Data protection issues must be adequately covered in any SaaS agreement to protect both the SaaS supplier and the SaaS customer.
Data Protection Act 2018 and the GDPR
The Data Protection Act 2018 and the GDPR apply to the processing of personal data relating to any living individual, for example names, email addresses, dates of birth or national insurance numbers. In a SaaS agreement, the SaaS customer will always be the data controller, as the SaaS customer is collecting data from its clients and deciding and controlling the purposes for which the data will be processed.
Supplier – Duties as Data Processor
The SaaS supplier is obliged to process personal data in accordance with the SaaS customer’s instructions and to take appropriate technical and organisational measures to protect the personal data. These duties must be included in the SaaS agreement, either in the data protection clauses or in a separate data processing agreement.
In addition, since 25 May 2018 the data processor and the data controller are obliged under the GDPR to enter into a written data processing agreement containing the mandatory information set out in the GDPR.
Customer – Duties as Data Controller
The SaaS customer must register as a data controller under the Data Protection Act 2018 if it collects personal data. Failure to register is a criminal offence.
The SaaS customer must also comply with its duties set out in the GDPR, which should be included in a written data processing agreement, entered into with the SaaS supplier.
Subject Access Request
Data subjects have the right to make a subject access request to find out what personal information is being held on them and to obtain a copy of it. This information must be provided within strict time limits and at no cost to the data subject. The request is made to the data controller (the SaaS customer), as the controller is obliged to respond. However, it may well be the SaaS supplier who needs to actually provide the information. The SaaS agreement needs to cover how and when such information will be released and to whom.
Data Transfers Outside of the EEA
If data is to be transferred outside of the EEA, either the specific consent of the data subject concerned must be obtained before the transfer takes place, or the transfer is permitted because the non-EEA country to which the data is being transferred has equivalent adequate data protection legislation.
The European Economic Area means the 28 EU member states plus Norway, Iceland and Liechtenstein. Currently only Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and Japan are recognised as countries having adequate protection. In addition, companies in the USA registered under the EU-US Privacy Shield are also recognised.
Any transfer of personal data to any other country, or any transfer made without the data subject’s consent, will be illegal.