SaaS Agreements – Data Protection – Restricted Transfers

SaaS suppliers and SaaS customers currently have to comply with complicated rules and include onerous obligations in their SaaS agreements, data processing agreements and data privacy practices to lawfully make restricted transfers of personal data when proving SaaS services. Before making any restricted transfers of personal data, SaaS suppliers must ensure that the specific safeguards required under the UK GDPR and the EU GDPR are in place.

Continue reading

SaaS Agreements – Data Protection – Does your DPA and Sub-Processor List need updating?

Meta were fined 1.2 billion Euros for breaches of EU data protection law and for transferring personal data of EU users to the US despite, using standard contractual clauses, (SCCs), having in place supplemental measures and carrying out data transfer impact assessments, (DTIAs). Google has also been pursued in various EU member states for similar breaches.

In light of these decisions, SaaS suppliers should review their own data protection practices and documentation to ensure that they are up to date and comply with the current rules.

Continue reading

SaaS Agreements: EU-US Adequacy Decision – Update

Following the Schrems II judgment, the EU-US Privacy Shield was declared invalid, meaning that SaaS suppliers and SaaS customers have to use standard contractual clauses (SCS) or BCRs when making transfers of EEA (or UK) personal data to the USA. In addition, SaaS customers and SaaS suppliers are required to carry out a data transfer impact assessment (DTIA) prior to transferring any personal data from the EEA or UK to a “third country” i.e. the USA.

Continue reading

SaaS Agreements – Data Retention and Deletion

In compliance with their respective obligations under the GDPR, SaaS suppliers and SaaS customers must only keep personal data for as long as necessary and as specified to data subjects. SaaS suppliers should include their obligations in relation to retention and deletion of personal data when acting as a data processor in their SaaS agreement and when acting as a data controller in their privacy policy.

Continue reading

SaaS Agreements – New UK SCCs – IDTA and UK Addendum

Since the EU-US Privacy Shield was declared invalid following the Schrems II decision in 2020 of the ECJ, SaaS suppliers and SaaS customers have had to use EU standard contractual clauses, (“EU SCCs”) or binding corporate rules (“BCRs”) when transferring personal data from the EEA, UK or Switzerland to a third country not deemed “adequate” by the European Commission.

Continue reading

SaaS Agreements – FAQs – Cookies

Cookies are small text files placed on a user’s hardware device, such as a computer, tablet or mobile phone which record online activity. The majority of websites use cookies to measure visits and the use of websites (analytics cookies). Cookies are often also used to save user names, passwords and user preferences to make repeated use of a website more comfortable for the user. However, increasingly cookies are being used to collect information about users for the purposes of targeted marketing, tracking and other non essential purposes.

Continue reading

SaaS Agreements – GDPR – EU-US Privacy Shield Invalid

On the 16th of July 2020 the EU-US Privacy Shield was ruled invalid with immediate effect by the European Court of (“CJEU”). The steps that SaaS suppliers now need to take depend on the scale and type of international data flows and the transfer mechanisms used. If you rely solely upon the EU-US Privacy Shield for transfers to the US, you must replace the Privacy Shield with the EU Commission’s Standard Contractual Clauses (“SCCs”).

Continue reading