From the 25th of May 2018 the EU General Data Protection Regulation (GDPR) will come into force and change existing UK data protection laws. The GDPR does not apply only to SaaS suppliers and SaaS customers located in the EU. It also applies outside the EU, i.e. to SaaS suppliers and SaaS customers located in the USA and other non-EU countries.
GDPR Applies to US SaaS Customers and SaaS Suppliers
The GDPR will apply to SaaS suppliers and SaaS customers located in the USA, even though they are not located within the EU, if:
- They offer goods or services to SaaS customers located within the EU; or
- They monitor the behaviour of EU data subjects.
US SaaS suppliers and US SaaS customers must therefore comply with the provisions of the GDPR from the 25th of May 2018.
Offering Goods or Services
In order for a US SaaS customer or supplier to be deemed to be offering SaaS goods or services, it must be clear that the US company envisages offering SaaS goods or services to data subjects in one or more EU countries. This will be determined by looking at:
- The use of any country-specific domain names, e.g. .co.uk;
- The languages in which goods or services are offered, e.g. French;
- The currencies in which goods or services are offered, e.g. Euros.
Monitoring Behaviour of EU Data Subjects
Fines for Non-compliance
Data subjects will be able to claim damages directly from SaaS suppliers or SaaS customers who breach any obligations under the GDPR.
In addition, data protection authorities will be able to fine SaaS suppliers and/or SaaS customers up to 4% of annual global turnover or 20m Euros (whichever is higher) for breaches of the GDPR.
How to Comply
US SaaS customers and SaaS suppliers need to take the following actions to comply with the GDPR by the 25th of May 2018:
- Identify what personal data of data subjects located in the EU they collect or process;
- Review and amend SaaS agreement terms for compliance with the GDPR;
- Create GDPR-compliant data processing agreements (DPAs);
- Amend existing privacy policies to comply with the GDPR;
- Implement the security, technical and administrative changes required to comply with the GDPR and set out in the above legal documentation.
NB: US SaaS customers or SaaS suppliers who do not, or cannot, comply with the GDPR should put measures in place to prevent orders being placed on their websites by EU data subjects.
Irene Bodle is an IT lawyer specialising in SaaS agreements with over 15 years' experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues, contact me:
Other related articles:
- SaaS Agreements – GDPR – The General Data Protection Regulation
- SaaS Agreements – GDPR – Local Derogations
- SaaS Agreements – GDPR – UK Data Protection Act 2018
- SaaS Agreements – GDPR – Data Processing Agreement
- SaaS Agreements – GDPR – Personal Data Breaches
- SaaS Agreements – GDPR – Age of Consent
- SaaS Agreements – GDPR – New German Data Protection Law (BDSG)
- SaaS Agreements – Brexit – EU Data Transfers to UK after Brexit
- SaaS Agreements – Data Protection – SaaS, Brexit and the GDPR
- SaaS Agreements – Data Protection – New Obligations for SaaS Suppliers
- SaaS Agreements – Data Protection – New Obligations for SaaS Customers
- SaaS Agreements – Data Protection – EU US Privacy Shield
- SaaS Agreements – Data Protection – Privacy Shield Update
- SaaS Agreements – Data Protection – Microsoft Irish Data Centre Decisi
- SaaS Agreements – Data Protection – The Patriot Act
- SaaS Agreements – Data Protection – Data Stored in the USA