SaaS Agreements – Data Protection – Privacy Shield Update

The Privacy Shield now replaces the Safe Harbor scheme. The rules under the Privacy Shield are similar to the rules under the Safe Harbor scheme, in that SaaS customers and SaaS suppliers need to self-certify their compliance with the principles of the Privacy Shield.

The following core principles must be adhered to.

Core Principles

  • Notice must be given to data subjects about specific issues;
  • Choice to opt out of disclosure of personal data to third parties;
  • Accountability for onward transfer of personal data to third parties;
  • Implement reasonable and appropriate security measures to protect personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction;
  • Personal data must be reliable, accurate, complete and up to date;
  • Individuals must be able to access personal data and have it corrected, amended or deleted;
  • Independent mechanisms for dealing with complaints free of charge must be in place.

Applying for Certification

  • Draft a privacy statement which complies with the notice requirements;
  • Maintain appropriate documentation to demonstrate their compliance with the above Privacy Shield principles;
  • Amend existing agreements that involve personal data transfers to ensure compliance with the principles;
  • Train staff and introduce internal guidelines and processes to ensure compliance with the principles.
  • Ensure on-going compliance with the principles of the Privacy Shield.

Validity of the Privacy Shield

It is very likely that in the near future there will be challenges to the adequacy of the Privacy Shield (on a similar basis to the challenges that lead to the invalidity of Safe Harbor) either :

  • By a German Data Protection Authority; or
  • An individual at the European Union Court of Justice (CJEU).

SaaS suppliers and SaaS customers should be aware of the limitations of the Privacy Shield in the long term when considering investing substantial resources and time in complying with and applying for registration under the Privacy Shield.


When deciding whether or not to apply for certification under the Privacy Shield SaaS customers and SaaS suppliers should consider alternative options, which are currently the use of EU Model Clauses or binding corporate rules (BCRs).

EU Model Clauses

EU model clauses are standard data processing agreements that have been approved by the EU Commission as providing adequate protection. There are currently two sets of standard contractual clauses for transfers of personal data between data controllers and one set for transfers between a data controller and a data processor. EU model clauses must be used unamended (other than where specific details may be added, as set out in the notes to the clauses).

Where personal data is transferred from:

  • A data controller in the EU (SaaS customer) to a data processor outside of the EEA (SaaS supplier); or
  • A SaaS supplier within the EU to a sub-processor located outside of the EEA;

the SaaS supplier will need to enter into EU model clauses with the SaaS customer or SaaS sub-processor, as applicable.


BCRs are a set of rules adopted within a particular company or corporate group that set out legally binding obligations in relation to data processing within a company or group which cover global data transfers of personal data. BCRs include amongst other matters, details of:

  • Data protection policies;
  • Commitments to data protection training;
  • Data protection audits.

BCRs must be approved by a lead national data protection authority (DPA), typically determined by the location of the European headquarters of a SaaS supplier. Once the lead national DPA approves the BCRs they are then responsible for coordinating approval of the BCRs with all other DPAs across Europe.


When deciding which option to use to facilitate the lawful transfer of personal data from the EU to the USA, SaaS suppliers and SaaS customers need to take into account their specific circumstances in order to determine the best method to use, as use of the Privacy Shield may not be the right long term solution for many SaaS suppliers and SaaS customers who previously relied upon Safe Harbor.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:

To register for my newsletter click here


Other related articles: