SaaS, ASP Agreements – Transfer of Personal Data outside of the EEA

There are no restrictions on transferring personal data within the EEA.  However, due to the global nature of SaaS agreements personal data often needs to be  transferred outside of the EEA, for example to an IT outsourcing provider in India, a subsidiary of your company in China or a data centre or software development centre in Vietnam.

Restrictions on Export of Data Outside of the EEA

Under the Data Protection Act 2018 and the GDPR before any personal data may be exported to any country outside of the EEA, you must ensure that there are adequate levels of protection in place. The European Economic Area consists of the 28 EU member states plus Norway, Iceland and Liechtenstein. There are four ways in which adequate levels of protection can be achieved:

  • consent
  • equivalent protection/ safe harbor
  • use of the EU model contract clauses
  • binding corporate rules


The easiest method of compliance is to obtain specific consent from the data subject before the transfer takes place. If the data subject consents to the transfer, you will comply with the Data Protection Act and the GDPR. Consent is usually obtained by having a data subject agree to the transfer of its personal data outside of the EEA and full details about the transfer itself should be set out in your privacy policy.

Equivalent Protection and Safe Harbor

Alternatively, the transfer is permitted if the non-EEA country to which the personal data is being transferred has equivalent data protection legislation. Currently only Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and Japan are recognised as having adequate protection. Certain companies in the USA are also recognised under the EU-US Privacy Shield, provided that the company to which the personal data is being transferred has an up to date Privacy Shield registration.

EU Model Clauses

The European Commission has issued its own model clauses to cover transfers of personal data outside of the EEA. If these model clauses  are used in the SaaS agreement with the data subject and the agreement with the third party IT outsourcer, data centre or software developer to whom the data is being transferred, there will be adequate protection. However, these clauses are not ideal due to the different legal responsibilities of the data processor and the data controller which still remain unclear in the situation where there is a sub-processor.

Binding Corporate Rules

BCRs are designed to cover transfers of personal data within multi-national companies where they have subsidiaries based in many countries. These rules only permit the inter-company transfer of personal data and do not cover transfers to third parties such as IT outsourcing providers or data centres. To date very few companies have adopted binding corporate rules due to the expense and time it takes for the rules to be recognised within the EU.


For assistance with transfers of personal data within or outside the EEA, SaaS, ASP, software on demand contract  or any other IT legal issues contact:

To register for my newsletter click here


Other related articles: