SaaS Agreements – Data Protection – Safe Harbor Still Adequate

Recently, the Department of Commerce’s International Trade Administration (ITA) – a US government body – published a document confirming that any SaaS suppliers based in the US (and/or SaaS suppliers using a data centre located in the US) who are “safe harbor” registered must be recognised as having an “adequate” level of data protection. The ITA rejected the view that EU data protection authorities can unilaterally refuse to recognise safe harbor certification as a valid means of demonstrating that a SaaS supplier based in the US (and/or SaaS suppliers using a data centre located in the US) has an adequate level of data protection.

Continue reading

SaaS Agreements – FAQs – Transferring Data Outside the EEA

When negotiating a SaaS agreement with SaaS customers you will often need to transfer customer data outside of the EEA (European Economic Area). This could be at the request of your customer or more usually because you have a sub-contractor such as a data centre located outside of the EEA. SaaS suppliers should be aware of the following in order to comply with their duties under the Data Protection Act.

Continue reading

SaaS Agreements – Data Protection – German Customers and Data Processing Agreements

If you are negotiating sales of SaaS solutions with German customers, you may be surprised by their insistence on having a separate written data processing agreement in addition to your SaaS agreement. This is a mandatory requirement under German data protection law (The BDSG) which imposes onerous obligations far beyond those found in most other EU data protection laws on the SaaS customer and the SaaS supplier.

Continue reading

Website Legal Requirements – Privacy Policy – Basics for your Website

If you are operating a website and require users to register in order to use your website or you are simply using Google analytics on your website then you are collecting and processing personal data. Under the Data Protection Act 1998, if you collect, store or process personal data you must provide specific information to the persons whose personal data you are using. This information is usually provided to users in a privacy policy which should be published on your website.

Continue reading

SaaS Agreements – Data Protection – Customer Privacy Policy

SaaS Customers often ask or expect SaaS supplier’s to provide them with a privacy policy for use in conjunction with their SaaS products. SaaS suppliers should firmly refuse such requests. Firstly, as they could face liability claims from the customer if the privacy policy is in appropriate and secondly while you will have no adequate knowledge of the issues set out below, which will need to be covered in the privacy policy.

Continue reading

SaaS Agreements – Data Protection – Anonymising Data

Often SaaS suppliers or SaaS customers anonymise personal data for use in statistical or marketing information but are unaware that by using such anonymised data they could be breaching the Data Protection Act 1998 (DPA). The Information Commissioner’s Office (ICO) has recently confirmed that anonymised personal data may be disclosed without the consent of the data subject, provided that the anonymised data when linked with other information will not lead to the identification of an individual.

Continue reading