SaaS Agreements – FAQs – EU Model Clauses

When negotiating a SaaS agreement with SaaS customers, a SaaS supplier will often need to transfer customer data outside of the European Economic Area (EEA). This may be at the request of a SaaS customer or, more usually, because the SaaS supplier uses a sub-contractor, such as a data centre, which is located outside of the EEA. SaaS suppliers and SaaS customers should use EU model clauses in the circumstances set out below in order to comply with their duties under UK and EU data protection laws.

The Data Protection Act

The Data Protection Act 1998 (DPA) applies to the processing of personal data, i.e. data relating to an identifiable living individual, such as names, email addresses, dates of birth or national insurance numbers. The DPA sets out different duties for data controllers and data processors. In a SaaS agreement, the customer is normally the data controller and the SaaS supplier is its data processor in respect of the customer's data.

A data controller is not permitted to transfer personal data outside of the EEA unless:

  • it has the specific consent of the data subject;
  • it has entered into binding corporate rules (BCRs);
  • the transfer is to a country which has adequate protection (currently Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland and Uruguay are recognised by the EU Commission as countries with adequate protection); or
  • EU model clauses are used.

EU Model Clauses

EU model clauses are standard contractual clauses that have been approved by the EU Commission as providing adequate protection for personal data transferred outside of the EEA. There are currently two sets of standard contractual clauses for transfers of personal data between data controllers and one set for transfers between a data controller and a data processor. EU model clauses must be used unamended (other than where specific details may be added, as set out in the notes to the clauses).

Where personal data is transferred from:

  • a data controller in the EU (SaaS customer) to a data processor outside of the EEA (SaaS supplier); or
  • a SaaS supplier within the EU to a sub-processor located outside of the EEA;

the SaaS supplier will need to enter into EU model clauses with the SaaS customer or SaaS sub-processor, as applicable.

When EU model clauses are included in a SaaS agreement, the requirement to provide adequate protection for the data being transferred will be met and no specific consent will need to be obtained from individual data subjects.

This is a common scenario in a SaaS agreement where a SaaS customer based in the UK is accessing SaaS software provided by a SaaS supplier who uses a hosting centre in the USA, or an outsourced IT development centre located in India or elsewhere in Asia, to process the SaaS customer's personal data.

Safe Harbor

Please note that on 6 October 2015 the Court of Justice of the European Union declared the Safe Harbor scheme invalid (Schrems, Case C-362/14). Safe Harbor can therefore no longer be relied upon for the transfer of personal data to US entities.

Binding Corporate Rules

Please note that BCRs only cover international transfers of personal data between companies within the same corporate group; they cannot be used for transfers to an unrelated SaaS supplier or sub-processor.

Summary

Any transfer of personal data by a SaaS customer or SaaS supplier to a country outside of the EEA which is not approved by the EU Commission as having adequate protection will be unlawful, unless specific consent is obtained from the data subject or EU model clauses or BCRs are used.

Help

Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years' experience in the IT sector. If you require assistance with any SaaS, ASP or software on demand contracts, or any other IT legal issues, contact me:

irene.bodle@bodlelaw.com
www.bodlelaw.com

