SaaS Agreements – GDPR – US Companies

From the 25th of May 2018 the EU General Data Protection Regulation (GDPR) will come into force and replace existing UK data protection laws. The GDPR does not apply only to SaaS suppliers and SaaS customers located in the EU; it also applies outside the EU, i.e. to SaaS suppliers and SaaS customers located in the USA and other non-EU countries.

GDPR Applies to US SaaS Customers and SaaS Suppliers

The GDPR will apply to SaaS suppliers and SaaS customers located in the USA if:

  • They offer goods or services to SaaS customers located within the EU; or
  • They monitor the behaviour of EU data subjects;

even though the SaaS supplier or SaaS customer is not itself located within the EU.

US SaaS suppliers and US SaaS customers must therefore comply with the provisions of the GDPR from the 25th of May 2018.

Offering Goods or Services

For a US SaaS customer or supplier to be deemed to be offering SaaS goods or services in the EU, it must be clear that the US company envisages offering those goods or services to data subjects in one or more EU countries. This will be determined by looking at:

  • The use of any country-specific domain names, e.g. .co.uk;
  • The languages in which goods or services are offered, e.g. French;
  • The currencies in which goods or services are offered, e.g. Euros.

Monitoring Behaviour of EU Data Subjects

A US SaaS customer or supplier will be deemed to be monitoring the behaviour of EU data subjects if it tracks individuals on the Internet for profiling purposes, e.g. through the use of cookies.

Fines for Non-compliance

Data subjects will be able to claim damages directly from SaaS suppliers or SaaS customers who breach any obligations under the GDPR.

In addition, data protection authorities will be able to fine SaaS suppliers and/or SaaS customers up to 4% of annual global turnover or 20m Euros (whichever is higher) for breaches of the GDPR.

How to Comply

US SaaS customers and SaaS suppliers need to take the following actions to comply with the GDPR by the 25th of May 2018:

  • Identify what personal data of data subjects located in the EU they collect/process;
  • Review and amend SaaS agreement terms for compliance with the GDPR;
  • Create GDPR compliant data processing agreements (DPA);
  • Amend existing privacy policies to comply with the GDPR;
  • Implement the security, technical and administrative changes required to comply with the GDPR and set out in the above legal documentation.

NB: US SaaS customers or SaaS suppliers who do not, or cannot, comply with the GDPR should put measures in place to prevent orders being placed on their websites by EU data subjects.

Help

Irene Bodle is an IT lawyer specialising in SaaS agreements with over 15 years' experience in the IT sector. If you require assistance with any SaaS, ASP or software-on-demand contracts, or any other IT legal issues, contact me:

irene.bodle@bodlelaw.com
www.bodlelaw.com
