When negotiating a SaaS agreement with SaaS customers, you will often need to transfer customer data outside of the EEA (European Economic Area). This could be at the request of your SaaS customer or, more usually, because you have a sub-contractor such as a data centre located outside of the EEA. SaaS suppliers should be aware of the following in order to comply with their duties under the Data Protection Act 1998 (DPA).

The Data Protection Act

The Data Protection Act 1998 applies to the processing of personal data, i.e. names, email addresses, dates of birth or national insurance numbers of any living individual. The DPA sets out different duties for data controllers and data processors. In a SaaS agreement, the customer is always the data controller and the SaaS supplier is their data processor.

Transfer outside of the EEA

The European Economic Area is the 27 EU member states plus Norway, Iceland and Liechtenstein. If data is transferred to any country outside the EEA, the specific consent of each data subject whose data is being transferred must be obtained before the transfer takes place, unless the data is transferred to a country recognised by the EU as having adequate data protection laws.

Countries with Adequate Protection

Currently Andorra, Argentina, Canada, Faeroe Islands, Guernsey, State of Israel, the Isle of Man, Jersey, New Zealand, Switzerland and the Eastern Republic of Uruguay are recognised by the EU data protection authorities as countries with adequate protection. In addition, companies registered under the EU-US Privacy Shield regime in the USA are also recognised.

Other ways of Obtaining Consent

Consent can be obtained from data subjects by the SaaS customer including relevant information in its privacy policy and ensuring that its clients actively consent to transfers of their data outside of the EEA when they enter into a contract to use the SaaS customer’s products or services.

Summary

Any transfer of SaaS customer data to any country not set out above will be illegal, unless specific consent has been obtained prior to the data transfer taking place.

Help

Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years' experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues, contact me:

irene.bodle@bodlelaw.com
www.bodlelaw.com
