SaaS Agreement – FAQs – What is a SLA and Essential Terms to include in a SLA

SLA is the abbreviation for a service level agreement.

Is a SLA a Software Licence

No. A service level agreement (SLA) sets out the SaaS services being provided in addition to the right to use the SaaS software.

What is a SLA

A SLA forms part of a SaaS agreement. The SLA can be contained in a separate schedule to the SaaS agreement, or included in the main terms and conditions of the SaaS agreement. SLAs set out:

How much Detail

It is advisable for a SaaS supplier to provide some degree of detail in the SLA to avoid spending unnecessary time negotiating the addition of further details requested by SaaS customers.

The degree of detail included in the SLA will depend upon:

  • How much a SaaS customer pays for the SaaS software and services;
  • Whether the SaaS software is business critical, e.g. online banking;
  • What is standard in that particular business sector.

Terms to Include

SLAs should generally contain the following provisions, where appropriate:

Advantages of having a SLA

If SaaS suppliers do not have their own SLA, customers will often try to impose their own SLA on the supplier which does not “fit” the SaaS services being provided. This can lead to protracted negotiations about the content of the SLA.

Summary

Due to the unique nature of SaaS and in particular the use of SLAs you should seek specialist legal advice on the content of a SLA whether you are a SaaS supplier or a SaaS customer to ensure that your rights are adequately protected.

Help

Irene Bodle is an IT lawyer specialising in SaaS, with over 14 years’ experience dealing with SaaS, cloud computing matters and IT law issues. If you require assistance with any SaaS agreements, cloud computing matters or any other IT legal issues please contact me at:

irene.bodle@bodlelaw.com
www.bodlelaw.com

______________________________________________________

Other related articles:

SaaS Agreements – FAQs – What is SaaS and Essential Terms to include in a SaaS Agreement

SaaS is the abbreviation for “software as a service”. You may know this under another name, for example subscription agreement, software on demand, software subscription agreement, cloud computing or ASP services (application service provider). These names all refer to the same thing – software being made available via the Internet to users.

What is a SaaS Agreement

A SaaS agreement is simply the name used for the agreement between a SaaS supplier and a SaaS customer which sets out the terms under which SaaS software may be accessed. This will usually include a service level agreement (SLA).

Differences between a SaaS Agreement and a Standard Software Licence

A SaaS agreement differs from a standard software licence in that:

  • The SaaS customer will not usually receive a physical or installed copy of the software;
  • No ownership in the SaaS software will be transferred to the SaaS customer;
  • The SaaS customer’s right to use SaaS software will end upon termination of the SaaS agreement.

Essential Terms to Include in a SaaS Agreement

The following legal issues should be included in any SaaS agreement, whether you are a SaaS supplier or a SaaS customer.

Software Licence

Access to the SaaS software should be limited to the term of the SaaS agreement. Once the SaaS agreement expires or terminates the software licence should automatically terminate.

If the SaaS customer is a global entity, you should specify:

  • Which companies or entities may access the SaaS software;
  • In which territories the software may be used;
  • The number of authorised users;
  • The specific purposes for which the SaaS software may be accessed; and
  • Any third parties who will be permitted access to the SaaS software, e.g. outsourcing providers or clients of the SaaS customer.

Intellectual Property Rights – IPR

The SaaS supplier should retain ownership of all IPR in the SaaS software and services it provides. The SaaS customer should retain ownership of all IPR in its systems, content and data. You should specifically state that the source code remains owned by the SaaS supplier. The SaaS customer should grant the SaaS supplier the right to use its IPRs for the term of the SaaS agreement, e.g. to display the SaaS customer’s logos and copyrighted information.

Applicable Law, Jurisdiction & Language

State which law applies to the SaaS agreement and any disputes arising from it. In international SaaS agreements make sure that you specify in which language the dispute will be dealt with, and if the SaaS agreement is in more than one language, which language prevails if there is a discrepancy between the two versions.

Return of Data

At the end of the SaaS agreement the SaaS customer’s data should be returned. The format in which the data is to be returned and payment for this service should be agreed in advance. Additionally the parties can agree that the SaaS supplier will provide assistance in transferring SaaS customer data to a new supplier – in return for payment for this service.

