SaaS – Data Protection and Safe Harbor issues with German Customers

If you have German SaaS customers, do not be surprised if they refuse to have their data hosted in the USA in the future, or start asking for onerous new provisions to be added to their existing SaaS agreements.

Safe Harbor is no longer adequate on its own

Due to a recent resolution issued by the German data protection authorities, additional due diligence is now required if German customer data is being exported to a US data centre.

Assessment of Safe Harbor Compliance

Prior to any data being exported, German customers may ask you to verify that the US data centre complies with the following minimum Safe Harbor requirements:

  • confirmation that the Safe Harbor registration was less than 7 years ago (if more, the certification will be invalid),
  • evidence that the US data centre complies with its Safe Harbor obligation to provide notice of the data processing to the relevant individuals,
  • documentation of the above assessment and copies of such documentation.

Extra Contractual Requirements

As this is a new requirement (only applicable to transfers from Germany to the US), it remains to be seen how German customers will try to pass these obligations on to their SaaS providers.

Customers may ask for the EU standard contractual clauses to be used in the SaaS agreement or for you to provide binding corporate rules to ensure that there is adequate protection in place.

It is likely that customers will want to carry out some form of due diligence and, if you carry this out on their behalf, they will want you to inform them of any breaches discovered when carrying out the assessment. As an extra safeguard, customers may require additional warranties and liabilities in the SaaS agreement to cover breaches of the above.

Help

Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years' experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues, contact me:

irene.bodle@bodlelaw.com
www.bodlelaw.com
