
GDPR Compliance for SaaS: How a Merchant of Record Helps

Reduce GDPR compliance risks for digital sales. Discover how a Merchant of Record takes on liability, manages data subject rights & ensures secure processing.

Businesses feel the pain of the General Data Protection Regulation (GDPR). As a sobering reminder of the price of non-compliance, GDPR fines in 2023 alone reached over €1.78 billion. Are you having trouble navigating the nuances of GDPR as a software, video game, or SaaS company?

This guide explains the particular GDPR compliance issues you face and how a Merchant of Record can simplify data privacy management, lower your financial exposure, and help you keep pace with changing legislation.

It is not an option to ignore GDPR. Non-compliance can harm your reputation, undermine customer trust, and result in heavy fines (up to 4% of annual global turnover or €20 million, whichever is larger).

Key Definitions

GDPR (General Data Protection Regulation): An EU regulation governing the processing of personal data of individuals within the EEA. It aims to protect data privacy and security.

Personal Data: Any information relating to an identified or identifiable natural person.

Processing: Any operation or set of operations performed on personal data.

Data Controller: The entity that determines the purposes and means of processing personal data.

Data Processor: The entity that processes personal data on behalf of the controller.

Merchant of Record (MoR): A third party that takes on the legal and financial responsibilities of selling products or services online, including GDPR compliance. The MoR becomes the data controller for transactional data, helping companies offload many compliance responsibilities.

Data Protection Impact Assessment (DPIA): A process to identify and minimize the data protection risks of a project or plan.


What is GDPR?

The GDPR regulates how personal data about persons is processed in the European Economic Area (EEA). It establishes stringent guidelines for the gathering, storing, using, and transferring of data. This creates a complicated web of compliance requirements for software, video game, and SaaS companies, particularly when working with overseas clients.

Any entity, regardless of location, that handles the personal data of EU citizens is subject to the GDPR. This means that even if they are based outside of the EU, SaaS, software, and video game companies that sell to EU customers have to comply. By serving as a barrier between your company and the dangers of EU enforcement, a Merchant of Record can be an essential ally in navigating these requirements.

Specific GDPR Hurdles in Digital Sales

Because of the nature of their business models, SaaS, software, and video game companies face particular GDPR challenges:

  • Subscription management: handling user data across recurring subscriptions requires strong data governance and permission management procedures.
    - Example: every time a player's subscription billing is renewed, the game studio must ask for their continued approval.
  • Global data transfers: transferring data outside the EEA requires Standard Contractual Clauses (SCCs) or a comparable mechanism.
    - Example: a SaaS company relies on SCCs to host analytics data on servers located in the United States.
  • Data localization: some countries, such as Germany, require local data storage.
    - Example: to comply, a software provider stores the data of German users in Germany.
  • Clear consent and user control: both are required for user tracking and analytics.
    - Example: before tracking player activity for personalisation, a game app requests permission.
  • Microtransactions and in-app purchases: these involve handling sensitive payment information.
    - Example: ensuring card details are processed securely when buying mobile games.


Recent GDPR Enforcement Actions

Here are three well-known GDPR enforcement actions:

Amazon (2021): €746M fine for invalid consent in advertising.

Meta (2023): €1.2B fine for unlawful international data transfers to the US.

H&M (2020): €35M fine for employee data misuse.


The Merchant of Record Advantage

A Merchant of Record (MoR) makes GDPR compliance considerably easier, especially for companies that sell online and do business internationally. Here is a breakdown of common problems and the solutions a MoR offers:

Complicated GDPR regulations for data transfer and processing

  • Solution: MOR complies with GDPR when handling processing.
  • Result: Reduced legal and regulatory risk.

Managing consent appropriately

  • Solution: MOR keeps auditable records and puts in place compliance consent workflows.
  • Result: Increased openness and user trust.

Addressing requests from data subjects

Complying with data transmission and localization regulations

  • Solution: MOR guarantees legitimate transfer techniques and local hosting.
  • Result: International adherence to evolving norms, particularly those expected to result from the pending Schrems III case.

GDPR-related financial responsibility

  • Solution: MOR takes over the liability and compliance responsibilities.
  • Result: Peace of mind and protection from fines.
Your Dedicated eCommerce Partner

Thrive with the industry's most innovative all-in-one SaaS & Digital Goods solution. From high-performing payment and analytics tools to complete tax management, as well as subscription & billing handling, PayPro Global is ready to scale your SaaS.

Sell your SaaS globally with PayPro Global!

MoR and Data Subject Rights: The Right to Be Forgotten

Here is a breakdown of the procedure:

Request intake and confirmation: the MoR logs and authenticates requests to delete data.

Coordination of data: the MoR works with the client to remove the data from every system that holds it.

Confirmation and logging: the MoR notifies the requester and documents the erasure, keeping records for regulatory audits.
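The three steps above, carried through in code as an added example; this is not PayPro Global's code or process, and the data stores, the customer identifiers and the token-based verification are constructed assumptions. The point it makes that the prose does not: the request is authenticated before anything is deleted, deletion is verified across every store before the requester is told it is done, and the audit record contains only the internal id and the outcome, never the personal data that was erased.

```python
"""Illustrative right-to-erasure workflow (added example, not PayPro Global code).

Models the three steps: authenticate the request, coordinate deletion across
every system that holds the subject's data, then confirm and keep an auditable
record. All systems and records below are constructed in-memory stand-ins.
"""
import hmac
import json
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample data stores; a real MoR would call billing, CRM, support, etc.
SYSTEMS = {
    "billing": {"cust_42": {"card_last4": "4242", "email": "ana@example.com"}},
    "crm": {"cust_42": {"email": "ana@example.com", "plan": "pro"}},
    "support": {},  # this customer never opened a ticket
}

# Hypothetical verification step: the requester proves control of the account
# by echoing back a one-time token that was sent to the e-mail on file.
PENDING_TOKENS = {}


def issue_verification_token(customer_id, email):
    """Issue a one-time token for an erasure request (delivery is out of scope here)."""
    token = secrets.token_urlsafe(16)
    PENDING_TOKENS[customer_id] = (email, token)
    return token


@dataclass
class ErasureRecord:
    """Audit record: holds the internal id and outcome only, never the erased data."""
    customer_id: str
    requested_at: str
    systems_cleared: list = field(default_factory=list)
    systems_empty: list = field(default_factory=list)
    status: str = "pending"


def handle_erasure_request(customer_id, presented_token, stores=SYSTEMS):
    """Authenticate the request, delete everywhere, verify, and return an audit record."""
    record = ErasureRecord(customer_id, datetime.now(timezone.utc).isoformat())

    # Step 1: intake and authentication. Reject before touching any data.
    expected = PENDING_TOKENS.get(customer_id)
    if expected is None or not hmac.compare_digest(expected[1], presented_token):
        record.status = "rejected: authentication failed"
        return record

    # Step 2: coordinate deletion across every system that may hold the data.
    for name, table in stores.items():
        if customer_id in table:
            del table[customer_id]
            record.systems_cleared.append(name)
        else:
            record.systems_empty.append(name)

    # Step 3: verify nothing remains before confirming to the requester, then log.
    remaining = [name for name, table in stores.items() if customer_id in table]
    record.status = "completed" if not remaining else f"incomplete: {remaining}"
    PENDING_TOKENS.pop(customer_id, None)  # token is single-use
    return record


def audit_line(record):
    """Serialize the record as one JSON line for the compliance log."""
    return json.dumps(record.__dict__, sort_keys=True)


if __name__ == "__main__":
    token = issue_verification_token("cust_42", "ana@example.com")
    print(audit_line(handle_erasure_request("cust_42", "not-the-token")))
    print(audit_line(handle_erasure_request("cust_42", token)))
```

Run as a script it prints two audit lines: the first shows a rejected attempt with the customer's data untouched, the second a completed erasure listing which systems held data and which were already empty.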


Conducting DPIAs for SaaS and Software Sales

Conducting Data Protection Impact Assessments (DPIAs) for software and SaaS sales is an essential procedure, particularly given the growing significance of data privacy laws such as the GDPR. Here is the process:

Steps to take:

  1. Determine whether a DPIA is necessary.
  2. Describe the scope of the processing.
  3. Evaluate necessity and proportionality.
  4. Assess the risks to individuals.
  5. Put safeguards in place.
  6. Keep a record of everything.
  7. If necessary, consult the regulator.


Example DPIA: Introducing a Geo-Based Feature

To provide users with local weather alerts, your app tracks their locations.

Risks: privacy invasion and unauthorized tracking.

Mitigations: encrypting messages, anonymizing location data, and requiring user consent.
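Two of the three mitigations just listed (consent and anonymized location data) in code, as an added example that is not part of the original article. The consent register and the grid size are constructed assumptions; the design point is that a weather alert only needs to know roughly where the user is, so the precise coordinate is reduced to a coarse cell before it is stored and the raw value is never written, and nothing at all is processed for a user who has not consented.

```python
"""Added example for the geo-based-feature DPIA (not from the original article).

Collects location only with recorded consent and stores only a coarse grid
cell, which is enough for a regional weather alert but not for tracking a
person's movements. Grid size and the consent register are assumptions.
"""
import math
from dataclasses import dataclass

# Assumed cell size: 0.25 degrees is roughly 25 km at mid-latitudes, coarse
# enough for a weather alert and too coarse to follow an individual.
GRID_DEGREES = 0.25

# Constructed consent register; a real app would read this from its consent store.
CONSENTS = {"user_1": True, "user_2": False}


@dataclass(frozen=True)
class WeatherCell:
    """The only location value that is ever persisted."""
    lat_cell: float
    lon_cell: float


def coarsen(lat, lon, grid=GRID_DEGREES):
    """Snap a precise coordinate to the south-west corner of its grid cell."""
    return WeatherCell(math.floor(lat / grid) * grid, math.floor(lon / grid) * grid)


def record_location(user_id, lat, lon, store, consents=CONSENTS):
    """Store the coarse cell for a consenting user; do nothing otherwise.

    Returns the stored cell, or None when there is no consent on record.
    """
    if not consents.get(user_id, False):
        return None  # no consent: the coordinate is not processed or stored
    cell = coarsen(lat, lon)
    store[user_id] = cell  # the raw lat/lon is never written anywhere
    return cell


if __name__ == "__main__":
    cells = {}
    # Constructed sample coordinates; two points a few km apart land in one cell.
    print(record_location("user_1", 52.5200, 13.4050, cells))
    print(record_location("user_1", 52.6000, 13.3000, cells))
    print(record_location("user_2", 48.8566, 2.3522, cells))
    print(cells)
```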


GDPR Compliance Timeline (Simplified)


  • Create a data flow map.
  • Perform a DPIA.
  • Select your MoR.
  • Put consent gathering into action.
  • Test your data deletion flows.
  • Start monitoring compliance from a dashboard.

Tips and Best Practices

Consider these best practices when implementing and monitoring GDPR compliance:

  1. Reduce the amount of data that is collected.
  2. Include privacy in the design of your products.
  3. Conduct routine system audits.
  4. Keep an eye on legal developments such as Schrems III.
  5. Educate your team.
  6. Make sure GDPR provisions are included in vendor contracts.

Common Mistakes

Here are some mistakes that SaaS, software, and video game companies make:

  • Assuming that GDPR is not relevant.
  • Pre-checked consent forms.
  • Lacking a plan for data breaches.
  • Disregarding user requests to be deleted.
  • Believing without confirmation that third-party tools are compliant.

Conclusion

GDPR is here to stay, and as international data rules change, so does its complexity. Software, gaming, and SaaS companies must be proactive about compliance or face severe penalties. Working with a Merchant of Record offers a scalable and realistic route to customer confidence and data protection.


Disclaimer: Please bear in mind that this article should not be treated as legal advice in complying with the GDPR. The sole purpose of this article is to facilitate a better understanding of the approved EU data privacy law.
If you are in need of legal advice on the matter, we urge you to seek the assistance of an attorney, who can apply the GDPR to the specific needs of your company.

FAQs

What are the main GDPR risks for software and video game businesses?

Businesses in the software, SaaS, and video gaming sectors face unique GDPR challenges due to their digital nature and global reach. Key risks involve managing user consent effectively across subscriptions and for user tracking/analytics, ensuring lawful international data transfers (often requiring mechanisms like Standard Contractual Clauses or SCCs), complying with potential data localization laws in specific countries, and securely handling sensitive payment information for microtransactions and in-app purchases. Failure to address these areas properly can expose your business to significant compliance violations and penalties, as seen in recent enforcement actions against major tech companies.

How can a Merchant of Record help my business comply with GDPR?

A Merchant of Record (MoR) acts as the legal entity responsible for selling your digital products or services online, and in doing so, it significantly simplifies your GDPR compliance burden for those transactions.


The MoR becomes the data controller for the transactional data it processes (like payment details and billing information). This means the MoR assumes key GDPR responsibilities such as obtaining valid consent during purchase, handling data subject requests (like access or deletion) related to transactions, ensuring compliant data transfer mechanisms, and taking on the financial liability for GDPR compliance concerning that sales data. This reduces your direct regulatory risk and administrative workload.

Does using a Merchant of Record remove all my GDPR responsibilities?

No, using a Merchant of Record primarily shifts the GDPR responsibilities related to the sales transaction process but doesn't eliminate all obligations for your company.

While the MoR is the data controller for the payment and billing data it handles, your company likely remains the data controller for other personal data you collect directly. This could include user account information (beyond payment details), product usage analytics, marketing communication data, or employee data. You must still ensure your own internal data processing activities are GDPR compliant.

What does a Merchant of Record actually do regarding GDPR?

A Merchant of Record performs several key tasks to manage GDPR compliance for the sales it processes on your behalf.


This typically includes: implementing compliant checkout flows to capture necessary consents, securely processing and storing payment information, establishing procedures to manage data subject access and deletion requests for transactional data, ensuring legal data transfer mechanisms (like SCCs) are in place if data crosses borders (e.g., outside the EEA), adhering to data localization rules where applicable, and maintaining auditable records of these compliance activities.

Meet the Author

Ioana Grigorescu

Ioana Grigorescu is PayPro Global's Content Manager, focused on creating strategic writing pieces for SaaS, B2B, and technology companies. With a background that combines Languages and Translation Studies with Political Sciences, she's skilled in analyzing, creating, and communicating impactful content. She excels at developing content strategies, producing diverse marketing materials, and ensuring content effectiveness. Beyond her work, she enjoys exploring design with Figma.

  • GDPR places a lot of requirements on businesses that handle the personal data of EU citizens.
  • Heavy fines, harm to one's reputation, and a decline in customer trust might result from noncompliance.
  • As the data controller for transactional data, a MoR relieves businesses of compliance duties while maintaining data security.
