top of page
  • Writer's pictureArno

Legal issues and mandatory requirements for SaaS businesses entering the German market

Updated: Apr 30, 2021

On the European SaaS software market, your marketing and sales efforts need to comply with mandatory legal and other requirements, such as copyright law and the General Data Protection Regulation (GDPR). As IT and SaaS competition is strong especially in Germany, UK, Spain, France and Poland, you should focus on core competencies and service quality rather purely on costs. Specialising and addressing verticals is also a good way to reduce competition.

Requirements for SaaS providers vary between countries, industries and segments. For example, different industry-specific standards, rules and regulations exist for the automotive industry, education, healthcare and public sector. As it would be impossible to list all possible requirements, we focus on the most common requirements at this point.

Mandatory requirements to comply with

Mandatory requirements for providing SaaS solutions within the European market can be divided into legal and non-legal mandatory requirements.

Legal requirements include legislation about copyright as well as personal data protection. Privacy is highly regulated and protected in Europe, via the 2018 established General Data Protection Regulation (GDPR) and the ePrivacy Directive. If you do not respect these directives, you may be subject to enforcement actions and/or possible claims – even though you are located outside of the European Union. Non-legal requirements mainly deal with security. Although you are not obliged to comply by law, they are considered minimum requirements to enter the European market.


The European Union has established specific legislation to protect computer programs by means of copyright. According to the Directive on the legal protection of computer programs, you have to make sure not to breach any copyright when placing your computer program on the market. At the same time, this directive also protects your products against unauthorised reproduction.


The General Data Protection Regulation came into effect on 25 May 2018. This regulation was designed to protect individuals in Europe from privacy and data breaches and to give people more control over their personal data. It also lets businesses benefit from a level playing field, where the laws and regulations are the same in every European country. The GDPR applies to all companies processing the personal data of individuals in Europe, regardless of the company’s location. This means it also applies to you directly.

Under the old directive, the protection of any data by which an individual can be identified was the sole responsibility of the data controller (owner). However, under the GDPR, any company or individual that processes data is also responsible for its protection. Examples of personal data that are protected by this regulation are names, email addresses, bank details, social media content, photos and IP addresses.

Some key consumer rights you must comply with include, but are not limited to:

  • Consent – consumers must explicitly consent by opting in, consent must be easy to withdraw and requests must be specific and in plain language;

  • Right to access – consumers are entitled to know whether companies process their personal data, where they do so and for what purpose;

  • Right to be forgotten – consumers are entitled to have their personal data erased and have processing and further dissemination halted;

  • Privacy by design – data protection should be included from the onset of designing systems. Data should be minimised and access limited.

While not all software projects and websites concern personal data, many of them do – especially in SaaS businesses. As the personal data aspect in software development is expected to grow in the coming years, complying with the GDPR is becoming increasingly relevant for this sector.

ePrivacy Directive

The ePrivacy Directive (2002/58/EC), commonly known as the “cookie law”, contains specific regulations for data protection in the electric communications sector. For example, the directive prohibits unsolicited commercial electronic mailings (“spam”). It contains strict rules on the use of cookies, and contact details may only be published with the subject’s consent.

A new ePrivacy Regulation was originally scheduled to enter into force along with the GDPR, but its implementation has since been delayed. The new regulation is intended to safeguard the confidentiality of electronic communications through stronger privacy rules. Unlike the current directive, it includes Internet-based voice and messaging technologies such as Skype, WhatsApp and Facebook Messenger.

The ePrivacy regulation specifically mentions software development in its current versions: “This Regulation should apply to providers of electronic communications services, to providers of publicly available directories, and to software providers of software permitting electronic communications, including the retrieval and presentation of information on the Internet.”


Data security is one of the main challenges for SaaS and IT solution providers. This includes both data protection and recovery systems. Many European buyers expect you to implement an information security and management system, especially in industries in which security is essential, such as finance and banking, healthcare or mobile applications. Although there is no specific legislation on this, the ISO 27000 series contains common standards and guidelines for information security.

ISO 27001 is an internationally recognised standard that provides requirements for an information security management system. Companies can become ISO 27001 certified if they comply with the standard. ISO 27002 is a supporting document to ISO 27001 that gives guidance and advice on the implementation of information security controls. Other supporting guideline documents in the ISO 27000 family are ISO 27003 and ISO 27004. ISO/IEC 27701:2019 is a certifiable privacy extension of ISO 27001, supporting the GDPR.

422 views0 comments


bottom of page