SaaS Agreements – Data Protection – Does your DPA and Sub-Processor List need updating?

Meta were fined 1.2 billion Euros for breaches of EU data protection law and for transferring personal data of EU users to the US despite, using standard contractual clauses, (SCCs), having in place supplemental measures and carrying out data transfer impact assessments, (DTIAs). Google has also been pursued in various EU member states for similar breaches.

In light of these decisions, SaaS suppliers should review their own data protection practices and documentation to ensure that they are up to date and comply with the current rules.

Use of the correct SCCs

New EU SCCs

Since the 27^th of December 2022 the new EU SCCs must be used for all transfers of EU personal data to a third country. Any SaaS agreements that still include the old EU SCCs must be updated to include the new EU SCCs.

New UK SCCs

All SaaS agreements concluded on or before the 21st of September 2022 must use the new UK SCCs.

SaaS suppliers and SaaS customers can only continue to use the old EU SCCs in existing SaaS agreements until the 21st of March 2024 provided that the processing operations that are the subject matter of the agreement remain unchanged.

Supplemental Measures

In addition to using the correct, and up to date SCCs, SaaS suppliers must carry out due diligence on any sub-processors they plan to use to process personal data, where the sub-processors rely upon SCCs to transfer personal data outside of the EEA. Details of the supplemental measures used must be included in the sub-processor list.

The only supplemental measures that are compliant with the European Data Protection Board, (EDPB) guidelines are:

Encryption of data at rest and in transit; and
Storage of encryption keys within the EEA.

Data Impact Transfer Assessments

Following the Schrems II decision, the court made clear that SaaS suppliers and SaaS customers must carry out and document data transfer impact assessments when using SCCs as a transfer mechanism for restricted transfers.

SaaS suppliers should check their Article 30 GDPR data mapping document to identify which sub-processors rely upon SCCs, then they must;

Carry out a Schrems II data transfer impact assessment, for each transfer from the EU;
Carry out an ICO data transfer assessment for each transfer from the UK, (DTA) using the ICO tool or using an EU DTIA.

Summary

When reviewing compliance with the above rules SaaS suppliers and SaaS customers should not just check their SaaS agreements with customers. They will also need to review existing group data transfer agreements and existing agreements and DPAs with all third parties, i.e. suppliers, resellers, partners and sub-contractors.

Help

Irene Bodle is an IT lawyer specialising in SaaS agreements, GDPR and cloud computing with over 15 years experience in the IT sector. If you require assistance with any SaaS or cloud computing contracts, GDPR or any other IT legal issues please contact me:

irene.bodle@bodlelaw.com
www.bodlelaw.com

To register for my newsletter click here

Name	Borlabs Cookie
Provider	Borlabs - Benjamin a. bornschein
Purpose	Saves the visitors preferences selected in the Cookie Box of Borlabs Cookie.
Privacy Policy	https://borlabs.io/privacy/
Cookie Name	borlabs-cookie
Cookie Expiry	180 days

Accept	Google Analytics
Name	Google Analytics
Provider	Google Inc.
Purpose	Cookies are set by Google and are used for website analytics and performance measurement. Cookies create statistical data on how visitors use our Site.
Privacy Policy	https://policies.google.com/privacy?hl=en
Cookie Name	_ga ; _ga_*
Cookie Expiry	_ga : 1 year 1 month, _ga_* : 1 year 1 month