2023 – Bodle Law

SaaS Agreements – Data Protection: UK-US Data Bridge

26/09/2023 Irene Bodle

On Friday the 22nd of September the UK agreed its own transfer mechanism which can be used instead of UK standard contractual clauses.

From the 12 October 2023, SaaS Suppliers and SaaS Customers can start to transfer UK personal data to entities located in the USA provided that the US entity is certified under the new “UK Extension to the EU-US Data Privacy Framework” (UK-US Data Bridge).

This now means that all transfers of UK personal data made to US companies certified under the UK-US Data Bridge by SaaS companies will be deemed to be to a third country that has adequate data protection laws.

Once a US organisation has been certified and is publicly placed on the DPF List they can receive EU personal data through the DPF.

SaaS Agreements – Data Protection: EU-US Data Privacy Framework (DPF)

25/09/2023 Irene Bodle

In July 2023 the EU-US Data Privacy Framework, (DPF) was finally agreed between the EU and the USA. The DPF now provides a new transfer mechanism for SaaS suppliers and SaaS customers to use when transferring EU personal data to the USA. The DPF can be used instead of EU standard contractual clauses.

This means that all transfers of EU personal data made to US companies certified under the DPF by SaaS companies will be deemed to be to a third country that has adequate data protection laws.

SaaS Agreements – Data Protection – Restricted Transfers

04/07/2023 Irene Bodle

SaaS suppliers and SaaS customers currently have to comply with complicated rules and include onerous obligations in their SaaS agreements, data processing agreements and data privacy practices to lawfully make restricted transfers of personal data when proving SaaS services. Before making any restricted transfers of personal data, SaaS suppliers must ensure that the specific safeguards required under the UK GDPR and the EU GDPR are in place.

SaaS Agreements – Data Protection – Does your DPA and Sub-Processor List need updating?

20/06/2023 Irene Bodle

Meta were fined 1.2 billion Euros for breaches of EU data protection law and for transferring personal data of EU users to the US despite, using standard contractual clauses, (SCCs), having in place supplemental measures and carrying out data transfer impact assessments, (DTIAs). Google has also been pursued in various EU member states for similar breaches.

In light of these decisions, SaaS suppliers should review their own data protection practices and documentation to ensure that they are up to date and comply with the current rules.

SaaS Agreements – Data Retention and Deletion

25/01/2023 Irene Bodle

In compliance with their respective obligations under the GDPR, SaaS suppliers and SaaS customers must only keep personal data for as long as necessary and as specified to data subjects. SaaS suppliers should include their obligations in relation to retention and deletion of personal data when acting as a data processor in their SaaS agreement and when acting as a data controller in their privacy policy.

Name	Borlabs Cookie
Provider	Borlabs - Benjamin a. bornschein
Purpose	Saves the visitors preferences selected in the Cookie Box of Borlabs Cookie.
Privacy Policy	https://borlabs.io/privacy/
Cookie Name	borlabs-cookie
Cookie Expiry	180 days

Accept	Google Analytics
Name	Google Analytics
Provider	Google Inc.
Purpose	Cookies are set by Google and are used for website analytics and performance measurement. Cookies create statistical data on how visitors use our Site.
Privacy Policy	https://policies.google.com/privacy?hl=en
Cookie Name	_ga ; _ga_*
Cookie Expiry	_ga : 1 year 1 month, _ga_* : 1 year 1 month