UK SaaS suppliers currently have limited obligations to SaaS customers when processing personal data as part of their SaaS services. The General Data Protection Regulation (GDPR) imposes many new data processing obligations directly on SaaS suppliers, most notably the obligation to enter into a written data processing agreement with SaaS customers and with any subcontractors who process personal data on the supplier's behalf.
GDPR applies to UK SaaS Suppliers despite Brexit
Regardless of when and how Brexit takes place, the GDPR will continue to apply to SaaS suppliers located within the UK if:
- They offer goods or services to SaaS customers located within the EU (i.e. in any of the remaining 27 EU Member States); or
- They monitor the behaviour of EU data subjects.
This is so even though UK SaaS suppliers will no longer be located within the EU themselves after Brexit.
GDPR applies to non-EU SaaS Suppliers
The GDPR automatically applies to SaaS suppliers located outside of the EU (e.g. in the USA) if:
- They offer goods or services to SaaS customers located within the EU; or
- They monitor the behaviour of EU data subjects.
This is so even though the SaaS supplier is not located within the EU.
Written Data Processing Agreement
Under the GDPR, SaaS suppliers and SaaS customers must include detailed data processing obligations in a written data processing agreement. The minimum terms are prescribed by the GDPR itself (Article 28). The agreement can form part of the SaaS Agreement or be a separate schedule or agreement.
SaaS suppliers should be aware that they need to enter into written data processing agreements not just with all SaaS customers, but also with all entities or persons who process personal data on their behalf, such as:
- All subcontractors, e.g. data centres and penetration testing providers;
- All subsidiaries, e.g. those providing customer support or software maintenance and support.
Fines for Breach
Data subjects can claim damages directly from SaaS suppliers (as data processors) who:
- Breach the obligations under the GDPR that apply specifically to data processors; or
- Act outside of, or contrary to, the lawful instructions of a SaaS customer (the data controller).
In addition, data protection authorities can fine SaaS suppliers or SaaS customers up to 4% of annual global turnover or 20m Euros (whichever is higher) for breaches of the GDPR.
Preparing for Change
To ensure compliance with the new obligations placed on SaaS suppliers (data processors) under the GDPR, SaaS suppliers should take the following steps:
- Review existing data protection policies and procedures for compliance with the GDPR;
- Adapt existing privacy, security and data breach policies to comply with the new rules before the 25th of May 2018;
- Create a written data processing agreement which reflects the above policies and which is compliant with the GDPR;
- Review existing SaaS agreements to check limitations on liabilities and indemnities for data protection breaches;
- Identify any subcontractors and subsidiaries who process personal data;
- Audit compliance of subcontractors and subsidiaries with new policies and procedures; and
- Add written data processing agreements to all existing agreements with SaaS customers, subcontractors and subsidiaries.
Help
Irene Bodle is an IT lawyer specialising in SaaS, with over 15 years' experience in dealing with SaaS, cloud computing and IT law issues. If you require assistance with any SaaS agreements, cloud computing concerns or any other IT legal issues please contact me at:
irene.bodle@bodlelaw.com
www.bodlelaw.com
______________________________________________________
Other related articles:
- SaaS Agreements – GDPR – Data Processing Agreement
- SaaS Agreements – GDPR – The General Data Protection Regulation
- SaaS Agreements – GDPR – UK Data Protection Act 2018
- SaaS Agreements – Data Protection – New Obligations for SaaS Suppliers
- SaaS Agreements – Data Protection – New Obligations for SaaS Customers
- SaaS Agreements – Data Protection – SaaS, Brexit and the GDPR
- SaaS Agreements – Legal Implications of a Brexit
- SaaS Agreements – Data Protection – Amending EU Model Clauses
- SaaS Agreements – FAQs – Personal Data
- SaaS Agreements – FAQs – What is SaaS and Essential Terms to include in a SaaS Agreement
- SaaS Agreements – FAQs – What is a SLA and Essential Terms to Include in a SLA
- SaaS Agreements – Essential Elements
- SaaS Agreements – Essential Elements – SLAs Explained
- SaaS Agreements – Data Protection – Which Law Applies
- SaaS Agreements – Data Protection – Privacy Shield Update
- SaaS Agreements – Data Protection – Microsoft Irish Data Centre Decision
- SaaS Agreements – Data Protection – Transfer of Data Outside the EEA
- SaaS Agreements – Data Protection – Russian Data Centres