Since the General Data Protection Regulation (GDPR) came into force on the 25th of May 2018, SaaS suppliers and SaaS customers are legally obliged to include a written data processing agreement (DPA) in the terms of their SaaS agreements. The DPA usually forms a schedule to the SaaS agreement and must include the specific and detailed mandatory obligations set out in the GDPR. SaaS suppliers should use their own DPA and resist any attempt by a SaaS customer to have them sign up to the SaaS customer’s DPA for the following reasons.
Although the GDPR clearly sets out that the DPA should include all data processor and data controller obligations, many DPAs provided by SaaS customers do not include:
- All mandatory obligations required under the GDPR; and
- Any data controller (SaaS customer) obligations at all.
Many SaaS customer DPAs seek to impose additional or far more onerous obligations on SaaS suppliers than are required under the GDPR. For example, a SaaS supplier (the data processor) has to report a data breach without undue delay, but SaaS customers (the data controller) often try to impose an obligation to report immediately or within 24 hours.
Liabilities and Indemnities
SaaS customers often add unlimited liabilities and indemnities to the DPA that only apply to the SaaS supplier, retaining their own limited liability for any breaches. Any limitations on liability included in the SaaS agreement should also apply to breaches of the DPA, particularly in light of the high fines (20 million Euros or 4% of annual worldwide turnover) that can be imposed for a breach of the GDPR.
It is mandatory to set out the technical and administrative security provisions that the SaaS supplier has in place to protect personal data. As the SaaS customer cannot know what security provisions the SaaS supplier and its sub-contractors (i.e. the data centre) have in place, it is entirely unrealistic for the SaaS customer to dictate what these should be, as they will not reflect the actual practices adopted by the SaaS supplier and its sub-contractors. The SaaS supplier should therefore always provide these details.
Applicable Data Protection Law
The DPA should refer to the GDPR and for UK SaaS suppliers, the Data Protection Act 2018. References to the EU Data Protection Directive are now obsolete (unless they refer to amendments or replacement legislation) and should be updated.
Many SaaS customer DPAs contain onerous and wide-ranging obligations on SaaS suppliers to assist with audits, DPIAs, data subject requests and the return and deletion of data, which go far beyond the SaaS supplier’s obligations set out in the GDPR. These clauses should be carefully reviewed and amended to reflect the mandatory obligations of the SaaS supplier under the GDPR, and should include provisions for the SaaS supplier to be paid for providing assistance.
Any exclusion on the use of subcontractors should be removed from the DPA: due to the nature of cloud computing, all SaaS suppliers use subcontractors, since all SaaS suppliers use a data centre. The provisions on how and when subprocessors can be used, and in which jurisdictions, should be carefully drafted to ensure that they permit the actual practices of the SaaS supplier in providing the SaaS services. EU standard contractual clauses must be used where any UK or EU personal data is transferred outside of the EEA.
Controller or Processor DPA
To avoid the above issues, SaaS suppliers should:
- Draft their own GDPR compliant DPAs;
- Send existing SaaS customers their DPA for inclusion in the existing SaaS agreement without delay;
- Include their own DPA in their current SaaS agreements as a schedule for new SaaS customers.
Where a SaaS supplier agrees to use a SaaS customer’s DPA, the SaaS supplier should have the terms of the DPA checked by a lawyer who will be able to:
- Identify which obligations are not mandatory under the GDPR;
- Identify which obligations of either party are missing;
- Adapt the terms to protect the interests of the SaaS supplier in compliance with the requirements of the GDPR.
Irene Bodle is an IT lawyer specialising in SaaS agreements, GDPR and cloud computing with over 15 years’ experience in the IT sector. If you require assistance with any SaaS or cloud computing contracts, GDPR or any other IT legal issues please contact me: