Legal Checklist for SaaS Platforms in the EU: GDPR, AI Act and Licensing

Do you operate a SaaS platform in the European Union, or are you preparing to launch it on the market? Then you must address a complex set of legal obligations – from GDPR and copyright law through the AI Act Regulation to the proper drafting of Terms and Conditions and licensing arrangements. This article will provide you with clear answers on what you must not overlook, what risks you may be exposed to, and how to effectively avoid the most common mistakes when legally preparing your platform.


Quick summary

  • SaaS platforms in the EU must comply with at least three main legal frameworks: GDPR (personal data protection), the AI Act (the EU regulation on artificial intelligence) and copyright law—each with its own sanction risks that can reach tens of millions of euros.
  • General Terms and Conditions and data processing agreements are not an optional luxury, but mandatory documents that define the legal position of the provider and the customer, and without them you expose yourself to liability for damages.
  • Licensing arrangements for AI outputs remain a legal challenge, because content generated by artificial intelligence without demonstrable human creative input is not considered a copyrighted work under Czech law.

Legal architecture of a SaaS platform

If you asked attorneys one fundamental question—without which no other legal aspects of a SaaS platform can be set up correctly—it would be this: Who determines the purposes and means of processing personal data? The answer to this question drives all other obligations—from contract content to the way data is stored.

The Czech legal team at ARROWS, a Prague-based law firm, deals with this core issue on a daily basis. In the EU, there are two key roles: the personal data controller (the party that decides how and why data is handled) and the processor (the party that processes data for the controller under its instructions). 

In SaaS solutions, the situation becomes more complex because there may be multiple controllers at once; the SaaS platform operator itself acts as a controller where, for example, it administers customers’ user accounts for billing purposes.

On the other hand, if your customers use your platform to upload and process personal data of their employees, clients, or business partners, then your customer is the controller and you are the processor. This is precisely why it is essential to define these roles clearly in every contract—not only because Article 28 GDPR requires it, but also so it is clear who bears responsibility if an incident occurs.

The situation becomes even more complicated when third parties enter the picture. For example, if your SaaS platform runs in the cloud of a global provider, that provider becomes your additional processor (sub-processor). You must enter into your own data processing agreement with them, and it must provide sufficient safeguards for data protection. In practice, many SaaS operators overlook this chain entirely, and during an audit or incident it turns out they have no clear overview of which parties actually have access to customer data.

Related questions on legal architecture

1. What is the difference between a controller and a processor under the GDPR, and why does it matter?
The controller determines the purposes and means of processing, while the processor carries out activities based on the controller’s instructions. In a SaaS environment, you are typically the processor of your customers’ data (data they upload into the system), but the controller of the customers’ own data (billing details, logins). This split is critical because it results in different obligations and liability.

2. Do I need an agreement also with the cloud provider that hosts my data?
Yes, absolutely. If the cloud provider has access to personal data (which it does in hosting), it is an additional processor. You must have a personal data processing agreement (DPA) in place or accept their Data Processing Addendum, which must meet the requirements of Article 28 GDPR.

3. What if I have multiple cloud providers or subcontractors?
Each of them that comes into contact with personal data is your additional processor. You must inform your customers (the controllers) about their involvement, and they must have the option to object to the engagement of a new processor. All of these entities form your processing chain.

GDPR and SaaS: When is data processing lawful

Processing personal data in a SaaS environment is not legally neutral. The GDPR sets a clear rule: without a legal basis, processing is prohibited. This means that if you want to store employee data, collect clients’ email addresses, or log IP addresses, you must have a legal reason for each such purpose.

The GDPR provides six legal bases. In practice, in a SaaS environment, four legal bases are used most often: performance of a contract, compliance with a legal obligation, legitimate interest, and the data subject’s consent. One of the biggest risks lies precisely in legal bases, as many SaaS providers mistakenly believe they can use data freely.

