From 25 May 2018 the EU General Data Protection Regulation (GDPR) will come into force and change existing data protection laws in all 28 EU member states. The GDPR will place direct obligations on SaaS suppliers (data processors) in relation to data processing activities. In addition, SaaS customers (data controllers), their clients (data subjects) and local data protection authorities will be able to take action for breaches of the new rules directly against SaaS suppliers.
Written Data Processing Agreement
SaaS suppliers will need to include the following minimum terms in a written data processing agreement with all SaaS customers:
- The duration, nature and purpose of the data processing;
- The types of data being processed;
- The obligations and rights of the customer.
The written data processing agreement must state that:
- Personal data will only be processed in accordance with documented instructions from the SaaS customer;
- The SaaS supplier will assist the SaaS customer in complying with its own obligations as a data controller;
- The SaaS supplier is obliged to inform the SaaS customer if it believes an instruction to give personal data to the SaaS customer breaches the GDPR or any other EU or Member State law.
Unless one of the exceptions applies, the main one being that the SaaS supplier has fewer than 250 employees, SaaS suppliers must keep records of all categories of processing activities that they carry out.
The following details must be recorded:
- Information about the SaaS customer and any other data processors;
- Names of relevant data protection officers (DPOs);
- The categories of data processing carried out;
- Any transfers to third countries; and
- The general technical, organisational and security measures used by the SaaS supplier.
If requested by a supervisory authority, SaaS suppliers must provide such records.
SaaS suppliers will need to obtain prior written consent to the subcontracting of any data processing activities: for example, using a third-party hosting centre such as AWS or Microsoft Azure. Although SaaS suppliers can include a general consent to subcontracting in the provisions of their SaaS agreements, SaaS suppliers will still be obliged to inform SaaS customers before adding or replacing any sub-processors in order to give customers time to object to a change.
SaaS suppliers will be required to notify SaaS customers of any breach of their obligations, without undue delay, after becoming aware of the breach.
Data Protection Officers
SaaS suppliers will be obliged to appoint a data protection officer (DPO) in some specific circumstances: for example where the SaaS supplier is processing special data (sensitive data) or if required to do so under a Member State law.
The contact details of any DPO appointed must be published and communicated to the applicable supervisory authority.
Deletion or Return of Data
SaaS suppliers must allow SaaS customers to choose between deletion or return of all personal data on termination or expiry of the SaaS agreement (unless applicable mandatory law requires storage). SaaS customers will be entitled to check compliance with this requirement.
Transfers outside the EEA
Although SaaS suppliers are required to follow a SaaS customer’s instructions with regard to data processing, SaaS suppliers may only transfer personal data outside of the EEA if the SaaS supplier or SaaS customer has provided appropriate safeguards: for example, by using EU model clauses or Binding Corporate Rules (BCRs).
Fines and Compensation
- Data subjects will be able to take action against SaaS suppliers directly and claim damages for the SaaS supplier’s breach of any obligations under the GDPR; or
- SaaS suppliers will potentially be liable to both the SaaS customer and data subjects for the same breach.
In addition data protection authorities will be able to fine SaaS suppliers up to 4% of annual global turnover for some breaches.
Preparing for Change
SaaS suppliers need to review the terms of their existing SaaS agreements and their internal procedures to ensure that they comply with the new rules on the use of subcontractors, data security requirements, appointment of DPOs and having in place appropriate organisational and technical measures.
SaaS suppliers should ensure that existing and future agreements with their sub-processors impose the same data processing obligations on all subcontractors, as the SaaS supplier will be liable to the SaaS customer and data subjects for any breaches of the new rules caused by any subcontractors.
SaaS suppliers should ensure that their insurance cover and indemnities and limitations on liability contained in existing SaaS agreements relating to use of personal data are sufficient to cover the higher levels of fines and direct claims for damages by data subjects.
Irene Bodle is an IT lawyer specialising in SaaS, with over 14 years’ experience dealing with SaaS, cloud computing matters and IT law issues. If you require assistance with any SaaS agreements, cloud computing matters or any other IT legal issues please contact me at: