GDPR Archives

SaaS Agreements – GDPR – Local Derogations

The General Data Protection Regulation (“GDPR”) now applies to all SaaS customers and SaaS companies collecting or processing the personal data of individuals located within the EU. SaaS suppliers and SaaS customers must comply with the terms of the GDPR. SaaS suppliers and SaaS customers should be aware, however, that the GDPR does not fully harmonise data protection law throughout the EU, as each EU country may introduce its own requirements in certain instances (“derogations”) under its own local data protection laws. SaaS suppliers and SaaS customers who operate in, or collect or process personal data from persons located in, different EU countries therefore need to be aware of the different data protection laws in effect in each EU country from which they collect or process the data of individuals located there.

Derogations

To date, only a few EU countries have enacted their own local data protection law setting out additional rules and derogations from the GDPR. For example, in the UK the provisions of the Data Protection Act 2018 (“DPA”) apply in addition to the GDPR and include many derogations from the GDPR.

Many EU countries have not yet passed their own local data protection law setting out derogations, although most plan to. SaaS suppliers and SaaS customers must keep up to date on changes that are made to local national data protection laws in each EU country over the next few months.

Current Local Data Protection Laws

Currently the following 8 EU countries have enacted additional, or amended their existing, local data protection laws setting out the derogations from the GDPR applicable in each country:

  • UK
  • Austria
  • Germany
  • Ireland
  • Croatia
  • Netherlands
  • Poland
  • Slovakia

Greece is the only EU country which has confirmed that it will not derogate from the GDPR.

Draft Local Data Protection Laws

Currently the following EU countries have proposed an additional local data protection law setting out the exact derogations from the GDPR applicable in that country:

  • Belgium
  • Bulgaria
  • Cyprus
  • Czech Republic
  • Denmark
  • Estonia
  • Finland
  • France
  • Hungary
  • Italy
  • Latvia
  • Lithuania
  • Luxembourg
  • Malta
  • Portugal
  • Slovenia
  • Spain
  • Sweden
  • Romania

Summary

Where SaaS suppliers or SaaS customers are collecting or processing the personal data of individuals within the EU, they will need to regularly check the rules for each EU country in which they are collecting or processing personal data. Technical and legal measures will need to be implemented and updated to ensure that the local derogations from the GDPR are complied with in each applicable EU country. This applies not only to EU SaaS suppliers and SaaS customers, but also to any entity located outside of the EU which collects or processes the personal data of persons located within the EU.

Help

Irene Bodle is an IT lawyer specialising in SaaS agreements with over 14 years’ experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues, contact me:

irene.bodle@bodlelaw.com
www.bodlelaw.com


______________________________________________________

Other related articles:

SaaS Agreements – GDPR – Data Processing Agreement

Since the General Data Protection Regulation (GDPR) came into force on the 25th of May 2018, SaaS suppliers and SaaS customers are legally obliged to include a written data processing agreement (DPA) in the terms of their SaaS agreements. The DPA usually forms a schedule to the SaaS agreement and must include the specific and detailed mandatory obligations set out in the GDPR. SaaS suppliers should use their own DPA and resist any attempt by a SaaS customer to have them sign up to the SaaS customer’s DPA for the following reasons.

Mandatory Terms

Although the GDPR clearly sets out that the DPA should include all data processor and data controller obligations, many DPAs provided by SaaS customers do not include:

  • All mandatory obligations required under the GDPR; and
  • Any data controller (SaaS customer) obligations at all.

Additional Obligations

Many SaaS customer DPAs seek to impose on SaaS suppliers additional or far more onerous obligations than are required under the GDPR. For example, a SaaS supplier has to report a data breach without undue delay, but SaaS customers will often try to impose an obligation to report immediately or within 24 hours.

Liabilities and Indemnities

SaaS customers often add unlimited liabilities and indemnities to the DPA that only apply to the SaaS supplier, retaining their own limited liability for any breaches. Any limitations on liability included in the SaaS agreement should also apply to breaches of the DPA, particularly in light of the high fines (20 million Euros or 4% of annual worldwide turnover) that can be imposed for a breach of the GDPR.

Security Policy

It is mandatory to set out the technical and administrative security provisions that the SaaS supplier has in place to protect personal data. As the SaaS customer cannot know what security provisions the SaaS supplier and its sub-contractors (i.e. the data centre) have in place, it is entirely unrealistic for the SaaS customer to dictate what these should be, as they will not reflect the actual practices adopted by the SaaS supplier and its sub-contractors. The SaaS supplier should therefore always provide these details.

Applicable Data Protection Law

The DPA should refer to the GDPR and for UK SaaS suppliers, the Data Protection Act 2018. References to the EU Data Protection Directive are now obsolete (unless they refer to amendments or replacement legislation) and should be updated.

Providing Assistance

Many SaaS customer DPAs contain onerous and wide-ranging obligations on SaaS suppliers to assist with audits, DPIAs, data subject requests and the return and deletion of data, which go far beyond the SaaS supplier’s obligations set out in the GDPR. These clauses should be carefully reviewed and amended to reflect the mandatory obligations of the SaaS supplier under the GDPR, and should include provisions for the SaaS supplier to be paid for providing assistance.

Subcontractors

Any exclusion on the use of subcontractors should be removed from the DPA, as all SaaS suppliers use subcontractors due to the nature of cloud computing: every SaaS supplier uses a data centre. The provisions on how and when subcontractors can be used, and in which jurisdictions, should be carefully drafted to ensure that they permit the actual practices of the SaaS supplier in providing the SaaS services.

Controller or Processor DPA

To avoid the above issues, SaaS suppliers should:

  • Draft their own GDPR compliant DPAs;
  • Send existing SaaS customers their DPA for inclusion in the existing SaaS agreement without delay;
  • Include their own DPA in their current SaaS agreements as a schedule for new SaaS customers.

Where a SaaS supplier agrees to use a SaaS customer’s DPA the SaaS supplier should have the terms of the DPA checked by a lawyer who will be able to:

  • Identify which obligations are not mandatory under the GDPR;
  • Identify which obligations of either party are missing;
  • Adapt the terms to protect the interests of the SaaS supplier in compliance with the requirements of the GDPR.


______________________________________________________

Other related articles:

SaaS Agreements – GDPR – Data Protection Act 2018

The UK Data Protection Act 2018 (DPA) came into force on the 25th of May 2018. The DPA replaces the Data Protection Act 1998 in its entirety and applies the standards of the General Data Protection Regulation (GDPR), whilst also attempting to prepare UK data protection law for Brexit. SaaS customers and SaaS suppliers should familiarise themselves with the terms of the DPA in addition to the provisions of the GDPR – as both apply. The DPA also includes a number of derogations from the GDPR.

Derogations

Each of the 28 EU member states is permitted to derogate from some of the provisions of the GDPR by enacting their own local data protection laws. SaaS customers and SaaS suppliers will need to be aware of the additional or differing rules in each of the EU countries in which they collect or process personal data.

Below is a summary of the main derogations in the UK that SaaS suppliers and SaaS customers should be aware of.

Age of Consent

Under the GDPR personal data cannot be collected from children under the age of 16 without obtaining parental consent. The DPA has lowered the age of consent to 13 years of age in the UK. This means that SaaS customers may collect personal data from children from the age of 13 without the need to obtain parental consent. However, SaaS customers and SaaS suppliers should be aware that this derogation only applies in the UK. SaaS suppliers and SaaS customers will need to bear in mind, when collecting and processing personal data from children in other countries within the EU, that:

  • The GDPR restriction of 16 may apply; or
  • Other EU countries may have set a different age of consent.

Right to be Forgotten

Under the GDPR data subjects have the right to be forgotten. The DPA restricts a data subject’s right to access and delete data where there is a strong public policy justification, for example, national security.

Health Data

The DPA includes exceptions to the need to obtain consent from a data subject when processing medical information. Where the derogation applies, there will be no need to obtain advance consent from the data subject. SaaS suppliers and SaaS customers may process personal data concerning health for the purpose of insurance and pension policies.

Automated Processing/Profiling

The GDPR includes the right for a data subject to prevent processing based on automated decision making. The DPA includes exemptions, for example for credit reference checking. However, data subjects must still be permitted to object to decisions made by automated means.

Criminal Convictions and Offences Data

Under the DPA, bodies other than public authorities will be lawfully permitted to process criminal convictions and offences data. For example, employers will be allowed to process criminal convictions data as part of their pre-employment checks and insurers can process criminal convictions data for anti-fraud purposes.

Criminal Offences

The DPA creates two new criminal offences for:

  • Intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data, or knowingly handling or processing such data; and
  • A SaaS supplier or SaaS customer altering records with the intent of preventing disclosure under a subject access request.

Ensuring compliance

SaaS suppliers and SaaS customers should check that their privacy policies and data processing agreements reflect the UK derogations, and that their data processing activities reflect the obligations set out in such policies and agreements. Additionally, SaaS customers and SaaS suppliers must ensure that they also comply with other applicable laws for the particular industry in which they operate, as such laws may impose additional mandatory responsibilities in relation to the age of consent, the duration of storage and obligations to delete personal data.
