SaaS Agreements – Data Protection – New EU Standard Contractual Clauses Published

On the 4th of June 2021 the EU Commission announced the adoption of new Standard Contractual Clauses (new SCCs). The new SCCs must be used by all SaaS suppliers and SaaS customers who transfer personal data to countries outside the EU/EEA (third countries) as the current SCCs were repealed on the 27th of September 2021.

What are EU Standard Contractual Clauses

EU standard contractual clauses are standard data processing agreements that have been approved by the EU Commission as providing adequate protection for the transfer of personal data to a third country. There are currently two sets of standard contractual clauses for transfers of personal data between data controllers and one set for transfers between a data controller and a data processor.

Where personal data is transferred from:

A data controller in the EU (SaaS customer) to a data processor outside of the EEA (SaaS supplier); or
A SaaS supplier within the EU to a sub-processor located outside of the EEA;

the SaaS supplier will need to enter into EU standard contractual clauses with the SaaS customer or SaaS sub-processor, as applicable.

When EU standard contractual clauses are included in a SaaS agreement, the requirement to provide adequate protection for the data being transferred will be met and no specific consent will need to be obtained from individual data subjects.

This is a common scenario in a SaaS agreement where a SaaS customer based in the EU is accessing SaaS software provided by a SaaS supplier who uses a hosting centre in the USA or outsourced IT development centre located in India or Asia to process the SaaS customer’s personal data.

When must the new SCCs be used

Since the 27th of September 2021, SaaS suppliers and SaaS customers must use the new SCCs for all new SaaS contracts. For contracts existing before the 27th of September 2021, the old SCCs can continue to be used up until the 27th of December 2022.

Adapting the new SCCs

The structure and content of the SCCs has changed. The SCCs are no longer a “standard template” which can be added unaltered as an appendix to the data processing agreement, which forms part of a SaaS agreement. The new SCCs use a modular approach. The new SCCs must be substantially customised by adapting and removing any modules that do not apply. There are annexes that need to be customised and the total length of the SCCs is over 35 pages.

Transfer of data from the UK

The new SCCs are specific to transfers of personal data from the EU to third countries. They do not cover transfers of UK personal data to third countries as the UK is not an EU Member State. UK based SaaS suppliers and SaaS customers will need to use a UK version of the new SCCs for transfers of personal data from the UK to third countries – once this is created by the UK data protection supervisory authority (ICO). In the meantime, the old SCCs adapted by the ICO should be used for transfers of UK personal data.

Adapting and implementing the new SCCs

SaaS customers and SaaS suppliers need to take the following steps to enable them to adapt and implement the new SCCs:

create a data mapping of all personal data transfers;
carry out a data transfer impact assessment and document this;
adapt each module of the new SCCs in light of the above;
customise Annex I and II of the new SCCs for use with different types of controllers and processers i.e. customers, suppliers, agents and intercompany transfers;
use the new SSCs for all new SaaS contracts with customers and suppliers entered into from the 27th of September 2021; and
change all existing SaaS agreements with customers and suppliers to incorporate the new SCCs by the 27th of December 2022.

Help

Irene Bodle is an IT lawyer specialising in SaaS agreements, GDPR and cloud computing with over 15 years experience in the IT sector. If you require assistance with any SaaS or cloud computing contracts, GDPR or any other IT legal issues please contact me:

irene.bodle@bodlelaw.com
www.bodlelaw.com

To register for my newsletter click here

______________________________________________________

Other related articles:

Name	Borlabs Cookie
Provider	Borlabs - Benjamin a. bornschein
Purpose	Saves the visitors preferences selected in the Cookie Box of Borlabs Cookie.
Privacy Policy	https://borlabs.io/privacy/
Cookie Name	borlabs-cookie
Cookie Expiry	180 days

Accept	Google Analytics
Name	Google Analytics
Provider	Google Inc.
Purpose	Cookies are set by Google and are used for website analytics and performance measurement. Cookies create statistical data on how visitors use our Site.
Privacy Policy	https://policies.google.com/privacy?hl=en
Cookie Name	_ga ; _ga_*
Cookie Expiry	_ga : 1 year 1 month, _ga_* : 1 year 1 month