SaaS Agreements – GDPR – Local Derogations

The General Data Protection Regulation (“GDPR”) now applies to all SaaS customers and SaaS suppliers collecting or processing the personal data of individuals located within the EU. SaaS suppliers and SaaS customers must comply with the terms of the GDPR. They should be aware, however, that the GDPR does not fully harmonise data protection law throughout the EU, as each EU country may introduce its own requirements in certain instances (“derogations”) under its own local data protection laws. SaaS suppliers and SaaS customers who operate in different EU countries, or who collect or process personal data from persons located in them, therefore need to be aware of the data protection laws in effect in each EU country where those individuals are located.

Derogations

To date, only a few EU countries have enacted their own local data protection law setting out additional rules and derogations from the GDPR. For example, in the UK the provisions of the Data Protection Act 2018 (“DPA”) apply in addition to the GDPR and include many derogations from the GDPR.

Many EU countries have not yet passed their own local data protection law setting out derogations, although most plan to. SaaS suppliers and SaaS customers must keep up to date on changes that are made to local national data protection laws in each EU country over the next few months.

Current Local Data Protection Laws

The following 21 EU countries have enacted additional local data protection laws, or have amended their existing ones, setting out the derogations from the GDPR applicable in each country:

  • UK, Ireland
  • Austria, Belgium
  • Croatia, Cyprus
  • Denmark, Hungary, Italy
  • France, Germany
  • Latvia, Lithuania, Luxembourg
  • Malta, Netherlands
  • Poland, Romania
  • Slovakia, Spain, Sweden

Greece is the only EU country which has confirmed that it will not derogate from the GDPR.

Draft Local Data Protection Laws

The following 6 EU countries have a proposed local data protection law setting out the exact derogations from the GDPR applicable in that country:

  • Bulgaria
  • Czech Republic
  • Estonia
  • Finland
  • Portugal
  • Slovenia

Summary

Where SaaS suppliers or SaaS customers are collecting or processing the personal data of individuals within the EU, they will need to regularly check the rules for each EU country in which they are collecting or processing personal data. Technical and legal measures will need to be implemented and updated to ensure that the local derogations from the GDPR are complied with in each applicable EU country. This will apply not only to EU SaaS suppliers and SaaS customers, but also to any entity located outside the EU that collects or processes personal data of persons located within the EU.

Help

Irene Bodle is an IT lawyer specialising in SaaS agreements with over 14 years' experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues, contact me:

irene.bodle@bodlelaw.com
www.bodlelaw.com
