When negotiating a SaaS agreement with SaaS customers you will often need to transfer customer data outside of the EEA (European Economic Area). This could be at the request of your SaaS customer or more usually because you have a sub-contractor such as a data centre located outside of the EEA. SaaS suppliers should be aware of the following in order to comply with their duties under the Data Protection Act 1998 (DPA).
The Data Protection Act
The Data Protection Act 1998 applies to the processing of personal data, i.e. names, email addresses, dates of birth or national insurance numbers of any living individual. The DPA sets out different duties for data controllers and data processors. In a SaaS agreement, the customer is always the data controller and the SaaS supplier is their data processor.
Transfer outside of the EEA
The European Economic Area is the 27 EU member states plus Norway, Iceland and Liechtenstein. If data is transferred to any country outside the EEA, the specific consent of each data subject whose data is being transferred must be obtained before the transfer takes place, unless the data is transferred to a country recognised by the EU as having adequate data protection laws.
Countries with Adequate Protection
Currently Andorra, Argentina, Canada, Faeroe Islands, Guernsey, State of Israel, the Isle of Man, Jersey, New Zealand, Switzerland and the Eastern Republic of Uruguay are recognised by the EU data protection authorities as countries with adequate protection. In addition, companies registered under the EU-US Privacy Shield regime in the USA are also recognised.
Other Ways of Obtaining Consent
Any transfer of SaaS customer data to any country not set out above will be illegal, unless specific consent has been obtained prior to the data transfer taking place.
Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years' experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me: