SaaS Agreements – GDPR – Local Derogations

The General Data Protection Regulation (“GDPR”) now applies to all SaaS customers and SaaS companies collecting or processing the personal data of individuals located within the EU. SaaS suppliers and SaaS customers must comply with the terms of the GDPR. SaaS suppliers and SaaS customers should be aware, however, that the GDPR does not fully harmonise data protection law throughout the EU, as each EU country may introduce its own requirements in certain instances (“derogations”) under its own local data protection laws. SaaS suppliers and SaaS customers who operate in, or collect or process personal data from persons located in, different EU countries therefore need to be aware of the different data protection laws in force in each EU country from which they collect or process the data of individuals located there.

Derogations

To date, only a few EU countries have enacted their own local data protection law setting out additional rules and derogations from the GDPR. For example, in the UK the provisions of the Data Protection Act 2018 (“DPA”) apply in addition to the GDPR and include many derogations from the GDPR.

Many EU countries have not yet passed their own local data protection law setting out derogations, although most plan to. SaaS suppliers and SaaS customers must keep up to date on changes that are made to local national data protection laws in each EU country over the next few months.

Current Local Data Protection Laws

Currently the following 8 EU countries have enacted additional, or amended their existing, local data protection laws setting out the derogations from the GDPR applicable in each country:

  • UK
  • Austria
  • Germany
  • Ireland
  • Croatia
  • Netherlands
  • Poland
  • Slovakia

Greece is the only EU country which has confirmed that it will not derogate from the GDPR.

Draft Local Data Protection Laws

Currently the following EU countries have proposed an additional local data protection law setting out the exact derogations from the GDPR applicable in that country:

  • Belgium
  • Bulgaria
  • Cyprus
  • Czech Republic
  • Denmark
  • Estonia
  • Finland
  • France
  • Hungary
  • Italy
  • Latvia
  • Lithuania
  • Luxemburg
  • Malta
  • Portugal
  • Romania
  • Slovenia
  • Spain
  • Sweden

Summary

Where SaaS suppliers or SaaS customers are collecting or processing the personal data of individuals within the EU, they will need to regularly check the rules for each EU country in which they are collecting or processing personal data. Technical and legal measures will need to be implemented and updated to ensure that the local derogations from the GDPR are complied with in each applicable EU country. This will apply not only to EU SaaS suppliers and SaaS customers, but also to any entity located outside the EU which collects or processes the personal data of persons located within the EU.

Help

Irene Bodle is an IT lawyer specialising in SaaS agreements with over 14 years’ experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:

irene.bodle@bodlelaw.com
www.bodlelaw.com

To register for my newsletter click here

______________________________________________________

SaaS Agreements – GDPR – Data Processing Agreement

Since the General Data Protection Regulation (GDPR) came into force on the 25th of May 2018, SaaS suppliers and SaaS customers are legally obliged to include a written data processing agreement (DPA) in the terms of their SaaS agreements. The DPA usually forms a schedule to the SaaS agreement and must include the specific and detailed mandatory obligations set out in the GDPR. SaaS suppliers should use their own DPA and resist any attempt by a SaaS customer to have them sign up to the SaaS customer’s DPA for the following reasons.

Mandatory Terms

Although the GDPR clearly sets out that the DPA should include all data processor and data controller obligations, many DPAs provided by SaaS customers do not include:

  • All mandatory obligations required under the GDPR; and
  • Any data controller (SaaS customer) obligations at all.

Additional Obligations

Many SaaS customer DPAs seek to impose additional or far more onerous obligations on SaaS suppliers than are required under the GDPR. For example, under the GDPR a SaaS supplier has to report a data breach without undue delay, but SaaS customers will often try to impose an obligation to report immediately or within 24 hours.

Liabilities and Indemnities

SaaS customers often add unlimited liabilities and indemnities to the DPA that only apply to the SaaS supplier, retaining their own limited liability for any breaches. Any limitations on liability included in the SaaS agreement should also apply to breaches of the DPA, particularly in light of the high fines (20 million Euros or 4% of annual worldwide turnover) that can be imposed for a breach of the GDPR.

Security Policy

It is mandatory to set out the technical and administrative security provisions that the SaaS supplier has in place to protect personal data. As the SaaS customer cannot know what security provisions the SaaS supplier and its sub-contractors (i.e. the data centre) have in place, it is entirely unrealistic for the SaaS customer to dictate what these should be, as they will not reflect the actual practices adopted by the SaaS supplier and its sub-contractors. The SaaS supplier should therefore always provide these details.

Applicable Data Protection Law

The DPA should refer to the GDPR and for UK SaaS suppliers, the Data Protection Act 2018. References to the EU Data Protection Directive are now obsolete (unless they refer to amendments or replacement legislation) and should be updated.

Providing Assistance

Many SaaS customer DPAs contain onerous and wide ranging obligations on SaaS suppliers to assist with audits, DPIAs, data subject requests and return and deletion of data which go far beyond the SaaS supplier’s obligations set out in the GDPR. These clauses should be carefully reviewed and amended to reflect the mandatory obligations of the SaaS supplier under the GDPR and should include provisions for a SaaS supplier to be paid for providing assistance.

Subcontractors

Any exclusion on the use of subcontractors should be removed from the DPA, as all SaaS suppliers use subcontractors due to the nature of cloud computing: every SaaS supplier uses a data centre. The provisions on how and when subcontractors can be used, and in which jurisdictions, should be carefully drafted to ensure that they permit the actual practices of the SaaS supplier in providing the SaaS services.

Controller or Processor DPA

To avoid the above issues, SaaS suppliers should:

  • Draft their own GDPR compliant DPAs;
  • Send existing SaaS customers their DPA for inclusion in the existing SaaS agreement without delay;
  • Include their own DPA in their current SaaS agreements as a schedule for new SaaS customers.

Where a SaaS supplier agrees to use a SaaS customer’s DPA the SaaS supplier should have the terms of the DPA checked by a lawyer who will be able to:

  • Identify which obligations are not mandatory under the GDPR;
  • Identify which obligations of either party are missing;
  • Adapt the terms to protect the interests of the SaaS supplier in compliance with the requirements of the GDPR.

______________________________________________________

SaaS Agreements – GDPR – Data Protection Act 2018

The UK Data Protection Act 2018 (“DPA”) came into force on the 25th of May 2018. The DPA replaces the Data Protection Act 1998 in its entirety and applies the standards of the General Data Protection Regulation (GDPR), whilst also attempting to prepare UK data protection law for Brexit. SaaS customers and SaaS suppliers should familiarise themselves with the terms of the DPA in addition to the provisions of the GDPR, as both apply. The DPA also includes a number of derogations from the GDPR.

Derogations

Each of the 28 EU member states is permitted to derogate from some of the provisions of the GDPR by enacting their own local data protection laws. SaaS customers and SaaS suppliers will need to be aware of the additional or differing rules in each of the EU countries in which they collect or process personal data.

Below is a summary of the main derogations in the UK that SaaS suppliers and SaaS customers should be aware of.

Age of Consent

Under the GDPR personal data cannot be collected from children under the age of 16 without obtaining parental consent. The DPA has lowered the age of consent to 13 years of age in the UK. This means that SaaS customers may collect personal data from children from the age of 13 without the need to obtain parental consent. However, SaaS customers and SaaS suppliers should be aware that this derogation only applies in the UK. When collecting and processing personal data from children in other countries within the EU, SaaS suppliers and SaaS customers will need to bear in mind that:

  • The GDPR restriction of 16 may apply; or
  • Other EU countries may have set a different age of consent.

Right to be Forgotten

Under the GDPR data subjects have the right to be forgotten. The DPA restricts a data subject’s right to access and delete data where there is a strong public policy justification, for example, national security.

Health Data

The DPA includes exceptions to the need to obtain consent from a data subject when processing medical information. Where the derogation applies, there will be no need to obtain advance consent from the data subject. SaaS suppliers and SaaS customers may process personal data concerning health for the purpose of insurance and pension policies.

Automated Processing/Profiling

The GDPR includes the right for a data subject to prevent processing based on automated decision making. The DPA includes exemptions, for example for credit reference checking. However, data subjects must still be permitted to object to decisions made by automated means.

Criminal Convictions and Offences Data

Under the DPA, bodies other than public authorities will be lawfully permitted to process criminal convictions and offences data. For example, employers will be allowed to process criminal convictions data as part of their pre-employment checks and insurers can process criminal convictions data for anti-fraud purposes.

Criminal Offences

The DPA creates two new criminal offences for:

  • Intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data, or knowingly handling or processing such data; and
  • A SaaS supplier or SaaS customer altering records with the intent of preventing disclosure under a subject access request.

Ensuring compliance

SaaS suppliers and SaaS customers should check that their privacy policies and data processing agreements reflect the UK derogations and that data processing activities reflect the obligations set out in such policies and agreements. Additionally, SaaS customers and SaaS suppliers must ensure that they also comply with other applicable laws which apply to the particular industry in which they operate, as such laws may impose mandatory additional responsibilities in relation to the age of consent, duration of storage and obligations to delete personal data.

______________________________________________________

SaaS Agreements – GDPR – Age of Consent

The General Data Protection Regulation (“GDPR”) and the new Data Protection Act 2018 (“DPA”) now apply in the UK. SaaS suppliers and SaaS customers must comply with the terms of both the GDPR and the DPA. SaaS suppliers and SaaS customers should be aware that the GDPR does not fully harmonise data protection law throughout the EU, as each EU country may introduce its own requirements in certain instances (“derogations”). SaaS suppliers and SaaS customers who operate in, or collect or process personal data from persons located in, different EU countries need to be aware of the different rules in each EU country.

One example of a derogation is the age of consent which will be discussed in detail below.

Age of Consent

Under the GDPR the default age for obtaining parental consent to the processing of personal data of children using online services is 16. Each EU country can derogate from this general rule and lower the age of consent to 13.

Derogations

To date, only a few EU countries have enacted their own local data protection law setting out such a derogation to the age of consent. For example, in the UK the DPA states that the age of consent for children is 13.  In Germany the new data protection law (“BDSG”) does not derogate from the GDPR age of consent which remains at the default age of 16.

Many EU countries have not yet passed their own local data protection law setting out derogations, so the position on the age of consent in such countries is currently the default of 16, but this may change when each country passes its own local data protection law.

Current Local Variations

Currently the following EU countries have either lowered the age of consent in their local data protection law or have indicated that they will do so:

  • 13 years of age – UK, Belgium, Czech Republic, Denmark, Estonia, Portugal, Spain, Sweden
  • 14 years of age – Bulgaria
  • 13 or 15 years of age – Finland
  • 15 years of age – France, Slovenia

Parental Consent

Where SaaS suppliers or SaaS customers are collecting or processing the personal data of children, they will need to regularly check the rules for each country in which they are collecting or processing the personal data of children. Technical and legal measures will need to be implemented and updated to ensure that the local rules on parental consent are complied with in each applicable EU country. This will apply not only to EU SaaS suppliers and SaaS customers, but any entity located outside of the EU which collects or processes the personal data of children located within the EU.

______________________________________________________

SaaS Agreements – Brexit – EU Data Transfers to the UK after Brexit

Under EU and UK data protection laws, UK SaaS suppliers are lawfully permitted to transfer personal data of SaaS customers located in the EU to any country within the EEA. From the 30th of March 2019, when the UK leaves the EU (“Brexit Date”), the UK will no longer be part of the EEA and will become a “third country” for data protection purposes, like the USA.

