Following the Schrems II judgment, the EU-US Privacy Shield was declared invalid, meaning that SaaS suppliers and SaaS customers have to use standard contractual clauses (SCCs) or BCRs when making transfers of EEA (or UK) personal data to the USA. In addition, SaaS customers and SaaS suppliers are required to carry out a data transfer impact assessment (DTIA) prior to transferring any personal data from the EEA or UK to a “third country”, i.e. the USA.
Year: 2023
SaaS Agreements – Data Retention and Deletion
In compliance with their respective obligations under the GDPR, SaaS suppliers and SaaS customers must only keep personal data for as long as necessary and as specified to data subjects. SaaS suppliers should include their obligations in relation to retention and deletion of personal data when acting as a data processor in their SaaS agreement and when acting as a data controller in their privacy policy.