SaaS Agreements – GDPR – Local Derogations

The General Data Protection Regulation (“GDPR”) now applies to all SaaS customers and SaaS suppliers collecting or processing the personal data of individuals located within the EU. SaaS suppliers and SaaS customers must comply with the terms of the GDPR. SaaS suppliers and SaaS customers should be aware, however, that the GDPR does not fully harmonise data protection law throughout the EU, as each EU country may introduce its own requirements in certain instances (“derogations”) under its own local data protection laws. SaaS suppliers and SaaS customers who operate in, or collect or process personal data from persons located in, different EU countries therefore need to be aware of the different data protection laws effective in each EU country from which they collect or process the data of individuals located there.

Derogations

Most EU countries have now passed their own local data protection law setting out derogations. For example, in the UK the provisions of the Data Protection Act 2018 (“DPA”) apply in addition to the GDPR and include many derogations from the GDPR. SaaS suppliers and SaaS customers must keep up to date on changes that are made to local national data protection laws in each EU country. A summary of the current position is set out below.

Current Local Data Protection Laws

The following EU countries have their own additional data protection law, or have amended their existing local data protection laws, setting out the derogations from the GDPR:

  • UK, Ireland
  • Austria, Belgium, Bulgaria
  • Croatia, Cyprus, Denmark
  • Estonia, Hungary, Italy
  • France, Finland, Germany
  • Latvia, Lithuania, Luxembourg
  • Malta, Netherlands, Poland
  • Portugal, Romania, Slovakia
  • Slovenia, Spain, Sweden

Greece is the only EU country which has confirmed that it will not derogate from the GDPR.

Draft Local Data Protection Laws

The Czech Republic has only a proposed local data protection law setting out the exact derogations from the GDPR applicable in the Czech Republic.

Summary

Where SaaS suppliers or SaaS customers are collecting or processing the personal data of individuals within the EU, they will need to regularly check the rules for each EU country in which they are collecting or processing personal data. Technical and legal measures will need to be implemented and updated to ensure that the local derogations from the GDPR are complied with in each applicable EU country. This will apply not only to EU SaaS suppliers and SaaS customers, but also to any entity located outside of the EU that collects or processes personal data of persons located within the EU.

Help

Irene Bodle is an IT lawyer specialising in SaaS agreements with over 15 years' experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues, contact me:

irene.bodle@bodlelaw.com
www.bodlelaw.com