The EU Commission recently confirmed in a Notice that on the Brexit Date, UK based SaaS suppliers can no longer lawfully transfer personal data of SaaS customers located in the EU (i.e. in France, Germany, Spain etc.) to the UK, unless SaaS suppliers have in place appropriate protection measures to make the transfer legal under the GDPR.

EEA Data Transfers

The EEA is the EU, Norway, Liechtenstein and Iceland. If the UK decides to become a member of the EEA in its own right following Brexit, UK SaaS suppliers would be able to continue to transfer personal data of SaaS customers located in the EU to the UK. However, the UK government has indicated that it does not intend to join the EEA after leaving the EU. This means that prior to the Brexit Date the UK government must agree alternative arrangements with the EU to allow personal data to be transferred from the EU to the UK, or SaaS suppliers themselves will need to put alternative arrangements in place from the Brexit Date.

Alternative Arrangements

The alternative arrangements that could be used by UK SaaS suppliers are currently:

  • Standard model clauses;
  • Binding Corporate Rules;
  • Approved certification measures; or
  • Consent from data subjects.

Standard Model Clauses

Standard model clauses are designed to allow EU SaaS customers to transfer personal data from the EU to SaaS suppliers located outside the EEA. If the UK is not a member of the EEA after leaving the EU, SaaS customers located in the EU will need to enter into EU model clauses with UK SaaS suppliers in order to continue to transfer personal data to UK SaaS suppliers.

BCRs

Binding Corporate Rules (BCRs) are designed to allow multinational companies to transfer personal data from the EEA to their affiliates located outside of the EEA in compliance with EU data protection law. If the UK is not a member of the EEA after leaving the EU, then a UK based SaaS customer will not be able to use BCRs to cover transfers outside of the EEA to a data processor, unless the SaaS customer has another entity located within the EEA. In any event, BCRs only cover inter-company transfers of personal data, not transfers of data by a SaaS customer to a third party SaaS supplier located outside of the EEA.

Approved Certification Measures

The UK government could apply for an adequacy decision from the European Commission certifying that it provides adequate protection for data transfers under English law. Currently Andorra, Argentina, Canada, Faeroe Islands, Israel, Isle of Man, Jersey, Switzerland, New Zealand and Uruguay are considered as having “adequate” protection. However, it is unlikely that such a decision would be granted if the UK:

  • Does not continue to comply with the General Data Protection Regulation (GDPR) after the Brexit Date; or
  • Changes its existing data protection laws – which are based upon an EU directive and, from the 25th of May 2018, the GDPR.

In any event an adequacy decision would not be approved by the European Commission prior to the Brexit Date.

EU-UK Privacy Shield

Another option would be for the UK to enter into an agreement with the EU similar to the EU-US Privacy Shield. The EU-US Privacy Shield (which replaced the Safe Harbor framework) permits EU entities to lawfully transfer personal data from the EU to the US. The UK could negotiate its own privacy shield to cover personal data transfers from the EU to the UK. Again, it is unlikely that a UK-EU privacy shield would be negotiated, or finalised, prior to the Brexit Date.

Consent

Another method of compliance is to obtain specific consent from each data subject before the transfer to the UK takes place. If the data subject consents to the transfer outside of the EEA, the transfer to the UK SaaS supplier will be in compliance with EU data protection law. Consent is usually obtained by having a data subject agree to the transfer of its personal data outside of the EEA and full details about the transfer itself should be set out in the privacy policy of the SaaS customer and the SaaS supplier.

How to Prepare for Change

UK SaaS suppliers should start considering the specific changes that may need to be made to the data protection terms of their SaaS agreements and privacy policies in order to allow them to continue transferring personal data from the EU to the UK once the UK leaves the EU on the Brexit Date. This action should be taken now, regardless of which, if any, of the above actions the UK government decides to take, in order to ensure that data transfers from the EU can continue to take place from the Brexit Date.

______________________________________________________

SaaS Agreements – GDPR – US Companies

From the 25th of May 2018 the EU General Data Protection Regulation (GDPR) will come into force and change existing UK data protection laws. The GDPR does not just apply to SaaS suppliers and SaaS customers located in the EU. The GDPR also applies outside the EU, i.e. to SaaS suppliers and SaaS customers located in the USA and other non-EU countries.

GDPR Applies to US SaaS Customers and SaaS Suppliers

The GDPR will apply to SaaS suppliers and SaaS customers located in the USA, even though they are not located within the EU, if:

  • They offer goods or services to SaaS customers located within the EU; or
  • They monitor the behaviour of EU data subjects.

US SaaS suppliers and US SaaS customers must therefore comply with the provisions of the GDPR from the 25th of May 2018.

Offering Goods or Services

In order for a US SaaS customer or supplier to be deemed to be offering SaaS goods or services it must be clear that the US company envisages offering SaaS goods or services to data subjects in one or more EU countries. This will be determined by looking at:

  • The use of any country specific domain names, e.g. co.uk;
  • The languages in which goods or services are offered, e.g. French;
  • The currencies in which goods or services are offered e.g. Euros.

Monitoring Behaviour of EU Data Subjects

A US SaaS customer or supplier will be deemed to be monitoring the behaviour of EU data subjects if it tracks individuals on the Internet for profiling purposes, e.g. through the use of cookies.

Fines for Non-compliance

Data subjects will be able to claim damages directly from SaaS suppliers or SaaS customers who breach any obligations under the GDPR.

In addition data protection authorities will be able to fine SaaS suppliers and/or SaaS customers up to 4% of annual global turnover or 20m Euros (whichever is higher) for breaches of the GDPR.

How to Comply

US SaaS customers and SaaS suppliers need to take the following actions to comply with the GDPR by the 25th of May 2018:

  • Identify what personal data of data subjects located in the EU they collect/process;
  • Review and amend SaaS agreement terms for compliance with the GDPR;
  • Create GDPR compliant data processing agreements (DPA);
  • Amend existing privacy policies to comply with the GDPR;
  • Implement the security, technical and administrative changes required to comply with the GDPR and set out in the above legal documentation.

NB: US SaaS customers or SaaS suppliers who do not, or cannot, comply with the GDPR should enact measures to prevent orders being placed on their websites by EU data subjects.

______________________________________________________

SaaS Agreements – GDPR – The General Data Protection Regulation

The General Data Protection Regulation (GDPR) has now replaced the existing EU Data Protection Directive in an aim to harmonise European data protection law. In the UK the GDPR and the Data Protection Act 2018 (DPA) replaced the Data Protection Act 1998 on the 25th of May 2018. These changes in data protection law will have a significant effect on both SaaS suppliers and SaaS customers who must comply with both the terms of the GDPR and the DPA. Below is a summary of the main provisions of the GDPR that SaaS suppliers and customers need to be aware of.

Brexit

The GDPR will continue to apply in the UK after any future Brexit.

SaaS Agreement Terms

SaaS suppliers and SaaS customers must ensure that all contractual documents that involve data processing, such as SaaS agreements, privacy policies and hosting and support agreements comply with the new rules under the GDPR and the DPA.

Harmonisation

SaaS suppliers and SaaS customers should be aware that the GDPR does not fully harmonise data protection law throughout Europe. Each EU country may introduce their own requirements in certain instances under the various derogations permitted under the GDPR.

New Data Processor Obligations

The GDPR applies to data controllers (SaaS customers) and data processors (SaaS suppliers) and in particular SaaS suppliers should be aware that some GDPR obligations apply directly to data processors who are now subject to compliance obligations and sanctions for non-compliance.

Consent

SaaS suppliers and SaaS customers relying on consent to process personal data will need to show that the consent is:

  • freely given;
  • specific and informed; and
  • an “unambiguous indication” of a data subject’s wishes and expressed either by a statement or a clear affirmative action (i.e. ticking a consent box when visiting a website).

Consent must be purpose limited, i.e. related to explicitly specified purposes.

The default age for giving valid consent and using online services is 16, however each EU country will be able to reduce this to 13, if they wish to. The UK has already included this derogation in the DPA.

Penalties

The maximum penalty for a breach of the GDPR will be substantially higher than under current legislation. Fines can be imposed on SaaS suppliers or SaaS customers. Fines of up to 4% of annual global turnover or up to 20m Euros (whichever is higher) can be applied.

Applicable to Non-EU Entities

The GDPR will apply not just to EU SaaS customers and suppliers but also to non-EU SaaS customers and suppliers who:

  • offer goods or services to data subjects in the EU; or
  • monitor the behaviour of EU citizens to the extent that the behaviour takes place in the EU.

Enforcement – One Stop Shop

SaaS suppliers and SaaS customers will be regulated by a single regulator in the place of their main establishment, which shall be their main administrative location in the EU. Data subjects will be able to make complaints to regulators in their own EU country.

Data Protection Officer

An independent data protection officer (“DPO”) must be appointed where an organisation’s core business involves processing personal data involving regular and systematic monitoring of data subjects or large amounts of sensitive personal data. Each EU country may enact national provisions imposing further requirements regarding the appointment of DPOs. This will be particularly relevant in Germany where this is already a legal requirement.

Notification

There is no requirement for a SaaS supplier or SaaS customer to notify local data protection authorities of any data processing activities but there is a requirement to keep records of data processing activities (subject to limited exceptions).

Breach Reporting

SaaS customers and SaaS suppliers must report breaches to the relevant local regulator without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Data subjects must be informed of breaches without undue delay where the breach is likely to result in a high risk to the data subject’s rights and freedoms unless:

  • the data has been rendered unintelligible to any third party (for example by encryption);
  • the data controller has taken steps to ensure the high risk is unlikely to materialise; or
  • it would involve disproportionate effort to inform data subjects individually, in which case a public announcement can be made.

Data processors (SaaS suppliers) are required to inform data controllers (SaaS customers) of any breach without undue delay.

Impact Assessments

SaaS customers will be required to carry out data protection impact assessments (“DPIAs”) if their proposed activities are likely to result in a high risk for the rights and freedoms of individuals, in particular, through the use of new technologies and in cases of profiling.

Data Subject Rights

The following rights shall be granted to data subjects:

  • data portability;
  • the right to be forgotten;
  • the right to prevent profiling;
  • the right to object to processing;
  • the right to rectification and erasure;
  • subject access requests (“SARs”).

SARs must be responded to by the data controller (SaaS customer) without undue delay and, at the latest, within one month of receipt of the request. The data controller only has the right to charge a reasonable fee to cover administrative costs where the requests are “manifestly unfounded or excessive”.

Compliance

Now the GDPR is in force, it is essential that SaaS customers and SaaS suppliers comply with its terms, for example by:

  • Including written data processing agreements in existing SaaS agreements and future SaaS agreements with relevant customers;
  • Ensuring that privacy policies comply with the GDPR rules;
  • Appointing a data protection officer (where appropriate);
  • Using a documentation system for recording data processing activities;
  • Being able to show how and when any consents have been obtained from data subjects.

______________________________________________________

SaaS Agreements – GDPR – New German Data Protection Law (BDSG)

The General Data Protection Regulation (GDPR) will replace the existing EU Data Protection Directive and aims to harmonise European data protection law from the 25th of May 2018. In Germany, the Government has already amended the existing German Data Protection Act (BDSG) and from the 25th of May 2018 the New German Data Protection Act (New BDSG) and the GDPR will apply together in Germany.

Compliance with the New BDSG

Both SaaS suppliers and SaaS customers who provide services to German clients or who collect or process personal data of German data subjects on behalf of international SaaS clients, will need to comply with the terms of the New BDSG in addition to the terms of the GDPR. The New BDSG sets out derogations from certain parts of the GDPR and additional obligations. Below is a summary of the main derogations and additional obligations that SaaS suppliers and SaaS customers should be aware of.

Data Protection Officer

In addition to the obligation to appoint a data protection officer in certain circumstances under the GDPR, the New BDSG imposes additional circumstances in which a data protection officer must be appointed:

  • By any business with 10 or more employees permanently processing personal data;
  • Where data controllers are required to carry out privacy impact assessments;
  • Where data controllers process personal data in a commercial context for the purpose of transfer (whether or not the data is anonymised).

Sensitive Data

Sensitive data is referred to in the GDPR as special categories of personal data (Sensitive Data). Sensitive Data is personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or genetic data, biometric data, data concerning health, or data concerning a natural person’s sex life or sexual orientation. The GDPR only allows processing of Sensitive Data where specific exceptions apply. The New BDSG extends the scope of the exceptions.

Employee Data

Employee data protection rules under the New BDSG generally correspond to the existing rules under the BDSG, with some changes. For example, any collective agreement (an agreement between a company and its works council) which allows the company to process employee data must comply with the GDPR obligation to ensure that the employee’s human dignity, legitimate interests and fundamental rights are properly safeguarded.

Dealing with Derogations

Each of the 27 EU member states is permitted to derogate from some of the provisions of the GDPR. SaaS customers and SaaS suppliers who collect or process personal data from data subjects located in Germany need to be aware of such additional or differing rules in Germany and/or any other EU countries in which they collect or process personal data.

SaaS suppliers and SaaS customers should ensure that their privacy policies and data processing agreements reflect these differences and that data processing activities reflect the obligations set out in such policies and agreements. SaaS customers and SaaS suppliers must also ensure that they comply with other applicable laws which apply to the particular industry in which they operate, as such laws may impose mandatory additional responsibilities in relation to personal data.

Help

Irene Bodle is an IT lawyer specialising in SaaS, with over 14 years experience dealing with SaaS, cloud computing matters and IT law issues. If you require assistance with any SaaS agreements, cloud computing matters or any other IT legal issues please contact me at:

irene.bodle@bodlelaw.com
www.bodlelaw.com

To register for my newsletter click here

______________________________________________________

SaaS Agreement – FAQs – What is a SLA and Essential Terms to include in a SLA

SLA is the abbreviation for a service level agreement.

Is a SLA a Software Licence

No. A service level agreement (SLA) sets out the SaaS services being provided in addition to the right to use the SaaS software.

What is a SLA

A SLA forms part of a SaaS agreement. The SLA can be contained in a separate schedule to the SaaS agreement, or included in the main terms and conditions of the SaaS agreement. SLAs set out:

How much Detail

It is advisable for a SaaS supplier to provide some degree of detail in the SLA to avoid spending unnecessary time negotiating the addition of further details requested by SaaS customers.

The degree of detail included in the SLA will depend upon:

  • How much a SaaS customer pays for the SaaS software and services;
  • Whether the SaaS software is business critical, e.g. online banking;
  • What is standard in that particular business sector.

Terms to Include

SLAs should generally contain the following provisions, where appropriate:

  • Guaranteed availability of the services and software;
  • Timing of and prior notice of maintenance;
  • Description of the security provisions at the hosting centre and the technical infrastructure;
  • Problem response and resolution times;
  • Customer support description and support hours;
  • Provision of service availability reports;
  • Backup of customer data;
  • Security and disaster recovery provisions;
  • Right to terminate for breaches of the SLA;
  • Service credits for breaches of the SLA.

Advantages of having a SLA

If SaaS suppliers do not have their own SLA, customers will often try to impose their own SLA on the supplier which does not “fit” the SaaS services being provided. This can lead to protracted negotiations about the content of the SLA.

Summary

Due to the unique nature of SaaS, and in particular the use of SLAs, you should seek specialist legal advice on the content of a SLA, whether you are a SaaS supplier or a SaaS customer, to ensure that your rights are adequately protected.


SaaS Agreements – FAQs – What is SaaS and Essential Terms to include in a SaaS Agreement

SaaS is the abbreviation for “software as a service”. You may know this under another name, for example subscription agreement, software on demand, software subscription agreement, cloud computing or ASP services (application service provider). These names all refer to the same thing – software being made available via the Internet to users.

What is a SaaS Agreement

A SaaS agreement is simply the name used for the agreement between a SaaS supplier and a SaaS customer which sets out the terms under which SaaS software may be accessed. This will usually include a service level agreement (SLA).

Differences between a SaaS Agreement and a Standard Software Licence

A SaaS agreement differs from a standard software licence in that:

  • The SaaS customer will not usually receive a physical or installed copy of the software;
  • No ownership in the SaaS software will be transferred to the SaaS customer;
  • The SaaS customer’s right to use SaaS software will end upon termination of the SaaS agreement.

Essential Terms to Include in a SaaS Agreement

The following legal issues should be included in any SaaS agreement, whether you are a SaaS supplier or a SaaS customer.

Software Licence

Access to the SaaS software should be limited to the term of the SaaS agreement. Once the SaaS agreement expires or terminates the software licence should automatically terminate.

If the SaaS customer is a global entity, you should specify:

  • Which companies or entities may access the SaaS software;
  • In which territories the software may be used;
  • The number of authorised users;
  • The specific purposes for which the SaaS software may be accessed; and
  • Any third parties who will be permitted access to the SaaS software, e.g. outsourcing providers or clients of the SaaS customer.

Intellectual Property Rights – IPR

The SaaS supplier should retain ownership of all IPR in the SaaS software and services it provides. The SaaS customer should retain ownership of all IPR in its systems, content and data. You should specifically state that the source code remains owned by the SaaS supplier. The SaaS customer should grant the SaaS supplier the right to use its IPRs for the term of the SaaS agreement, e.g. to display the SaaS customer’s logos and copyrighted information.

Applicable Law, Jurisdiction & Language

State which law applies to the SaaS agreement and any disputes arising from it. In international SaaS agreements make sure that you specify in which language the dispute will be dealt with, and if the SaaS agreement is in more than one language, which language prevails if there is a discrepancy between the two versions.

Return of Data

At the end of the SaaS agreement the SaaS customer’s data should be returned. The format in which the data is to be returned and payment for this service should be agreed in advance. Additionally the parties can agree that the SaaS supplier will provide assistance in transferring SaaS customer data to a new supplier – in return for payment for this service.

Data Protection

The SaaS supplier is the data processor and the SaaS customer is the data controller. Under data protection law different rules apply to the data controller and the data processor. The SaaS supplier is obliged to process data in accordance with the SaaS customer’s instructions and should protect itself against claims from third parties that such processing was illegal. Likewise, the SaaS customer will also need to protect itself against claims from third parties caused by the SaaS supplier not processing data in accordance with its instructions or the terms of the SaaS agreement.

From May 2018 each party’s data protection obligations must be set out in a written data processing agreement, which should form a schedule to the SaaS agreement.

Service Level Agreement (SLA)

This sets out the hosting, support and maintenance services being provided to the SaaS customer by the SaaS supplier. The SLA should specify where the data centre is located, who is operating it, and what security, backup and disaster recovery procedures are in place. Support hours and support services for dealing with hosting problems and software problems should be identified and documented, and the procedure for dealing with upgrades and maintenance to the software should be specified. The particular details will depend on the amount being paid for the hosting, support and maintenance and the purpose for which the SaaS software is being used.

Summary

Due to the unique nature of SaaS agreements you will need to seek specialist legal advice on the content of a SaaS agreement whether you are a SaaS supplier or a SaaS customer to ensure that your rights are adequately protected and that you are fully complying with all applicable laws.
