The General Data Protection Regulation (“GDPR”) now applies to all SaaS customers and SaaS suppliers collecting or processing the personal data of individuals located within the EU. SaaS suppliers and SaaS customers must comply with the terms the GDPR. SaaS suppliers and SaaS customers should be aware that the GDPR does not however fully harmonise data protection law throughout the EU, as each EU country may introduce their own requirements in certain instances (“derogations”) under their own local data protection laws. SaaS suppliers and SaaS customers who operate in, or collect or process personal data from persons located in different EU countries therefore need to be aware of the different data protection laws effective in each EU country, from which they collect or process data of individuals located there.
To date, only a few EU countries have enacted their own local data protection law setting out additional rules and derogations from the GDPR. For example, in the UK the provisions of the Data Protection Act 2018 (“DPA”) apply in addition to the GDPR and include many derogations from the GDPR.
Most EU countries have now passed their own local data protection law setting out derogations. SaaS suppliers and SaaS customers must keep up to date on changes that are made to local national data protection laws in each EU country, a summary of the current position is set out below.
Current Local Data Protection Laws
The following EU countries have their own additional data protection law, or have amended their existing local data protection laws setting out the derogations from the GDPR:
- UK, Ireland
- Austria, Belgium, Bulgaria
- Croatia, Cyprus, Denmark
- Estonia, Hungary, Italy
- France, Finland, Germany
- Latvia, Lithuania, Luxembourg
- Malta, Netherlands, Poland
- Portugal, Romania, Slovakia
- Slovenia, Spain, Sweden
Greece is the only EU country which has confirmed that it will not derogate from the GDPR.
Draft Local Data Protection Laws
The Czech Republic only has a proposed local data protection law setting out the exact derogations from the GDPR applicable in the Czech Republic.
Where SaaS suppliers or SaaS customers are collecting or processing the personal data of individuals within the EU, they will need to regularly check the rules for each EU country in which they are collecting or processing personal data. Technical and legal measures will need to be implemented and updated to ensure that the local derogations from the GDPR are complied with in each applicable EU country. This will apply not only to EU SaaS suppliers and SaaS customers, but any entity located outside of the EU who collects or processes personal data of persons located within the EU.
Irene Bodle is an IT lawyer specialising in SaaS agreements with over 14 years experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:
To register for my newsletter click here
Other related articles:
- SaaS Agreements – GDPR – The General Data Protection Regulation
- SaaS Agreements – GDPR – UK Data Protection Act 2018
- SaaS Agreements – GDPR – US companies
- SaaS Agreements – GDPR – Data Processing Agreement
- SaaS Agreements – GDPR – Age of Consent
- SaaS Agreements – GDPR – New German Data Protection Law (BDSG)
- SaaS Agreements – Brexit – EU Data Transfers to UK after Brexit
- SaaS Agreements – Data Protection – SaaS, Brexit and the GDPR
- SaaS Agreements – Data Protection – New Obligations for SaaS Suppliers
- SaaS Agreements – Data Protection – New Obligations for SaaS Customers
- SaaS Agreements – Data Protection – EU US Privacy Shield
- SaaS Agreements – Data Protection – Privacy Shield Update
- SaaS Agreements – Data Protection – Microsoft Irish Data Centre Decision
- SaaS Agreements – Data Protection – The Patriot Act
- SaaS Agreements – Data Protection – Data Stored in the USA