Using a sub-contractor to process your SaaS customer data is a problem under data protection law where the sub-processor is based outside of the European Economic Area (EEA). Incorporating EU standard contractual clauses into your SaaS agreement is NOT the solution to this common problem.
EU Standard Contractual Clauses
Under data protection law, personal data may only be transferred to countries outside of the EEA where there is adequate protection. The EU drafted standard contractual clauses to deal with transfers of personal data from a customer (data controller) in the EEA, e.g. in the UK, to a SaaS supplier (data processor) outside of the EEA, e.g. a SaaS supplier in Asia. When such clauses are included in a SaaS agreement, the requirement to provide adequate protection for the data being transferred will be met.
New EU Standard Contractual Clauses
In July 2010 the EU Standard Contractual Clauses were amended to cover the position where personal data is transferred from a data controller in the EEA (customer) to a data processor outside of the EEA (supplier) and is then transferred on to a sub-processor located outside of the EEA.
This is a common scenario in a SaaS agreement where a customer based in the UK is accessing SaaS software provided by a supplier outside of the EEA and the supplier is using a hosting centre or outsourced IT development centre located in India or Asia to process the customer data.
Sub-Processor located outside of the EEA
Despite the above changes to the EU model clauses, where a data processor (supplier) based inside the EEA instructs a sub-processor based outside of the EEA to process a customer’s data, the transfer of data is not covered by the new or old standard contractual clauses. This is a common scenario in SaaS agreements where the customer and supplier are both based in the EEA but the SaaS supplier uses a data centre or IT personnel outside the EEA, e.g. in Asia, to process the customer data.
The transfer of customer data to the sub-processor will not comply with data protection law if the new or old standard contractual clauses are used, and an alternative solution will need to be found. This will usually take the form of an additional data protection agreement between the relevant parties.
Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years' experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me: