When negotiating a SaaS agreement with SaaS customers, you will often need to transfer customer data outside of the EEA (European Economic Area). This could be at the request of your SaaS customer or, more usually, because you have a sub-contractor such as a data centre located outside of the EEA. SaaS suppliers should be aware of the following in order to comply with their duties under the UK Data Protection Act 2018 (DPA) and the GDPR.
The GDPR and the Data Protection Act
The GDPR and the UK Data Protection Act 2018 apply to the processing of personal data, i.e. names, email addresses, dates of birth or national insurance numbers of any living individual. The GDPR and the DPA set out different duties for data controllers and data processors. In a SaaS agreement, the customer is always the data controller and the SaaS supplier is their data processor.
Transfer outside of the EEA
The European Economic Area is the 28 EU member states plus Norway, Iceland and Liechtenstein. If data is transferred to any country outside the EEA, the specific consent of each data subject whose data is being transferred must be obtained before the transfer takes place, unless the data is transferred to a country recognised by the EU as having adequate data protection laws.
Countries with Adequate Protection
Currently Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and Japan are recognised by the EU data protection authorities as countries with adequate protection. In addition, companies registered under the EU-US Privacy Shield regime in the USA are also recognised.
Other Ways of Obtaining Consent
Consent can be obtained from data subjects by the SaaS customer including relevant information in its privacy policy and ensuring that its clients actively consent to transfers of their data outside of the EEA when they enter into a contract to use the SaaS customer’s products or services.
Summary
Any transfer of SaaS customer data to any country not set out above will be illegal, unless specific consent has been obtained prior to the data transfer taking place.
Help
Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years' experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues, contact me:
irene.bodle@bodlelaw.com
www.bodlelaw.com