Data Protection

The SaaS supplier is the data processor and the SaaS customer is the data controller. Under data protection law different rules apply to the data controller and the data processor. The SaaS supplier is obliged to process data in accordance with the SaaS customer’s instructions and should protect itself against claims from third parties that such processing was illegal. Likewise, the SaaS customer will also need to protect itself against claims from third parties caused by the SaaS supplier not processing data in accordance with its instructions or the terms of the SaaS agreement.

From May 2018 each party’s data protection obligations must be set out in a written data processing agreement, which should form a schedule to the SaaS agreement.

Service Level Agreement (SLA)

This sets out the hosting, support and maintenance services being provided to the SaaS customer by the SaaS supplier. The SLA should specify where the data centre is located, who is operating it, what security, backup and disaster recovery procedures are in place. Support hours and support services for dealing with hosting problems and software problems should be identified and documented and the procedure for dealing with upgrades and maintenance to the software should be specified. The particular details will depend on the amount being paid for the hosting, support and maintenance and the purpose for which the SaaS software is being used.

Summary

Due to the unique nature of SaaS agreements you will need to seek specialist legal advice on the content of a SaaS agreement whether you are a SaaS supplier or a SaaS customer to ensure that your rights are adequately protected and that you are fully complying with all applicable laws.

______________________________________________________

Other related articles:

SaaS Agreements – Brexit – How Brexit and the GDPR will affect SaaS Businesses

SaaS suppliers should be aware that from the 25th of May 2018, the General Data Protection Regulation (GDPR) will apply directly in all Member States of the European Union (EU).

Many SaaS suppliers are concerned about the changes the GDPR will impose upon their current data protection obligations, particularly in light of the uncertainties surrounding “Brexit”. SaaS suppliers should be aware that they will be obliged to comply with the new rules imposed by the GDPR from May next year and after Brexit.

Will the GDPR apply in the UK after Brexit

Regardless of the timing of Brexit and any agreement reached between the UK and the EU on the terms under which the UK will leave the EU, the GDPR will automatically apply in the UK, until UK data protection laws are amended.

GDPR applies to UK SaaS Suppliers despite Brexit

Regardless of when and how Brexit takes place or any subsequent changes made to UK data protection laws, the GDPR will still apply directly to SaaS suppliers located within the UK, even though UK SaaS suppliers will no longer be located within the EU themselves after Brexit, if:

  • They offer goods or services to SaaS customers located within the EU (i.e. in any of the remaining 27 Member States); or
  • They monitor the behaviour of EU data subjects.

GDPR will apply to non-EU SaaS Suppliers

From the 25th of May 2018 the GDPR will automatically also apply to all SaaS suppliers located outside of the EU (e.g. in the USA), even though the SaaS supplier is not located within the EU, if:

  • They offer goods or services to SaaS customers located within the EU; or
  • They monitor the behaviour of EU data subjects.

Complying with the GDPR

The following are the main obligations that all SaaS suppliers who are subject to data processor obligations under the GDPR will need to comply with:

  • Having specific minimum terms in a written data processing agreement with all customers;
  • Keeping records of all categories of processing activities that they carry out;
  • Obtaining prior written consent to the subcontracting of any data processing activities;
  • Notifying customers of any breach of their obligations, without undue delay, after becoming aware of the breach;
  • Appointing a data protection officer (DPO) in specific circumstances; and
  • Allowing customers to choose between deletion or return of all personal data.

Fines for Breach

Data subjects will be able to claim damages directly from SaaS suppliers who breach:

  • Any obligations under the GDPR; or
  • Any lawful instructions of the customer.

In addition data protection authorities will be able to fine SaaS suppliers up to 4% of annual global turnover or 20m Euros (whichever is higher) for breaches of the GDPR.

Preparing for Change

The current position with regard to Brexit is unclear and subject to change. However, all SaaS suppliers supplying SaaS services to customers located in the EU need to be aware that current data protection laws will change throughout the EU on the 25th of May 2018, and/or in the UK following Brexit.

SaaS suppliers who plan to provide SaaS services to individuals located in the EU after the 25th of May 2018, need to take the following action:

______________________________________________________

Other related articles:

SaaS Agreements – Data Protection – What SaaS Suppliers need to know about the GDPR

From the 25th of May 2018 the EU General Data Protection Regulation (GDPR) will come into force and change existing data protection laws in all 28 EU member states. The GDPR will place direct obligations on SaaS suppliers (data processors) in relation to data processing activities. In addition SaaS customers (data controllers), their clients (data subjects) and local data protection authorities will be able to enforce breaches of the new rules directly against SaaS suppliers.

SaaS suppliers need to amend the provisions of their existing SaaS agreements in order to comply with the upcoming changes in data protection law.

Written Data Processing Agreement

SaaS suppliers will need to include the following minimum terms in a written data processing agreement with all SaaS customers:

  • The duration, nature and purpose of the data processing;
  • The types of data being processed;
  • The obligations and rights of the customer.

The written data processing agreement must state that:

  • Personal data will only be processed in accordance with documented instructions from the SaaS customer;
  • The SaaS supplier will assist the SaaS customer in complying with its own obligations as a data controller;
  • The SaaS supplier is obliged to inform the SaaS customer if it believes an instruction given by the SaaS customer breaches the GDPR or any other EU or Member State law.

Record Keeping

Unless one of the exceptions applies, the main one being that the SaaS supplier has fewer than 250 employees, SaaS suppliers must keep records of all categories of processing activities that they carry out.

The following details must be recorded:

  • Information about the SaaS customer and any other data processors;
  • Names of relevant data protection officers (DPOs);
  • The categories of data processing carried out;
  • Any transfers to third countries; and
  • The general technical, organisational and security measures used by the SaaS supplier.

If requested by a supervisory authority, SaaS suppliers must provide such records.

Subcontracting

SaaS suppliers will need to obtain prior written consent to the subcontracting of any data processing activities, for example using a third-party hosting centre such as AWS or Microsoft Azure. Although SaaS suppliers can include a general consent to subcontracting in the provisions of their SaaS agreements, SaaS suppliers will still be obliged to inform SaaS customers before adding or replacing any sub-processors in order to give customers time to object to a change.

Breach Notification

SaaS suppliers will be required to notify SaaS customers of any breach of their obligations, without undue delay, after becoming aware of the breach.

Data Protection Officers

SaaS suppliers will be obliged to appoint a data protection officer (DPO) in some specific circumstances: for example where the SaaS supplier is processing special data (sensitive data) or if required to do so under a Member State law.

The contact details of any DPO appointed must be published and communicated to the applicable supervisory authority.

Deletion or Return of Data

SaaS suppliers must allow SaaS customers to choose between deletion or return of all personal data on termination or expiry of the SaaS agreement (unless applicable mandatory law requires storage). SaaS customers will be entitled to check compliance with this requirement.

Transfers outside the EEA

Although SaaS suppliers are required to follow a SaaS customer’s instructions with regard to data processing, SaaS suppliers may only transfer personal data outside of the EEA if the SaaS supplier or SaaS customer has provided appropriate safeguards, for example by using EU model clauses or Binding Corporate Rules (BCRs).

Fines and Compensation

  • Data subjects will be able to take action against SaaS suppliers directly and claim damages for the SaaS supplier’s breach of any obligations under the GDPR; and
  • SaaS suppliers will be potentially liable to both the SaaS customer and data subjects for the same breach.

In addition data protection authorities will be able to fine SaaS suppliers up to 4% of annual global turnover for some breaches.

Preparing for Change

SaaS suppliers need to review the terms of their existing SaaS agreements and their internal procedures to ensure that they comply with the new rules on the use of subcontractors, data security requirements, appointment of DPOs and having in place appropriate organisational and technical measures.

SaaS suppliers should ensure that existing and future agreements with their sub-processors impose the same data processing obligations on all subcontractors, as the SaaS supplier will be liable to the SaaS customer and data subjects for any breaches of the new rules caused by any subcontractors.

SaaS suppliers should ensure that their insurance cover and indemnities and limitations on liability contained in existing SaaS agreements relating to use of personal data are sufficient to cover the higher levels of fines and direct claims for damages by data subjects.

______________________________________________________

Other related articles:

SaaS Agreements – Brexit – Amendments to Terms and Conditions

SaaS suppliers and SaaS customers are becoming increasingly concerned about the effect of “Brexit” upon the terms of their existing SaaS agreements, particularly where contracts are subject to English law or SaaS suppliers or customers are located within the UK. Below is a summary of the main issues that SaaS suppliers need to be aware of that may result in problems arising now or in the future with the terms of their existing SaaS agreements.

Territory

Where the EU or the EEA is used:

  • To define a territory in which rights are granted to the parties in a SaaS agreement, for example countries in which a SaaS reseller may resell SaaS services; or
  • As a general concept, for example in relation to the countries in which a data centre must be located;

the wording may need to be adapted to ensure that it includes or excludes the UK (as necessary).

The use of “EU” or “EEA” is of particular importance where rights are being granted for specific countries, some of which may be exclusive rights or where the applicable law depends upon the location of the SaaS customers being within or outside the EU/EEA.

Applicable Law

English law is often chosen as the applicable law in international SaaS agreements. Even after “Brexit” this position should not change as English law:

  • Will still be one of the most flexible laws with few mandatory restrictions on liability and other contractual obligations;
  • Historically forms the basis of local law in many countries worldwide; and
  • Is more similar to US laws and legal concepts than other European countries’ laws.

Force Majeure

Force majeure clauses set out special rules that apply if something beyond a party’s reasonable control affects that party’s ability to comply with its contractual obligations. Depending on how a SaaS supplier’s force majeure clause is worded, “Brexit” could be considered to be a force majeure event. In most SaaS agreements, a force majeure event entitles the non-breaching party to terminate the SaaS agreement without penalty, and this could be used by an unhappy SaaS customer looking for a reason to terminate the SaaS agreement early.

Application of existing EU based law

Some EU laws apply to the UK directly, for example: interest on late payments and compensation for the termination of commercial agents. Following a Brexit, the application of such laws and UK compliance with such laws may change depending upon the exact circumstances of the Brexit and some laws will still apply extra-territorially to the UK despite a Brexit.

Compliance with new EU based law

Prior to the UK formally leaving the EU, the EU will continue to make laws that apply in the UK, and the UK will be bound by any new laws at least until Brexit is complete. For example, the General Data Protection Regulation (GDPR) will automatically apply in the UK from the 25th of May 2018, but the UK government may then remove the GDPR from English law or adapt its terms under English law after “Brexit”.

Identifying Potential Issues

While there is currently no immediate need for SaaS suppliers to amend existing SaaS agreement terms, as the government’s “Brexit” strategy has not been finalised or published, SaaS suppliers should be aware of the issues and should now be:

  • Reviewing existing SaaS agreements to identify potential problems; and
  • Addressing problems that are identified within any new SaaS agreements or renewals of existing SaaS agreements entered into with SaaS customers in the interim.

______________________________________________________

Other related articles:

SaaS Agreements – Brexit – EU Data Transfers

EU SaaS suppliers transfer personal data within the European Economic Area (EEA) when providing SaaS services, most commonly when using hosting services provided by AWS, Microsoft Azure or Google. Under EU and local data protection laws, EU SaaS suppliers are lawfully permitted to transfer personal data of SaaS customers in the EU to any country within the EEA.

Once the UK leaves the EU, the UK will no longer be a member of the EEA. UK SaaS suppliers will no longer be lawfully permitted to continue to transfer personal data of EU SaaS customers to the UK unless the UK government, or alternatively SaaS suppliers themselves, put in place measures to make the transfer legal under EU data protection laws.

EEA Membership

The EEA consists of the EU, Norway, Liechtenstein and Iceland. It is currently unclear whether or not the UK government intends to join the EEA after leaving the EU. If the UK decides to become a member of the EEA in its own right following Brexit, then SaaS suppliers will be able to continue to transfer personal data of EU SaaS customers to the UK. However, if the UK government decides:

  • Not to join the EEA in its own right; or
  • Not to agree alternative arrangements with the EU to allow personal data to be transferred from the EU to the UK;

then SaaS suppliers will need to rely on other measures in order to lawfully continue to transfer personal data of EU SaaS customers to the UK.

Possible UK Government Actions

Adequacy

The UK may apply for an adequacy decision from the European Commission confirming that it provides adequate protection for data transfers under English law. Currently Andorra, Argentina, Canada, Faeroe Islands, Israel, Isle of Man, Jersey, Switzerland, New Zealand and Uruguay are considered as having “adequate” protection. However, it is unlikely that such a decision would be granted if the UK does not continue to comply with the General Data Protection Regulation (GDPR) after a Brexit, or changes its existing data protection laws – which are based upon an EU directive and, in due course, the GDPR.

EU-UK Privacy Shield

Another option would be for the UK to enter into an agreement with the EU similar to the EU-US Privacy Shield. The EU-US Privacy Shield (which replaced the Safe Harbor framework) permits EU entities to lawfully transfer personal data from the EU to the US. The UK could negotiate its own Privacy Shield to cover personal data transfers from the EU to the UK.

SaaS Supplier Actions

BCRs

Binding Corporate Rules (BCRs) are designed to allow multinational companies to transfer personal data from the EEA to their affiliates located outside of the EEA in compliance with EU data protection law. If the UK does not choose to become a member of the EEA after leaving the EU, then a UK based SaaS supplier will not be able to use BCRs to cover transfers outside of the EEA, unless they have another entity located within the EEA. Also BCRs only cover inter-company transfers of personal data, not transfer of data to a third party located outside of the EEA.

EU Model Clauses

EU model clauses are designed to allow EU entities to transfer personal data from the EU to entities located outside the EEA. If the UK does not choose to become a member of the EEA after leaving the EU, UK SaaS customers will need to enter into EU model clauses with SaaS suppliers in order to be able to continue to lawfully transfer personal data to UK SaaS suppliers.

How to Prepare for Change

UK SaaS suppliers should start considering specific changes that may need to be made to the data protection terms of their SaaS agreements and privacy policies in order to allow them to continue transferring personal data from the EU to the UK once the UK leaves the EU. This action should be taken now, regardless of which, if any, of the above actions the UK government decides to take to deal with the issue of data transfers from the EU after Brexit.

______________________________________________________

Other related articles:

SaaS Agreements – Reseller Agreements – Price Fixing

SaaS suppliers and SaaS resellers should be aware that price fixing is illegal under UK and EU competition law. Often SaaS resellers are not aware that the terms of their SaaS reseller agreement include price fixing clauses. For example, if the SaaS reseller agreement includes a clause on resale price maintenance (RPM), this will usually be deemed to be price fixing by the Competition and Markets Authority (CMA), which investigates breaches of competition law in the UK.

What is Price Fixing

Price fixing occurs when competitors (e.g. SaaS suppliers or SaaS resellers) agree what price they will charge SaaS customers for their SaaS services.

Price fixing occurs between a SaaS supplier and a SaaS reseller where a SaaS supplier tries to control the price at which SaaS services can be resold to SaaS customers, for example by using RPM.

What is RPM

An RPM is when a SaaS supplier controls the resale price of the SaaS services to customers, by agreeing with the SaaS reseller that the SaaS services will be resold at, or above, a particular price. RPM can be achieved directly by including this restriction in the terms of the SaaS reseller agreement.

RPM can also be achieved indirectly:

  • By including terms in the SaaS reseller agreement that restrict discounts on prices; or
  • Where financial incentives are offered to the SaaS reseller, to resell at a particular price.

RPM involves parties at different levels of the supply chain i.e. the SaaS supplier and the SaaS reseller.

Why RPM is Price Fixing

RPM is usually deemed to be “price fixing” and illegal because it prevents SaaS resellers from offering lower prices and setting their own independent prices at which they can resell SaaS services to SaaS customers.

Recent Fines

The CMA recently fined a fridge supplier £2.3 million for imposing a minimum advertised price on goods sold by a reseller because this restricted the price that goods could be advertised online by resellers. The supplier threatened to charge resellers “higher cost prices for its products” or to stop supplying products altogether if its resellers advertised fridges below the minimum price. This amounted to price fixing.

In a similar case involving a bathroom fitting company, the CMA imposed a fine of £786,000 for the use of RPMs. The supplier had threatened to penalise online resellers for not pricing its products at, or above, its recommended prices.

It should be noted that fines can be imposed on SaaS suppliers as well as SaaS resellers for breaches of competition law.

How to Avoid Price Fixing

In order to avoid direct or indirect price fixing and the risk of being fined by the CMA, SaaS suppliers should, in the terms of the SaaS reseller agreement:

  • Not dictate the price at which SaaS services can be resold, either online or through other sales channels;
  • Not include provisions that set a minimum advertised price for any sales of SaaS services;
  • Not use threats, financial incentives or take any other action, such as withholding supply or offering less favourable terms, to make SaaS resellers stick to recommended resale prices.

SaaS resellers should, in the terms of the SaaS reseller agreement:

  • Ensure that they are entitled to set the price of the SaaS services they resell to SaaS customers, regardless of whether sales are made online or through other sales channels;
  • Ensure that SaaS suppliers cannot dictate the prices at which a SaaS reseller can advertise their products online.

Consequences of Price Fixing

If a SaaS reseller has agreed with a SaaS supplier to resell SaaS services at fixed or minimum prices, both could be found to be breaking competition law. In addition to both being fined up to 10% of worldwide turnover, the SaaS supplier and SaaS reseller could also be:

  • Sued for damages;
  • Sent to prison for up to 5 years;
  • Disqualified from being a company director for up to 15 years.

______________________________________________________

Other related articles:

SaaS Agreements – Terms and Conditions – Data Processing Agreement

Under the Data Protection Act 1998 (DPA) UK SaaS suppliers currently have limited obligations to SaaS customers when processing personal data as part of their SaaS services. However, from the 25th of May 2018 the General Data Protection Regulation (GDPR) will impose many new data processing obligations on SaaS suppliers, in particular the obligation for SaaS suppliers to enter into a written data processing agreement with SaaS customers and subcontractors.

GDPR applies to UK SaaS Suppliers despite Brexit

Regardless of when and how Brexit takes place, the GDPR will apply to SaaS suppliers located within the UK, even though UK SaaS suppliers will no longer be located within the EU themselves after Brexit, if:

  • They offer goods or services to SaaS customers located within the EU (i.e. in any of the remaining 27 Member States); or
  • They monitor the behaviour of EU data subjects.

GDPR will apply to non-EU SaaS Suppliers

From the 25th of May 2018 the GDPR will automatically apply to all SaaS suppliers located outside of the EU (e.g. in the USA), even though the SaaS supplier is not located within the EU, if:

  • They offer goods or services to SaaS customers located within the EU; or
  • They monitor the behaviour of EU data subjects.

Written Data Processing Agreement

Currently a SaaS supplier must include the mandatory written obligations imposed by the DPA within the terms of the SaaS Agreement.

From May 2018 SaaS suppliers and SaaS customers will need to include detailed data processing obligations in a separate written data processing agreement.

SaaS Suppliers should be aware that they need to enter into written data processing agreements not just with all SaaS customers, but also with all entities or persons who process personal data on their behalf, such as:

  • All subcontractors, e.g. data centres and penetration testing providers;
  • All subsidiaries, e.g. those providing customer support or software maintenance and support.

Fines for Breach

From May 2018 data subjects will be able to claim damages directly from SaaS suppliers who breach:

  • Any obligations under the GDPR; or
  • Any lawful instructions of a SaaS customer.

In addition data protection authorities will be able to fine SaaS suppliers up to 4% of annual global turnover or 20m Euros (whichever is higher) for breaches of the GDPR.

Preparing for Change

To ensure compliance with the new obligations placed on SaaS suppliers (data processors) under the GDPR, SaaS suppliers should start preparing for the changes to data protection law now, by taking the following steps:

  • Review existing data protection policies and procedures for compliance with the GDPR;
  • Adapt existing privacy, security and data breach policies to comply with the new rules before the 25th of May 2018;
  • Create a written data processing agreement which reflects the above policies and which is compliant with the GDPR;
  • Review existing SaaS agreements to check limitations on liabilities and indemnities for data protection breaches;
  • Identify any subcontractors and subsidiaries who process personal data;
  • Audit compliance of subcontractors and subsidiaries with new policies and procedures; and
  • Add written data processing agreements to all existing agreements with SaaS customers, subcontractors and subsidiaries before the 25th of May 2018.


SaaS Agreements – Data Protection – TalkTalk Fine

SaaS customers and SaaS Suppliers should be aware that in October 2016 the Information Commissioner’s Office (ICO) issued a £400,000 fine against TalkTalk for serious breaches of the Data Protection Act 1998 (DPA). The fine was issued in relation to the hacking of personal data stored in a database that was accessible via the Internet.

TalkTalk Case

In 2015, a cyber-attack exploited vulnerabilities in some web pages leading to the extraction of personal data from an underlying database of customer data operated by TalkTalk. The data accessed included names, addresses, email addresses, telephone numbers and dates of birth of more than 150,000 customers and the bank account numbers and sort codes of more than 15,000 customers.

Breach of Data Protection Law

The ICO determined that TalkTalk had breached the 7th principle of the DPA as they had not taken appropriate technical and organisational measures against unauthorised or unlawful processing of personal data. Nor had TalkTalk taken appropriate technical and organisational measures against accidental loss or destruction of, or damage to, personal data.

The ICO came to this conclusion on the basis that:

  • There were minimal levels of protection of personal data in place;
  • Use of out-of-date software had allowed the database to be accessed using a basic cyber-attack; and
  • A well-known patch designed to fix this issue had been available for 3 years but had not been installed by TalkTalk.

Fine

£400,000 is the highest fine that the ICO has issued to date. Such a large fine was issued because:

  • The personal data included names, addresses, email addresses and bank account information;
  • Such data was likely to cause the individuals concerned substantial distress and would expose them to an increased risk of blagging, phishing and fraud;
  • The breach was not a one-off event (there had been previous cyber-attacks); and
  • The breach was not attributable to human error.

How to Avoid Similar Breaches

SaaS customers and SaaS suppliers should reduce the risk of having a similar fine imposed on them for breaches of the DPA by taking the following basic precautions:

  • Using current patches;
  • Checking and monitoring for potential vulnerabilities in webpages and databases;
  • Regularly reviewing security measures;
  • Staying informed about attacks to other businesses; and
  • Identifying, responding to and acting appropriately on actual and attempted cyber-attacks.

Also, SaaS customers and SaaS suppliers should bear in mind that from the 25th of May 2018 the ICO will have increased powers to issue much higher fines under the General Data Protection Regulation (GDPR) of 4% of a group’s total worldwide turnover or €20 million, whichever is higher.


SaaS Agreements – Data Protection – Amending EU Model Clauses

SaaS suppliers and SaaS customers are increasingly relying upon the use of EU model clauses to enable them to lawfully export personal data outside of the EEA following the demise of Safe Harbor and its replacement by the EU-US Privacy Shield. SaaS customers often try to amend the terms of the EU model clauses when negotiating a SaaS agreement. This can result in the EU model clauses being invalid, as they then do not provide adequate protection for the transfer of the data outside of the EEA.

SaaS suppliers should therefore be aware of the risks of agreeing to any changes to EU model clauses and understand which changes are, and are not, permitted to ensure that they are not in breach of data protection laws.

EU Model Clauses

EU model clauses are standard data processing agreements that have been approved by the EU Commission as providing adequate protection. There are currently two sets of standard contractual clauses for transfers of personal data between data controllers and one set for transfers between a data controller and a data processor.

Where personal data is transferred from:

  • A data controller in the EU (SaaS customer) to a data processor outside of the EEA (SaaS supplier); or
  • A SaaS supplier within the EU to a sub-processor located outside of the EEA;

the SaaS supplier will need to enter into EU model clauses with the SaaS customer or SaaS sub-processor, as applicable.

When EU model clauses are included in a SaaS agreement, the requirement to provide adequate protection for the data being transferred will be met and no specific consent will need to be obtained from individual data subjects.

This is a common scenario in a SaaS agreement where a SaaS customer based in the EU is accessing SaaS software provided by a SaaS supplier who uses a hosting centre in the USA or outsourced IT development centre located in India or Asia to process the SaaS customer’s personal data.

Can Model Clauses be Amended

SaaS suppliers and SaaS customers can amend EU model clauses, provided that the amendments made:

  • Are purely commercial;
  • Do not impact the protection of the personal data; and
  • Do not impact the rights of data subjects or supervisory authorities.

This is clearly set out in clause 10 of the 2010 controller to processor model clauses, which states:

  • “The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.”

And in clause VII of the 2004 controller to controller model clauses, which states:

  • “The parties may not modify these clauses except to update any information in Annex B, in which case they will inform the authority where required. This does not preclude the parties from adding additional commercial clauses where required.”

Permitted Amendments

SaaS suppliers should only agree to amendments to EU model clauses that are purely commercial in nature or which are intended to explain how some of the model clause rights should work in practice.

For example the following changes would be acceptable:

  • Limitations on liability between the SaaS customer and the SaaS supplier by reference to financial caps on liability in the terms of the SaaS agreement.
  • Giving SaaS suppliers a general consent to use sub-processors, provided that such sub-processors are bound by the requirements of the EU model clauses.
  • Including the audit process and procedures for checking compliance with the EU model clauses, i.e. via third party certification or responses to security questionnaires.

Prohibited Amendments

The following amendments cannot be made to EU model clauses and will make them invalid:

  • Any limitations on the SaaS supplier’s or SaaS customer’s liability to data subjects;
  • Removing the SaaS customer’s right to audit compliance with the EU model clauses; and
  • Restrictions on the rights of supervisory authorities to audit compliance with the EU model clauses.

Registration of Changes

In some Member States (not the UK) SaaS suppliers and SaaS customers have a mandatory obligation to obtain authorisation for changes made to EU model clauses, and there may also be an obligation to notify data protection authorities and regulators of changes made.
