Your product must be technically capable of fulfilling these requests within 30 days. For B2B SaaS, you fulfil these on behalf of your customers (as the processor following controller instructions).

What matters most for early-stage B2B SaaS

In practice, for a B2B SaaS company at the pre-Series A stage: make sure your privacy policy is accurate; have a DPA ready for customer requests; implement a functioning cookie consent mechanism; and have a breach notification procedure (72 hours to the supervisory authority under GDPR Article 33). These four things resolve the majority of compliance exposure for most early-stage products.