SaaS Agreements – FAQs – EU Model Clauses

EU model clauses are standard data processing agreements that have been approved by the EU Commission as providing adequate protection. There are currently two sets of standard contractual clauses for transfers of personal data between data controllers and one set for transfers between a data controller and a data processor. EU model clauses must be used unamended (other than where specific details may be added, as set out in the notes to the clauses).

Where personal data is transferred from:

a data controller in the EU (SaaS customer) to a data processor outside of the EEA (SaaS supplier); or
a SaaS supplier within the EU to a sub-processor located outside of the EEA;

the SaaS supplier will need to enter into EU model clauses with the SaaS customer or SaaS sub-processor, as applicable.

Continue reading

SaaS Agreements – Data Protection – General Data Protection Regulation (GDPR)

At the end of 2015 the European Commission published the test of the new Data Protection Regulation (“GDPR”) which will replace the existing EU Data Protection Directive and harmonise European data protection law. The GDPR is expected to be adopted in Spring 2016. Once adopted, the GDPR will come into force within 2 years and in the UK the GDPR will replace the Data Protection Act 1998. This will have a significant effect on both SaaS suppliers and SaaS customers.

Continue reading

SaaS Agreements – Data Protection – EU US Privacy Shield

A new privacy agreement called the Privacy Shield has been agreed by the US and EU to replace the safe harbour scheme. The Privacy Shield is based upon safe harbour but has additional protections, particularly with regard to public authority access to personal data. The Privacy Shield must now be reviewed by the European Commission before it can be relied upon and adopted by SaaS suppliers or customers. The European Commission is currently assessing whether or not the Privacy Shield provides adequate protection in accordance with EU data protection laws. This process is expected to take up to 3 months.

Continue reading

SaaS Agreements – Data Protection – Direct Marketing Rules

In September 2013 the Information Commissioner’s Office (ICO) published a lengthy guide to Direct Marketing. The guide covers compliance with the Data Protection Act 1998 (DPA) and the Privacy and Electronic Communications Regulations 2003 (PECR) in relation to the sending of unsolicited marketing. SaaS suppliers who are sending unsolicited marketing

Continue reading

SaaS Agreements – Data Protection – Russian Data Centres

SaaS Suppliers who will be processing personal data of Russian citizens on behalf of SaaS customers need to be aware of amendments to the Russian Federal Law on Personal Data. From the 1st of September 2015 changes to this Russian law may prohibit foreign SaaS suppliers from processing personal data of Russian citizens on servers located outside of Russia.

Continue reading

SaaS Agreements – Data Protection – Anonymising Data

Many SaaS suppliers use personal data, collected on behalf of SaaS customers, in an anonymised form for their own purposes, such as benchmarking. The UK Information Commissioner’s Office (ICO) Anonymisation Code and more recently the Article 29 Working Party’s Opinion on Anonymisation provide guidance on how to check that personal data is actually anonymous.

If you are a SaaS provider using anonymised personal data you should comply with the recommendations in these two guides, to ensure that you are properly anonymising data, otherwise you could be found to be using personal data in breach of the DPA.

Continue reading

SaaS Agreements – Data Protection – Which law applies?

UK SaaS suppliers who provide cloud computing services to SaaS customers located outside of the UK are increasingly being required to comply not just with UK data protection law, but also the data protection laws of the countries in which the SaaS customer and its clients are based. This increasingly creates problems for SaaS suppliers, as data protection laws generally assume that data is stored/processed in one place. However when operating in the cloud data is often moved between jurisdictions and often it may be unclear exactly where data is being stored or processed and who is storing and processing it.

Two recent cases against Facebook and Google show the extent of this developing problem.

Continue reading

SaaS Agreements – Data Protection – BYOD

Employees are increasingly using their privately owned devices (i.e. Ipads, tablets, mobile phones and laptops) for business purposes and may be accessing SaaS customer data using them. SaaS suppliers who allow staff to use such “bring your own devices” (BYOD) for work purposes should be aware of their duties to protect any SaaS customer personal data being accessed by staff using such BYODs.

Continue reading

SaaS Agreements – Data Protection – Update on the EU Draft Data Protection Regulation

SaaS suppliers should be aware of the recent changes made by the EU Parliament to the draft EU Data Protection Regulation (Regulation). If this amended version of the Regulation becomes law next year the obligations of SaaS suppliers who process personal data on behalf of customers will radically change. A summary of the current main proposed provisions is set out below.

Continue reading
Bodle Law