FAQs – Sub-Processor Lists – Transfer Mechanisms

SaaS suppliers and SaaS customers can only lawfully transfer personal data to sub-processors located outside of the UK, Switzerland or the EEA (make a restricted transfer) if a recognised transfer mechanism is in place to protect the personal data being transferred.

Transfer Mechanisms

Currently the only transfer mechanisms are:

  • Adequacy (EU Adequacy Decisions, including the DPF);
  • EU Standard Contractual Clauses (EU SCCs);
  • UK Standard Contractual Clauses (UK SCCs);
  • Binding Corporate Rules (BCRs).

If none of the above transfer mechanisms are used, no restricted transfer of personal data can be lawfully made.

Adequacy

The European Commission has currently awarded Adequacy Decisions to the following countries:

Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, the United States (commercial organisations participating in the EU-US Data Privacy Framework) and Uruguay.

A full list can be found on the European Commission website – Adequacy Decisions.

Data Privacy Framework (DPF)

The DPF is an opt-in certification scheme that can be used with sub-processors located in the USA to enable restricted transfers of personal data to be lawfully made to the USA. The DPF has been in force since the 10th of July 2024, and US entities can apply to be certified on the DPF website. Once a US organisation has been certified and is publicly placed on the DPF List, it can receive EU personal data relying upon the DPF.

EU + UK SCCs

EU standard contractual clauses are a set of standard clauses that have been approved by the EU Commission as providing adequate protection when used to transfer EU personal data from the EU to a third country located outside of the EEA. Up until June 2021 there were two sets of standard contractual clauses that could be used for transfers of personal data between data controllers, and one set for transfers between a data controller and a data processor (old EU SCCs). There were no clauses for transfers between data processors.

In June 2021 the EU Commission replaced the old EU SCCs with one new set of standard contractual clauses (new EU SCCs), covering 4 different types of data transfer in one document, in 4 different modules:

  • Module 1: covers transfers from a data controller (SaaS supplier) to a data controller outside of the EEA (third party);
  • Module 2: covers transfers from a data controller (SaaS customer) to a data processor outside of the EEA (SaaS supplier);
  • Module 3: covers transfers from a data processor (SaaS supplier) to a data processor outside of the EEA (sub-processor); and
  • Module 4: covers transfers from a data processor (SaaS supplier) to a data controller (third party) outside of the EEA.

It is important to be aware that when EU SCCs are relied upon as a data transfer mechanism, a data transfer assessment must also be carried out.

Binding Corporate Rules (BCRs)

BCRs only cover international transfers of personal data between companies within the same group.

Sub-Processor Lists

SaaS suppliers must list all sub-processors to whom they transfer personal data in a sub-processor list. The sub-processor list usually forms part of the SaaS supplier’s data processing agreement (“DPA”), which is often published on the SaaS supplier’s website or SaaS platform. The transfer mechanism used by each sub-processor must be identified in the sub-processor list.

A SaaS supplier’s current list of sub-processors must correctly identify the actual transfer mechanism relied upon by each sub-processor. Please note that:

  • since the introduction of the DPF, many US sub-processors no longer use SCCs as their transfer mechanism; and
  • where a sub-processor list was created before March 2024, the “old” EU and UK SCCs must be replaced with the “new” EU and UK SCCs.

SaaS suppliers should also be aware that where any sub-processor uses SCCs as a transfer mechanism, the SaaS supplier must ensure that the data transfer assessment carried out for that sub-processor is updated at least annually.

Actions to be taken now

Where SaaS suppliers make any restricted transfers of personal data to sub-processors, or to their group companies, affiliates, customers or suppliers, they may need to update their legal documentation to reflect the above current transfer mechanisms.

For example:

Where a restricted transfer of personal data is made by the SaaS supplier to a group company or an affiliate located in the USA, the SaaS supplier will need to:

  • apply for the US entity to be certified under the DPF;
  • amend the group company or affiliate’s privacy policy to include the mandatory information required under the DPF rules;
  • amend any inter-company data processing agreements to reflect the new transfer mechanism.

Where a transfer of personal data is made to a customer, supplier or sub-processor located in the USA, the SaaS supplier will need to:

  • amend its sub-processor list;
  • amend its data processing agreement;
  • amend its data transfer assessments;

to reflect the changes in the transfer mechanisms relied upon.

Irene Bodle is an IT lawyer specialising in SaaS agreements, GDPR and cloud computing with over 15 years’ experience in the IT sector. If you require assistance with any SaaS or cloud computing contracts, GDPR or any other IT legal issues, please contact me:

irene.bodle@bodlelaw.com

www.bodlelaw.com