The General Data Protection Regulation (GDPR) has now replaced the EU Data Protection Directive, with the aim of harmonising European data protection law. In the UK the GDPR and the Data Protection Act 2018 (DPA) replaced the Data Protection Act 1998 on 25 May 2018. These changes in data protection law will have a significant effect on both SaaS suppliers and SaaS customers, who must comply with the terms of both the GDPR and the DPA. Below is a summary of the main provisions of the GDPR that SaaS suppliers and customers need to be aware of.
The GDPR will continue to apply in the UK after any future Brexit.
SaaS Agreement Terms
SaaS suppliers and SaaS customers must ensure that all contractual documents that involve data processing, such as SaaS agreements, privacy policies and hosting and support agreements, comply with the new rules under the GDPR and the DPA.
SaaS suppliers and SaaS customers should be aware that the GDPR does not fully harmonise data protection law throughout Europe. Each EU country may introduce its own requirements in certain instances under the various derogations permitted by the GDPR.
New Data Processor Obligations
The GDPR applies to data controllers (SaaS customers) and data processors (SaaS suppliers). SaaS suppliers in particular should be aware that some GDPR obligations apply directly to data processors, who are now subject to compliance obligations and to sanctions for non-compliance.
SaaS suppliers and SaaS customers relying on consent to process personal data will need to show that the consent is:
- freely given;
- specific and informed; and
- an “unambiguous indication” of a data subject’s wishes, expressed either by a statement or by a clear affirmative action (e.g. ticking a consent box when visiting a website).
Consent must be purpose-limited, i.e. related to explicitly specified purposes.
The default age for giving valid consent and using online services is 16; however, each EU country may reduce this to 13 if it wishes. The UK has already included this derogation in the DPA.
The maximum penalty for a breach of the GDPR is substantially higher than under the previous legislation. Fines can be imposed on SaaS suppliers or SaaS customers, of up to 4% of annual global turnover or up to 20 million Euros (whichever is higher).
Applicable to Non-EU Entities
The GDPR will apply not just to EU SaaS customers and suppliers but also to non-EU SaaS customers and suppliers who:
- offer goods or services to data subjects in the EU; or
- monitor the behaviour of EU citizens to the extent that the behaviour takes place in the EU.
Enforcement – One Stop Shop
SaaS suppliers and SaaS customers will be regulated by a single regulator in the place of their main establishment, which shall be their main administrative location in the EU. Data subjects will be able to make complaints to regulators in their own EU country.
Data Protection Officer
An independent data protection officer (“DPO”) must be appointed where an organisation’s core business involves processing personal data involving regular and systematic monitoring of data subjects or large amounts of sensitive personal data. Each EU country may enact national provisions imposing further requirements regarding the appointment of DPOs. This will be particularly relevant in Germany where this is already a legal requirement.
There is no requirement for a SaaS supplier or SaaS customer to notify local data protection authorities of any data processing activities but there is a requirement to keep records of data processing activities (subject to limited exceptions).
SaaS customers and SaaS suppliers must report breaches to the relevant local regulator without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Data subjects must be informed of breaches without undue delay where the breach is likely to result in a high risk to the data subject’s rights and freedoms unless:
- the data has been rendered unintelligible to any third party (for example by encryption);
- the data controller has taken steps to ensure the high risk is unlikely to materialise; or
- it would involve disproportionate effort to inform data subjects individually, in which case a public announcement can be made.
Data processors (SaaS suppliers) are required to inform data controllers (SaaS customers) of any breach without undue delay.
SaaS customers will be required to carry out data protection impact assessments (“DPIAs”) if their proposed activities are likely to result in a high risk for the rights and freedoms of individuals, in particular, through the use of new technologies and in cases of profiling.
Data Subject Rights
The following rights shall be granted to data subjects:
- data portability;
- the right to be forgotten;
- the right to prevent profiling;
- the right to object to processing;
- the right to rectification and erasure; and
- subject access requests (“SARs”).
SARs must be responded to by the data controller (SaaS customer) without undue delay and, at the latest, within one month of receipt of the request. The data controller only has the right to charge a reasonable fee to cover administrative costs where the requests are “manifestly unfounded or excessive”.
Now that the GDPR is in force, it is essential that SaaS customers and SaaS suppliers comply with its terms, for example by:
- Including written data processing agreements in existing SaaS agreements and future SaaS agreements with relevant customers;
- Ensuring that privacy policies comply with the GDPR rules;
- Appointing a data protection officer (where appropriate);
- Using a documentation system for recording data processing activities;
- Being able to show how and when any consents have been obtained from data subjects.
Irene Bodle is an IT lawyer specialising in SaaS agreements with over 14 years’ experience in the IT sector. If you require assistance with any SaaS, ASP or software-on-demand contracts, or any other IT legal issues, contact me: