When entering into a SaaS agreement with a SaaS customer a SaaS supplier will often need to transfer customer data that contains EU personal data outside of the European Economic Area (EEA). This could be at the request of a SaaS customer or more usually because the SaaS supplier uses a sub-contractor located outside of the EEA to provide part of the services on its behalf (as a sub-processor). For example: a data centre, online customer support centre or email service provider provided by a company located in the USA.
EU Data Protection Law
The General Data Protection Regulation (GDPR) applies to the processing of EU personal data, i.e. names, email addresses, dates of birth or national insurance numbers of any living individual located in the EU. Data protection law sets out different duties for data controllers and data processors. In a SaaS agreement, the customer is always the data controller and the SaaS supplier is their data processor.
A data controller is not permitted to transfer personal data of EU citizens outside of the EEA unless:
- it has the specific consent of the data subject,
- it has entered into binding corporate rules (BCRs),
- the transfer is to a country which has adequate protection, for example the UK, Switzerland, Canada and other countries recognised by the EU data protection authorities as having adequate protection; or
- EU standard contractual clauses are used.
EU Standard Contractual Clauses
EU standard contractual clauses are a set of standard clauses that have been approved by the EU Commission as providing adequate protection when used to transfer EU personal data from the EU to a third country located outside of the EEA. Up until June 2021 there were two sets of standard contractual clauses that could be used for transfers of personal data between data controllers, and one set for transfers between a data controller and a data processor (the old EU SCCs). There were no clauses for transfers between data processors.
In June 2021 the EU Commission replaced the old EU SCCs with one new set of standard contractual clauses (the new EU SCCs), covering 4 different types of data transfer in one document, split into 4 modules:
- Module 1: covers transfers from a data controller (SaaS supplier) to a data controller outside of the EEA (third party);
- Module 2: covers transfers from a data controller (SaaS customer) to a data processor outside of the EEA (SaaS supplier);
- Module 3: covers transfers from a data processor (SaaS supplier) to a data processor outside of the EEA (sub-processor); and
- Module 4: covers transfers from a data processor (SaaS supplier) to a data controller (third party) outside of the EEA.
NB: whenever EU SCCs are relied upon as a data transfer mechanism, a data transfer assessment must also be carried out.
Binding Corporate Rules
Please note that BCRs only cover international transfers of personal data between companies within the same group.
EU-US Privacy Shield
Please note that on the 16th of July 2020 the EU-US Privacy Shield was declared invalid by the European Court of Justice, and since that date it can no longer be used for the transfer of personal data to US entities.
Any transfer of personal data by a SaaS customer or SaaS supplier to any country outside of the EEA which is not approved by the EU Commission as having adequate protection will be illegal, unless specific consent is obtained, or the new EU SCCs or BCRs are used AND a data transfer assessment is carried out.
Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years' experience in the IT sector. If you require assistance with any SaaS, ASP or software-on-demand contracts, or any other IT legal issues, contact me.