SaaS suppliers and SaaS customers increasingly rely on EU model clauses to lawfully export personal data outside the EEA following the demise of Safe Harbor and its replacement, the EU-US Privacy Shield. SaaS customers often try to amend the terms of the EU model clauses when negotiating a SaaS agreement. This can render the EU model clauses invalid, as they then no longer provide adequate protection for the transfer of the data outside the EEA.
SaaS suppliers should therefore be aware of the risks of agreeing to any changes to EU model clauses, and should understand which changes are and are not permitted, to ensure that they do not breach data protection laws.
EU Model Clauses
EU model clauses are standard data processing agreements that have been approved by the EU Commission as providing adequate protection. There are currently two sets of standard contractual clauses for transfers of personal data between data controllers and one set for transfers between a data controller and a data processor.
Where personal data is transferred from:
- A data controller in the EU (SaaS customer) to a data processor outside of the EEA (SaaS supplier); or
- A SaaS supplier within the EU to a sub-processor located outside of the EEA;
the SaaS supplier will need to enter into EU model clauses with the SaaS customer or SaaS sub-processor, as applicable.
When EU model clauses are included in a SaaS agreement, the requirement to provide adequate protection for the data being transferred will be met and no specific consent will need to be obtained from individual data subjects.
This is a common scenario in a SaaS agreement where a SaaS customer based in the EU accesses SaaS software provided by a SaaS supplier who uses a hosting centre in the USA or an outsourced IT development centre located in India or Asia to process the SaaS customer’s personal data.
Can Model Clauses be Amended?
SaaS suppliers and SaaS customers can amend EU model clauses, provided that the amendments made:
- Are purely commercial;
- Do not impact the protection of the personal data;
- Do not impact the rights of data subjects or supervisory authorities.
This is clearly set out in clause 10 of the 2010 controller to processor model clauses, which states:
- “The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.”
And in clause VII of the 2004 controller to controller model clauses, which states:
- “The parties may not modify these clauses except to update any information in Annex B, in which case they will inform the authority where required. This does not preclude the parties from adding additional commercial clauses where required.”
SaaS suppliers should only agree to amendments to EU model clauses that are purely commercial in nature or that are intended to explain how some of the rights under the model clauses should work in practice.
For example, the following changes would be acceptable:
- Limitations on liability between the SaaS customer and the SaaS supplier by reference to financial caps on liability in the terms of the SaaS agreement.
- Giving SaaS suppliers a general consent to use sub-processors, provided that such sub-processors are bound by the requirements of the EU model clauses.
- Including the audit process and procedures for checking compliance with the EU model clauses, for example via third-party certification or responses to security questionnaires.
The following amendments cannot be made to EU model clauses and will make them invalid:
- Any limitations on the SaaS supplier’s or SaaS customer’s liability to data subjects;
- Removing the SaaS customer’s right to audit compliance with the EU model clauses;
- Restrictions on the rights of supervisory authorities to audit compliance with the EU model clauses.
Registration of Changes
In some Member States (not the UK), SaaS suppliers and SaaS customers have a mandatory obligation to obtain authorisation for changes made to EU model clauses, and there may also be an obligation to notify data protection authorities and regulators of the changes made.
Irene Bodle is an IT lawyer specialising in SaaS, with over 14 years’ experience dealing with SaaS, cloud computing matters and IT law issues. If you require assistance with any SaaS agreements, cloud computing matters or any other IT legal issues, please contact me at: