Following the Schrems II judgment, the EU-US Privacy Shield was declared invalid, meaning that SaaS suppliers and SaaS customers have to use standard contractual clauses (SCS) or BCRs when making transfers of EEA (or UK) personal data to the USA. In addition, SaaS customers and SaaS suppliers are required to carry out a data transfer impact assessment (DTIA) prior to transferring any personal data from the EEA or UK to a “third country” i.e. the USA.
Continue readingCategory: GDPR
SaaS Agreements – Data Retention and Deletion
In compliance with their respective obligations under the GDPR, SaaS suppliers and SaaS customers must only keep personal data for as long as necessary and as specified to data subjects. SaaS suppliers should include their obligations in relation to retention and deletion of personal data when acting as a data processor in their SaaS agreement and when acting as a data controller in their privacy policy.
Continue readingSaaS Agreements – New UK SCCs – IDTA and UK Addendum
Since the EU-US Privacy Shield was declared invalid following the Schrems II decision in 2020 of the ECJ, SaaS suppliers and SaaS customers have had to use EU standard contractual clauses, (“EU SCCs”) or binding corporate rules (“BCRs”) when transferring personal data from the EEA, UK or Switzerland to a third country not deemed “adequate” by the European Commission.
Continue readingSaaS Agreements – Cookies – Are your Cookie Banners Compliant
SaaS suppliers and SaaS customers should take note of three recent data protection fines issued against Facebook and Google by the French Data Protection Authority (“CNIL“) for non-compliant cookie banners on their websites. The fines were issued pursuant to breaches of French Data Protection Law and the GDPR and highlight
Continue readingSaaS Agreements – FAQs – Cookies
Cookies are small text files placed on a user’s hardware device, such as a computer, tablet or mobile phone which record online activity. The majority of websites use cookies to measure visits and the use of websites (analytics cookies). Cookies are often also used to save user names, passwords and user preferences to make repeated use of a website more comfortable for the user. However, increasingly cookies are being used to collect information about users for the purposes of targeted marketing, tracking and other non essential purposes.
Continue readingSaaS Agreements – Data Protection – Schrems II: Data Transfer Assessments
Following the Schrems II judgement and the subsequent European Data Protection Board (EDPB) Schrems II guidance, SaaS customers and SaaS suppliers are now required to carry out a data transfer assessment prior to transferring personal data outside the EEA to a third country which does not have an “adequacy” decision from the EU. i.e. any transfer of EU located data to the USA.
Continue readingSaaS Agreements – Data Protection – New EU Standard Contractual Clauses
On the 4th of June 2021 the EU Commission announced the adoption of new Standard Contractual Clauses (new SCCs). The new SCCs must be used by all SaaS suppliers and SaaS customers who transfer personal data from the EU to countries outside the EU/EEA (third countries) when the old SCCs (old SCCs) are repealed on the 27th of September 2021.
Continue readingSaaS Agreements – GDPR – EU-US Privacy Shield Invalid
On the 16th of July 2020 the EU-US Privacy Shield was ruled invalid with immediate effect by the European Court of (“CJEU”). The steps that SaaS suppliers now need to take depend on the scale and type of international data flows and the transfer mechanisms used. If you rely solely upon the EU-US Privacy Shield for transfers to the US, you must replace the Privacy Shield with the EU Commission’s Standard Contractual Clauses (“SCCs”).
Continue readingSaaS Agreements – Brexit – Need for an EU Representative
A “no deal Brexit” is looking likely for the 31st of October 2019. SaaS suppliers and SaaS customers need to take steps now to ensure that they comply with the requirement to appoint an EU Representative under the GDPR, where they will no longer have any establishment in the EU after Brexit.
Continue readingSaaS Agreements – FAQs – Data Processor
It is important for a SaaS supplier to understand the legal obligations imposed upon them as a data processor when negotiating a SaaS agreement and a data processing agreement (“DPA“) as the duties of a data processor are not the same as the duties of a data controller. In a
Continue reading