For example, “improving the service” using customer data requires a careful assessment of whether this still qualifies as a legitimate interest, or whether the data needs to be anonymised. The attorneys at ARROWS, a Prague-based law firm, regularly address this issue and know the practical limits of so-called balancing tests (legitimate interest assessments), which you must carry out and document if you rely on this legal basis.

Main obligations when processing personal data

Once you have a legal basis, a number of further obligations follow. You must maintain Records of Processing Activities (under Article 30 GDPR), in which you record for each processing activity the purpose, data categories, retention period, recipients, and security measures. If your SaaS application uses AI features that learn from user interactions, you should explicitly define this purpose and its risks in the records.

You must also meet your transparency obligations through a Privacy Policy, where you must clearly explain to users how you handle their data. In practice, this means that if a user exercises the right to erasure, you must be technically able to actually delete the data from the database.

One important obligation is the data protection impact assessment (DPIA). If you operate a SaaS platform that is likely to result in a high risk to the rights and freedoms of individuals (e.g., large-scale processing of sensitive data or profiling), the GDPR requires you to carry out a DPIA before processing begins. The absence of a DPIA for high-risk systems is a frequent target of supervisory authority audits in the EU.

Data security in a SaaS environment

In the EU, SaaS personal data security requirements are strict. Under Article 32 of the GDPR, you must implement appropriate technical and organisational measures. This includes encryption of data at rest and in transit, which in practice means the database should not be stored in plain text and all communication must take place via secure protocols.

Access management and authentication are also required. A SaaS application should have audit logs that record who logged in and what data they viewed or changed, which is essential for tracing the causes of security incidents.

You must also have a plan for handling security incidents. The GDPR requires you to notify the Office for Personal Data Protection (ÚOOÚ, the Czech data protection authority) within 72 hours of becoming aware of a personal data breach that poses a risk to individuals’ rights and freedoms. If you act as a processor, you must report the incident to your customer (the controller) without undue delay so that they can meet their legal obligations under Czech and EU data protection rules.

What you risk if you do not comply with the GDPR

| Risks and penalties | How ARROWS can help (office@arws.cz) |
| --- | --- |
| Fine for lack of a legal basis: Processing without a valid legal basis may lead to a fine of up to EUR 20 million or 4% of worldwide annual turnover. | Audit and review of legal bases: ARROWS attorneys in Prague will conduct an audit, identify the correct legal bases, and help set up processes so that processing is lawful under the GDPR. |
| Fine for failure to meet information obligations: A non-transparent or missing Privacy Policy is a common reason for complaints and penalties. | Preparation of a Privacy Policy: ARROWS will draft clear and legally compliant documents that meet the information obligations towards users. |
| Penalties for insufficient security: A data leak caused by lack of encryption or weak passwords is a breach of Article 32 GDPR. | Legal support in setting up security: We will help define appropriate security measures and reflect them in your contractual documentation. |
| Fine for an unmanaged processor chain: Using subcontractors without contracts (DPAs) is a breach of the GDPR. | Review of supplier contracts: We will review and set up data processing agreements with your cloud and technology partners. |
| Missing DPIA for high-risk systems: Launching a high-risk technology (e.g., AI profiling) without a data protection impact assessment is an administrative offence under EU and Czech data protection rules. | Preparation of a DPIA: We will guide you through the entire impact assessment process, identify risks, and propose measures to mitigate them. |

AI Act: Obligations for artificial intelligence in 2026

In 2026, the Artificial Intelligence Regulation (AI Act) is already fully in force and enforceable across the EU. If your SaaS platform uses AI (chatbots, recommendation algorithms, generative models, image analysis), you must comply with this legislation. Breaches of the rules on prohibited practices may result in a fine of up to EUR 35 million or 7% of worldwide annual turnover; for other obligations, up to EUR 15 million or 3% of turnover.

The AI Act classifies systems by risk level. Your SaaS application will likely fall into one of the following risk categories.

  • Prohibited systems: e.g., social scoring, biometric categorisation of sensitive data, or manipulative techniques. You must not offer these features in the EU.
  • High-risk systems (High-Risk AI): e.g., systems used in recruitment, credit scoring, education, or critical infrastructure. This is where the strictest obligations apply.
  • Limited-risk systems: e.g., chatbots or deep fakes. Here, transparency obligations primarily apply.
  • General-purpose models (GPAI): If you integrate powerful models (LLMs), specific rules apply to their providers.

If you operate a high-risk system, you must implement a risk management system, maintain technical documentation, ensure accuracy and cybersecurity, and above all enable human oversight over the system’s decision-making.

Classification and roles in the AI value chain

It is crucial to determine whether you are the provider of an AI system or its deployer. If you develop your own AI model or substantially modify a third-party model under your brand, you are a provider with all related obligations (certification, registration in the EU database).

If you only use an API (e.g., from a global model provider) and integrate it into your SaaS without materially changing its intended purpose, you are in the position of a deployer, who must ensure the system is used in accordance with the instructions and ensure human oversight and user awareness. The Czech legal team at ARROWS, a Prague-based law firm, helps clients correctly determine their role and risk category, which can save substantial compliance costs.

Transparency and content labelling

Article 50 of the AI Act requires transparency. The user must know they are communicating with a machine (chatbot). There is also an obligation to label AI-generated outputs so that they are machine-detectable (watermarks, metadata), which is particularly relevant for image, video, and audio generators (deep fakes). If your SaaS generates content, you must ensure it is identifiable as artificial.

Copyright and AI-generated content

One of the most pressing issues for SaaS operators is who owns AI-generated content. Under Czech law, the answer in 2026 remains relatively strict. Under the Czech Copyright Act (Section 5), only a natural person can be an author.

Case law (e.g., a decision of the Municipal Court in Prague regarding an AI-generated image) confirms that an output created by artificial intelligence without substantial human creative input is not a copyrighted work. Entering a text prompt alone is generally not sufficient for copyright to arise in the result.

This has major implications for your SaaS platform. If you want to provide your users with an AI feature that generates content (texts, graphics) and you want to “assign copyright” to them contractually, you face the legal reality that no copyright has arisen. You cannot transfer what does not exist.

How to address this in licence terms

The solution is transparency and proper drafting of your Terms and Conditions.

  • Do not create an impression of exclusivity: Inform users that AI outputs may not be protected by copyright and that the same prompt may generate a similar output for another user.
  • Human creative input: If your platform allows the user to further edit and modify the output, copyright may arise in the final, human-edited work.
  • Training data: The AI Act requires providers of GPAI models to publish a summary of the content used to train the model.

General Terms and Conditions and data processing agreements

Terms and Conditions for SaaS are not just a formality. They are the documents that define your commercial relationship. In the EU, Terms and Conditions for B2B SaaS are commonly structured as follows:

  • Scope of the service: SaaS is a service (subscription-based access), not a sale of goods. The customer does not acquire ownership of the software.
  • Licence terms: Scope of use, number of users, prohibition of reverse engineering.
  • Availability (SLA): Availability guarantees and penalties for outages.
  • Liability for damages: A key section. In B2B relationships, liability can be limited, which protects you against potentially ruinous claims.
  • Data protection (DPA): Often provided as an annex addressing GDPR compliance.

Data Act and portability

From September 2025, the Data Act regulation will apply in full. For providers of cloud services (including SaaS), it introduces an obligation to remove obstacles to switching providers. You must ensure that the customer can easily move to a competitor—i.e., enable export of their data in a structured, commonly used, and machine-readable format. Customer lock-in practices (vendor lock-in) are sanctioned under this regulation.

| Risks and penalties | How ARROWS can help (office@arws.cz) |
| --- | --- |
| No limitation of liability: You are liable for all damages and lost profit caused by an outage or an application error. | Setting liability limits: We will prepare valid liability limitation clauses (cap) that will stand up in Czech courts. |
| Missing data processing agreement (DPA): A fine from the Czech Data Protection Authority (ÚOOÚ) and a loss of trust from enterprise clients. | Preparation of GDPR documentation: We will deliver a DPA that complies with Article 28 GDPR and protects you even when engaging subprocessors. |
| Unclear copyright ownership: Users believe they own the software, or conversely you improperly claim their data. | Copyright clauses: We will clearly define what belongs to you (the platform), what belongs to the user (the data), and what regime applies to AI outputs. |
| Breach of the Data Act: Preventing data export or charging disproportionate fees for a client’s exit. | Data Act compliance: We will advise you on how to set up contract termination and data export processes in line with the new EU legislation. |

Practical steps: How to set up SaaS correctly

If you want your SaaS platform to be legally robust, proceed as follows:

  • Define roles: When are you a controller and when a processor under GDPR? Have you mapped your data flows?
  • Classify AI: Does your solution fall under the EU AI Act? Is it high-risk?
  • Create tailored documentation: Copying a competitor’s Terms and Conditions will not protect you. You need Terms and Conditions, a DPA, and a Privacy Policy that match your technical solution and Czech/EU compliance requirements.
  • Map subcontractors: Have contracts in place with cloud providers and other processors.
  • Set up processes: Incident response plan, handling data subject rights, data export under the Data Act.
  • Secure the application: Encryption, logging, backups.

If it feels like a lot, you are right. Technology law is complex. Our Czech legal team at ARROWS, a Prague-based law firm, deals with these matters every day. If you are not sure where to start, email us at office@arws.cz—we will be happy to assist with a legal assessment and the preparation of documentation.

FAQ – The most common legal questions for a SaaS platform in the EU

1. Do I have to sign a paper contract with every customer?
No. In both B2B and B2C, a contract can be concluded electronically (so-called click-through), where the customer ticks a box accepting the Terms and Conditions. It is important to ensure that the Terms and Conditions are available before the contract is concluded and that the customer can save them. However, for large enterprise clients, individual master agreements are often concluded.

2. What is a DPA and why are Terms and Conditions alone not enough?
A DPA (Data Processing Agreement) is a specific agreement required by Article 28 GDPR if you process personal data on behalf of someone else. It can be part of the Terms and Conditions (as an annex), but it must contain the statutory requirements (subject matter of processing, obligations, confidentiality, subprocessors). Without it, the processing is unlawful.

3. What penalties apply under the AI Act?
Penalties are tiered. For prohibited practices, fines of up to EUR 35 million or 7% of turnover apply. For breaches of obligations for high-risk systems, up to EUR 15 million or 3% of turnover. For providing incorrect information to authorities, up to EUR 7.5 million or 1.5% of turnover.

4. Can I use customer data to train my AI?
Only with great caution. If personal data is involved, you must have a legal basis under GDPR (often only with consent or after thorough anonymisation). If copyrighted works or trade secrets are involved, this must be contractually addressed in your Terms and Conditions. Automated data extraction without the client’s knowledge is legally risky under Czech and EU law.

5. How do SLA and liability for outages work?
An SLA (Service Level Agreement) defines the guaranteed level of service (e.g., 99.9% availability). If you fail to meet it, the customer is usually entitled to a contractual penalty or a discount (credit). A well-drafted SLA also serves as a limit on your liability—if you meet the SLA (or pay the credit), the customer should not be entitled to further damages, provided this is agreed in the contract.

Notice: The information contained in this article is of a general informational nature only and is intended for basic orientation based on the legal position as of 2026. Although we take the utmost care to ensure accuracy, legal regulations and their interpretation evolve over time. We are ARROWS advokátní kancelář, an entity registered with the Czech Bar Association (our supervisory authority), and for maximum client protection we maintain professional liability insurance with a limit of CZK 400,000,000. To verify the current wording of regulations and their application to your specific situation, it is necessary to contact ARROWS advokátní kancelář directly (office@arws.cz). We accept no liability for any damages arising from the independent use of the information in this article without prior individual legal consultation.
