Data protection issues must be adequately covered in any SaaS agreement to protect both the supplier and the customer.
Data Protection Act 1998
The Act applies to the processing of personal data, for example the name, email address, date of birth or national insurance number of any living individual. In a SaaS agreement, the customer will always be the data controller, as the customer is collecting data from its clients and deciding and controlling the purposes for which the data will be processed.
Supplier – Duties as Data Processor
The supplier is obliged to process data in accordance with the customer’s instructions and to take appropriate technical and organisational measures to protect the data. These duties must be included in the SaaS agreement, either in the data protection clauses or in a separate data processing agreement. The supplier should protect itself against liability to the customer for breaches of the Data Protection Act which arise simply because the supplier processed data in accordance with the customer’s instructions.
Customer – Duties as Data Controller
The customer must register as a data controller under the Data Protection Act if it collects personal data. Failure to register is a criminal offence.
The customer must also comply with the following 8 data protection principles:
Data must be:
- fairly and lawfully processed;
- processed for limited purposes;
- adequate, relevant and not excessive;
- kept for no longer than necessary;
- processed in accordance with the data subject’s rights;
- secure; and
- transferred outside of the EEA only if there is adequate protection in that country.
The customer will be liable to its clients whose data it collects and processes (the data subjects) for any breaches of the above principles. As the supplier will be carrying out the processing on behalf of the customer, the customer must ensure that adequate clauses are contained in the SaaS agreement to protect itself against data protection breaches caused by the supplier.
Subject Access Request
Data subjects have the right to make a subject access request to find out what personal information is being held on them and to obtain a copy of it. This information must be provided within strict time limits and at a minimal cost to the data subject. The request is made to the data controller (the customer), as the controller is obliged to respond. However, it may well be the supplier who needs to actually provide the information. The SaaS agreement needs to cover how and when such information will be released and to whom.
Data Transfers Outside of the EEA
If data is to be transferred outside of the EEA, either the specific consent of the data subject concerned must be obtained before the transfer takes place, or the non-EEA country to which the data is being transferred must have equivalent data protection legislation.
The European Economic Area means the 27 EU member states plus Norway, Iceland and Liechtenstein. Currently only Andorra, Argentina, Canada, the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey and Switzerland are recognised as countries having adequate protection. In addition companies registered under the Safe Harbor regime in the USA are also recognised.
Any transfer of data to any other country or without the data subject’s consent will be illegal.