Legal Checklist for SaaS Platforms in the EU: GDPR, AI Act and Licensing

If you asked attorneys one fundamental question—without which no other legal aspects of a SaaS platform can be set up correctly—it would be this: Who determines the purposes and means of processing personal data? The answer to this question drives all other obligations—from contract content to the way data is stored.


Key takeaways

  • SaaS platforms in the EU must comply with at least three main legal frameworks: GDPR (personal data protection), the AI Act (the EU regulation on artificial intelligence) and copyright law—each with its own sanction risks that can reach tens of millions of euros.
  • General Terms and Conditions and data processing agreements are not an optional luxury, but mandatory documents that define the legal position of the provider and the customer, and without them you expose yourself to liability for damages.
  • Licensing arrangements for AI outputs remain a legal challenge, because content generated by artificial intelligence without demonstrable human creative input is not considered a copyrighted work under Czech law.

Legal architecture of a SaaS platform

The Czech legal team at ARROWS, a Prague-based law firm, deals with this core issue on a daily basis. In the EU, there are two key roles: the personal data controller (the party that decides how and why data is handled) and the processor (the party that processes data for the controller under its instructions). 

In SaaS solutions, the situation becomes more complex because there may be multiple controllers. The SaaS platform operator itself acts as a controller where, for example, it administers customers’ user accounts for billing purposes.

On the other hand, if your customers use your platform to upload and process personal data of their employees, clients, or business partners, then your customer is the controller and you are the processor. For a broader compliance checklist that often overlaps with SaaS documentation (e.g., privacy notices, GDPR, and terms), see Legal Pitfalls for Czech E-Shops Selling Abroad: VAT, GDPR and T&Cs. This is precisely why it is essential to define these roles clearly in every contract—not only because Article 28 GDPR requires it, but also so it is clear who bears responsibility if an incident occurs.

The situation becomes even more complicated when third parties enter the picture. For example, if your SaaS platform runs in the cloud of a global provider, that provider becomes your additional processor (sub-processor). You must enter into your own data processing agreement with them, which must provide sufficient safeguards for data protection. For a practical overview of contractual and technical safeguards in SaaS (including DPAs and security measures), see ARROWS’ service page on It And Software Law, Cybersecurity. In practice, many SaaS operators overlook this chain entirely, and during an audit or incident it turns out they do not have a clear overview of who has access to customer data.

Related questions on legal architecture

1. What is the difference between a controller and a processor under the GDPR, and why does it matter?
The controller determines the purposes and means of processing, while the processor carries out activities based on the controller’s instructions. In a SaaS environment, you are typically the processor of your customers’ data (data they upload into the system), but the controller of the customers’ own data (billing details, logins). This split is critical because it results in different obligations and liability.

2. Do I need an agreement also with the cloud provider that hosts my data?
Yes, absolutely. If the cloud provider has access to personal data (which it does in hosting), it is an additional processor. You must have a personal data processing agreement (DPA) in place or accept their Data Processing Addendum, which must meet the requirements of Article 28 GDPR. If your SaaS also uses automated decision-making or other AI features, the compliance mapping can be aligned with the obligations described in Novinky v Arrows.

3. What if I have multiple cloud providers or subcontractors?
Each of them that comes into contact with personal data is your additional processor. You must inform your customers (the controllers) about their involvement, and they must have the option to object to the engagement of a new processor. All of these entities form your processing chain.

GDPR and SaaS: When is data processing lawful

Processing personal data in a SaaS environment is not legally neutral. The GDPR sets a clear rule: without a legal basis, processing is prohibited. Because the chosen legal basis often needs to be reflected in customer-facing terms and internal documentation, it can be helpful to coordinate this work under Gdpr. This means that if you want to store employee data, collect clients’ email addresses, or log IP addresses, you must have a legal reason for each such purpose.

DO YOU NEED LEGAL HELP?

Get in touch — we're happy to help.

ARROWS law firm

The GDPR provides six legal bases. In practice, in a SaaS environment, four legal bases are used most often: performance of a contract, compliance with a legal obligation, legitimate interest, and the data subject’s consent. One of the biggest risks lies precisely in legal bases, as many SaaS providers mistakenly believe they can use data freely.

For example, “improving the service” using customer data requires a careful assessment of whether this still qualifies as a legitimate interest, or whether the data needs to be anonymised. The attorneys at ARROWS, a Prague-based law firm, regularly address this issue and know the practical limits of so-called balancing tests (legitimate interest assessments), which you must carry out and document if you rely on this legal basis.

Main obligations when processing personal data

Once you have a legal basis, a number of further obligations follow. You must maintain Records of Processing Activities (under Article 30 GDPR), in which you record for each processing activity the purpose, data categories, retention period, recipients, and security measures. If your SaaS application uses AI features that learn from user interactions, you should explicitly define this purpose and its risks in the records.

You must also meet your transparency obligations through a Privacy Policy that clearly explains to users how you handle their data, and you must be able to honour data subject rights in practice. This means that if a user exercises the right to erasure, you must be technically able to actually delete the data from the database.

One important obligation is the data protection impact assessment (DPIA). If you operate a SaaS platform that is likely to result in a high risk to the rights and freedoms of individuals (e.g., large-scale processing of sensitive data or profiling), the GDPR requires you to carry out a DPIA before processing begins. The absence of a DPIA for high-risk systems is a frequent target of supervisory authority audits in the EU.

Data security in a SaaS environment

In the EU, SaaS personal data security requirements are strict. Under Article 32 of the GDPR, you must implement appropriate technical and organisational measures. This includes encryption of data at rest and in transit, which in practice means the database must not be stored unencrypted and all communication must take place via secure protocols.

Access management and authentication are also required. A SaaS application should have audit logs that record who logged in and what data they viewed or changed, which is essential for tracing the causes of security incidents.


You must also have a plan for handling security incidents. The GDPR requires you to notify the Office for Personal Data Protection (ÚOOÚ, the Czech data protection authority) within 72 hours of becoming aware of a personal data breach that poses a risk to individuals’ rights and freedoms. If you act as a processor, you must report the incident to your customer (the controller) without undue delay so that they can meet their legal obligations under Czech and EU data protection rules.

What you risk if you do not comply with the GDPR

Risks and penalties, and how ARROWS can help (consultation@arws.cz):

  • Fine for lack of a legal basis: Processing without a valid legal basis may lead to a fine of up to EUR 20 million or 4% of worldwide annual turnover.
    How ARROWS can help: Audit and review of legal bases. ARROWS attorneys in Prague will conduct an audit, identify the correct legal bases, and help set up processes so that processing is lawful under the GDPR.
  • Fine for failure to meet information obligations: A non-transparent or missing Privacy Policy is a common reason for complaints and penalties.
    How ARROWS can help: Preparation of a Privacy Policy. ARROWS will draft clear and legally compliant documents that meet the information obligations towards users.
  • Penalties for insufficient security: A data leak caused by lack of encryption or weak passwords is a breach of Article 32 GDPR.
    How ARROWS can help: Legal support in setting up security. We will help define appropriate security measures and reflect them in your contractual documentation.
  • Fine for an unmanaged processor chain: Using subcontractors without contracts (DPAs) is a breach of the GDPR.
    How ARROWS can help: Review of supplier contracts. We will review and set up data processing agreements with your cloud and technology partners.
  • Missing DPIA for high-risk systems: Launching a high-risk technology (e.g., AI profiling) without a data protection impact assessment is an administrative offence under EU and Czech data protection rules.
    How ARROWS can help: Preparation of a DPIA. We will guide you through the entire impact assessment process, identify risks, and propose measures to mitigate them.

AI Act: Obligations for artificial intelligence in 2026

In 2026, the Artificial Intelligence Regulation (AI Act) is already fully in force and enforceable across the EU. If your SaaS platform uses AI (chatbots, recommendation algorithms, generative models, image analysis), you must comply with this legislation. Breaches of the rules on prohibited practices may result in a fine of up to EUR 35 million or 7% of worldwide annual turnover; for other obligations, up to EUR 15 million or 3% of turnover.

The AI Act classifies systems by risk level. Your SaaS application will likely fall into one of the following categories.

  • Prohibited systems: e.g., social scoring, biometric categorisation of sensitive data, or manipulative techniques. You must not offer these features in the EU.
  • High-risk systems (High-Risk AI): e.g., systems used in recruitment, credit scoring, education, or critical infrastructure. This is where the strictest obligations apply.
  • Limited-risk systems: e.g., chatbots or deep fakes. Here, transparency obligations primarily apply.
  • General-purpose models (GPAI): If you integrate powerful models (LLMs), specific rules apply to their providers.

If you operate a high-risk system, you must implement a risk management system, maintain technical documentation, ensure accuracy and cybersecurity, and above all enable human oversight over the system’s decision-making.

Classification and roles in the AI value chain

It is crucial to determine whether you are the provider of an AI system or its deployer. If you develop your own AI model or substantially modify a third-party model under your brand, you are a provider with all related obligations (certification, registration in the EU database).


If you only use an API (e.g., from a global model provider) and integrate it into your SaaS without materially changing its intended purpose, you are in the position of a deployer, who must ensure the system is used in accordance with the instructions and ensure human oversight and user awareness. The Czech legal team at ARROWS, a Prague-based law firm, helps clients correctly determine their role and risk category, which can save substantial compliance costs.

Transparency and content labelling

Article 50 of the AI Act requires transparency. The user must know they are communicating with a machine (chatbot). There is also an obligation to label AI-generated outputs so that they are machine-detectable (watermarks, metadata), which is particularly relevant for image, video, and audio generators (deep fakes). If your SaaS generates content, you must ensure it is identifiable as artificial.

Copyright and AI-generated content

One of the most pressing issues for SaaS operators is who owns AI-generated content. Under Czech law, the answer in 2026 remains relatively strict. Under the Czech Copyright Act (Section 5), only a natural person can be an author.

Case law (e.g., a decision of the Municipal Court in Prague regarding an AI-generated image) confirms that an output created by artificial intelligence without substantial human creative input is not a copyrighted work. Entering a text prompt alone is generally not sufficient for copyright to arise in the result.

This has major implications for your SaaS platform. If you want to provide your users with an AI feature that generates content (texts, graphics) and you want to “assign copyright” to them contractually, you face the legal reality that no copyright has arisen. You cannot transfer what does not exist.

How to address this in licence terms

The solution is transparency and proper drafting of your Terms and Conditions.

  • Do not create an impression of exclusivity: Inform users that AI outputs may not be protected by copyright and that the same prompt may generate a similar output for another user.
  • Human creative input: If your platform allows the user to further edit and modify the output, copyright may arise in the final, human-edited work.
  • Training data: The AI Act requires providers of GPAI models to publish a summary of the content used to train the model.

General Terms and Conditions and data processing agreements

Terms and Conditions for SaaS are not just a formality. They are the documents that define your commercial relationship. In the EU, Terms and Conditions for B2B SaaS are commonly structured as follows:

  • Scope of the service: SaaS is a service (subscription-based access), not a sale of goods. The customer does not acquire ownership of the software.
  • Licence terms: Scope of use, number of users, prohibition of reverse engineering.
  • Availability (SLA): Availability guarantees and penalties for outages.
  • Liability for damages: A key section. In B2B relationships, liability can be limited, which protects you against potentially ruinous claims.
  • Data protection (DPA): Often provided as an annex addressing GDPR compliance.

Data Act and portability

Since September 2025, the Data Act regulation applies in full. For providers of cloud services (including SaaS), it introduces an obligation to remove obstacles to switching providers. You must ensure that the customer can easily move to a competitor—i.e., enable export of their data in a structured, commonly used, and machine-readable format. Customer lock-in practices (vendor lock-in) are sanctioned under this regulation.

Risks and penalties, and how ARROWS can help (consultation@arws.cz):

  • No limitation of liability: You are liable for all damages and lost profit caused by an outage or an application error.
    How ARROWS can help: Setting liability limits. We will prepare valid liability limitation clauses (cap) that will stand up in Czech courts.
  • Missing data processing agreement (DPA): A fine from the Czech Data Protection Authority (ÚOOÚ) and a loss of trust from enterprise clients.
    How ARROWS can help: Preparation of GDPR documentation. We will deliver a DPA that complies with Article 28 GDPR and protects you even when engaging subprocessors.
  • Unclear copyright ownership: Users believe they own the software, or conversely you improperly claim their data.
    How ARROWS can help: Copyright clauses. We will clearly define what belongs to you (the platform), what belongs to the user (the data), and what regime applies to AI outputs.
  • Breach of the Data Act: Preventing data export or charging disproportionate fees for a client’s exit.
    How ARROWS can help: Data Act compliance. We will advise you on how to set up contract termination and data export processes in line with the new EU legislation.

Practical steps: How to set up SaaS correctly

If you want your SaaS platform to be legally robust, proceed as follows:

  • Define roles: When are you a controller and when a processor under GDPR? Have you mapped your data flows?
  • Classify AI: Does your solution fall under the EU AI Act? Is it high-risk?
  • Create tailored documentation: Copying a competitor’s Terms and Conditions will not protect you. You need Terms and Conditions, a DPA, and a Privacy Policy that match your technical solution and Czech/EU compliance requirements.
  • Map subcontractors: Have contracts in place with cloud providers and other processors.
  • Set up processes: Incident response plan, handling data subject rights, data export under the Data Act.
  • Secure the application: Encryption, logging, backups.

If it feels like a lot, you are right. Technology law is complex. Our Czech legal team at ARROWS, a Prague-based law firm, deals with these matters every day. If you are not sure where to start, email us at consultation@arws.cz—we will be happy to assist with a legal assessment and the preparation of documentation.

Notice: The information contained in this article is of a general informational nature only and is intended for basic orientation based on the legal position as of 2026. Although we take the utmost care to ensure accuracy, legal regulations and their interpretation evolve over time. We are ARROWS advokátní kancelář, an entity registered with the Czech Bar Association (our supervisory authority), and for maximum client protection we maintain professional liability insurance with a limit of CZK 400,000,000. To verify the current wording of regulations and their application to your specific situation, it is necessary to contact ARROWS advokátní kancelář directly (consultation@arws.cz). We accept no liability for any damages arising from the independent use of the information in this article without prior individual legal consultation.
