19. November 2019Data Protection, Information Technology

Software as a Service (SaaS) in the process of legal implementation

Software as a Service (SaaS) is not a new term, although the business model has gained in importance in cloud computing over recent years. In 2018, German companies were expected to invest more than 20 billion euros in cloud services. A not insignificant part of this relates to SaaS solutions.

What is Software as a Service (SaaS)?

SaaS is understood as the cloud or server-based provision of certain software services for an agreed period for a fee. As a rule, the software is used directly via the browser. Due to their handling, SaaS solutions can be used in all corporate divisions, in particular in customer relationship management (CRM), human resource management (HRM) and financial management. The SaaS provider is not necessarily the same as the software manufacturer, but does at least own the required copyright usage rights to the software. Issues of copyright and data protection law are therefore often raised in connection with SaaS contracts.

Application Service Providing (ASP) can be understood as the predecessor to SaaS. The main difference between SaaS and ASP is that, as part of an ASP solution, the user’s computer is usually assigned to the software, while the SaaS services can be used without this assignment to specific hardware resources, thereby offering greater flexibility.

Pros and cons of SaaS

From a customer’s viewpoint, the greatest advantage of SaaS solutions is the low acquisition costs. By outsourcing maintenance and updates of the software as well as the server administration to the provider, a higher cost control is created overall. In addition, the cloud-based or server-based solution guarantees comprehensive mobility for company employees. Despite these advantages, however, there are risks associated with the use of SaaS services, because the customers are dependent on the provider for the functionality of the software. Not only are service faults considered to be within the sphere of the provider, but also those related to the Internet connection. In addition, company data is usually also shared during use, requiring a certain degree of confidence in the provider’s data integrity.

Service level agreements

There are still many legal aspects unresolved in connection with SaaS. Even the question of the legal classification of the agreement between the supplier and the customer is disputed. The determination of the contractual nature not only has academic value, but is also extremely relevant from a practical viewpoint. While, for example, in the event of service faults in the rental contract which are present at the time the contract is concluded, the provider’s liability for defects, regardless of fault, is provided for by law, there is no such provision in the service contract. If, for example, the provider suffers server outages, the assertion of claims would depend on the classification of the contract. The prevailing opinion, taking into account case law of the Federal Court of Justice, accepts a lease agreement, but this is countered, however, by the fact that the decisions given here relate only to ASP contracts and, based on the technical innovation of the SaaS services, are not applicable to these.

In order to minimise risk, it is therefore advisable to expressly regulate questions of liability and compensation for damages in the event of service faults by means of service level agreements. These should include at least the following areas:

  • Availability of the service, including a measurement method for its determination
  • Definition of service faults
  • Response and recovery times in the event of service faults
  • Regulations on the distribution of the burden of proof in the event of service faults
  • Contractual penalties and termination options in the event of service faults

Copyright licence as subject of the SaaS contract

Copyright law is also to be considered within the scope of SaaS contracts. Specifically, the question is whether the customer must be granted an (at least) simple usage right to the software by the provider. This is assumed here in part, on the grounds that the right of reproduction in section 69 c no. 1 of the German Copyright Act (UrhG) is affected by the provision of the software, as in any case a “temporary reproduction” takes place on the customer’s main memory. However, against this is the fact that it is countered that the essential technical reproduction takes place on the provider’s server. Merely using the software applications by the customer is insufficient for this purpose.

As a result, the specific design and use of the software is probably decisive, e.g. when the software must be installed on the user’s computer. If the access software has been provided to the customer by the provider, it may therefore also be seen as the implied transfer of a right of reproduction. However, a regulation regarding the rights of use is nevertheless useful and recommended in a SaaS contract in order to create legal certainty for the SaaS provider and user.

SaaS and data protection law

In addition, the security of the customer’s data is of great importance, as it is first created and then stored on the provider’s systems. Not only the provider, but also the customer must take into account certain provisions of the data protection law when concluding a SaaS contract, specifically when the use of the software (also) involves the processing of personal data. In these cases, a job processing contract would have to be concluded in order to avoid possible fines for the violation of data protection regulations, taking into account section 11 of the German Data Protection Act (BDSG) or Article 28 of the GDPR.

Another important aspect is that the customer must convince itself of compliance with the organisational and technical measures when processing data by means of SaaS via preliminary inspection and then with regular checks. How exactly these checks should look and which are appropriate should be determined in individual cases. Among other things, which data is processed when using the SaaS solution plays a role. The provider may, for example, be obliged to comply with contractually agreed data security concepts, to present IT security certificates or to provide additional information obligations.

Conclusion and evaluation

As a result, the SaaS services have numerous advantages from the user’s viewpoint, but there are also certain legal risks involved. Not only does determination of the nature of the contract relevant for the liability remain controversial, but also the question as to whether the SaaS customer must be granted a usage right. In addition, the security of the customer’s data should be guaranteed and data protection regulations should also comply when processing personal data, because the data is no longer stored on the customer’s own computer, but on that of the provider. Selection of the SaaS service provider should therefore be made with care and, if necessary, regular checks should take place. It is also recommended that special care should be taken when preparing or examining the contracts used in order to avoid the existing risks as far as possible.

nach oben
More on this topic

Newsletter

Subscribe to our monthly newsletter with information on judgments, professional articles and events (currently only in german).

By clicking on "Subscribe", you consent to receive our monthly newsletter (with information on judgments, professional articles and events) as well as to the aggregated usage analysis (measurement of the opening rate by means of pixels, measurement of clicks on links) in the e-mails. You will find an unsubscribe link in each newsletter and can use it to withdraw your consent. You can find more information in our privacy policy.