Does GDPR apply to my SaaS?

GDPR applies if you (1) have an establishment in the EU, (2) offer goods or services to people in the EU regardless of payment, or (3) monitor behavior of people in the EU. Almost every modern B2B SaaS with EU customers, EU website visitors, or EU employees falls in scope.

Data controller vs data processor — what am I?

You are typically a data processor when your customers upload their users' personal data into your product (you process on their behalf). You are a data controller for data you collect directly: employee data, marketing leads, website visitors, and account holders. Most SaaS are both simultaneously — which is why both Article 28 and direct obligations apply.

Do I need a DPA with every customer and vendor?

Yes, whenever personal data is processed. You sign DPAs with (1) enterprise customers (you as processor), (2) subprocessors that handle customer data on your behalf (Stripe, AWS, Segment), and (3) any vendor touching your own employee or lead data.

What is the DSAR deadline?

One calendar month from receipt of the request. You can extend by two further months for complex requests if you notify the subject within the first month. Build workflows around a 30-day clock, not 30 business days.

A Data Protection Officer is mandatory only when you (1) are a public authority, (2) your core activities require large-scale systematic monitoring, or (3) your core activities involve large-scale processing of special category data. Most B2B SaaS do not need a formal DPO but should designate a privacy lead.

GDPR Compliance for B2B SaaS: The Operational Resource

Every playbook a SaaS team needs for GDPR as an operational discipline — Article 28 DPAs, DSAR workflow, DPIAs, subprocessor management, and cross-border transfer guardrails. Curated by the CertifyOps compliance delivery team.

Book a GDPR scoping call Check my DPA

TL;DR
GDPR applies to any SaaS with EU customers, EU employees, or EU website traffic. Territorial scope is broad.
Most B2B SaaS are both processor (for customer data) and controller (for employee + marketing data) simultaneously.
DSAR deadline is one calendar month; breach notification to regulators within 72 hours.
DPA + subprocessor list + DSAR workflow + DPIA process + breach playbook = the five operational artifacts.

Fundamentals

GDPR Operations for SaaS: Not Legal Theory

How to run GDPR as an operational discipline, not a legal exercise.

Read guide →

GDPR Compliance Checklist for SaaS

Eight-week implementation plan covering every operational requirement.

Read guide →

Data Subject Rights

GDPR DSAR Workflow That Scales

Build a Data Subject Access Request pipeline that survives a 30-day deadline.

Read guide →

Vendors & Subprocessors

Subprocessor Management Under Article 28

Build a vendor risk program that satisfies Article 28 and enterprise procurement.

Read guide →

Build a Trust Center for Enterprise Deals

Publish your subprocessor list, DPA, and privacy artifacts to accelerate procurement.

Read guide →

Procurement & Questionnaires

Security Questionnaire Response Playbook

Answer GDPR questionnaire items correctly on the first pass.

Read guide →

Pass Procurement Without Slowing Engineering

Architecture and privacy patterns that satisfy GDPR review and keep velocity.

Read guide →

Cost & Framework Selection

GDPR Compliance Cost Breakdown

Total cost of GDPR operational compliance for B2B SaaS at every stage.

Read guide →

Framework Comparison (GDPR overlaps)

How GDPR intersects with SOC 2 Privacy TSC and ISO 27001 Annex A.

Read guide →

Frequently asked questions

Does GDPR apply to my SaaS?: GDPR applies if you (1) have an establishment in the EU, (2) offer goods or services to people in the EU regardless of payment, or (3) monitor behavior of people in the EU. Almost every modern B2B SaaS with EU customers, EU website visitors, or EU employees falls in scope.
Data controller vs data processor — what am I?: You are typically a data processor when your customers upload their users' personal data into your product (you process on their behalf). You are a data controller for data you collect directly: employee data, marketing leads, website visitors, and account holders. Most SaaS are both simultaneously — which is why both Article 28 and direct obligations apply.
Do I need a DPA with every customer and vendor?: Yes, whenever personal data is processed. You sign DPAs with (1) enterprise customers (you as processor), (2) subprocessors that handle customer data on your behalf (Stripe, AWS, Segment), and (3) any vendor touching your own employee or lead data.
What is the DSAR deadline?: One calendar month from receipt of the request. You can extend by two further months for complex requests if you notify the subject within the first month. Build workflows around a 30-day clock, not 30 business days.
Do I need a DPO?: A Data Protection Officer is mandatory only when you (1) are a public authority, (2) your core activities require large-scale systematic monitoring, or (3) your core activities involve large-scale processing of special category data. Most B2B SaaS do not need a formal DPO but should designate a privacy lead.

Ready to operationalize GDPR?

Get a concrete plan, scope, and timeline within 24 hours.

Schedule a call See our services