On the 25th of January 2012 the European Commission published a proposal for a new Data Protection Regulation to replace the existing EU Data Protection Directive. The proposal sets out a general data protection framework aimed at unifying the current differing data protection rules in the EU. Following on from my first article – part 1, I have summarised below the remainder of the major changes this will make to EU data protection law and how these will affect SaaS suppliers and customers.
Data Protection Officer
An independent data protection officer must be appointed by public authorities and businesses with 250 or more employees or businesses whose core activities involve processing operations which require regular and systematic monitoring. The data protection officer must maintain an internal register which the DPA has the right to inspect.
Stricter express duties will be imposed on data controllers. For example they must:
- maintain documents regarding all processing;
- implement specific data security requirements;
- perform data processing impact assessments; and
- obtain prior authorisation for certain processing activities.
The obligations and duties of data processors will be more specifically defined. For example they should:
- only employ staff who have given confidentiality undertakings or commitments;
- obtain the permission of the data controller before employing a sub-processor;
- ensure that security measures are implemented; and
- maintain documentation of all processing operations.
Explicit consent must be obtained from data subjects by SaaS customers. It will not be acceptable for customers to assume consent from a data subject’s silence or inactivity or through generic terms and conditions. Consent must be given by a data subject in a clear statement or via an affirmative action (e.g. ticking a consent box when visiting a website). The data subject must have the right to withdraw consent at any time.
There is an additional requirement that explicit parental consent must be given when processing the data of a child under the age of 13.
Right to be Forgotten
Data subjects will have the right to be forgotten. This will allow individuals to have all personal data that a SaaS supplier holds on them deleted. This will include all photos and any public links to, or copies of, personal data that can be found on the Internet, for example in social networks or via search engines. SaaS suppliers will be required to permanently delete the individual’s data unless there are legitimate grounds for retaining it.
Right to Copy of Personal Data
In certain circumstances individuals will be able to obtain a copy of their personal data. They will also have the right to have their data transferred automatically between SaaS suppliers, for example from one social network to another. This means that SaaS suppliers will need to implement data exporting tools to enable users to download their data and move it to another provider.
When will the Rules Change?
The draft Regulation must be approved by all EU countries and the European Parliament before it comes into effect, probably in about 3 years’ time. The rules will introduce significant and onerous new obligations upon SaaS suppliers, who will need to implement time-consuming measures to ensure compliance in order to avoid the risk of substantial fines.
Preparing for Change
Although the proposals could be substantially amended before they are approved, it is advisable that businesses start to prepare for the proposed changes now, for example by appointing a data protection officer (where appropriate), devising a documentation system for recording data processing activities, reviewing how consent is obtained from data subjects and revising all data processing agreements.
Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years’ experience in the IT sector. If you require assistance with any SaaS, ASP or software on demand contracts, or any other IT legal issues, contact me.