SaaS and the legal cloud made simple
Below, I have set out the main legal requirements (including some optional recommendations) that you should comply with when operating your website in the UK. Even if you do not sell SaaS products or services online via your website, you will still need to comply with the following English laws when operating a website in the UK.
Mandatory Requirements
About Us/Contact Information
Continue readingRecently, the Department of Commerce’s International Trade Administration (ITA) – a US government body – published a document confirming that any SaaS suppliers based in the US (and/or SaaS suppliers using a data centre located in the US) who are “safe harbor” registered must be recognised as having an “adequate” level of data protection. The ITA rejected the view that EU data protection authorities can unilaterally refuse to recognise safe harbor certification as a valid means of demonstrating that a SaaS supplier based in the US (and/or SaaS suppliers using a data centre located in the US) has an adequate level of data protection.
Continue readingSLA is the common abbreviation used for a service level agreement. When providing SaaS services to customers you need to include a SLA in your SaaS agreement, either as part of the main terms of your SaaS agreement or in a specific SLA schedule. A SLA should set out the following support and maintenance services that you will provide to customers to ensure that the SaaS software is made properly available to them.
Continue readingSaaS suppliers who use US public cloud providers to store, process or host their SaaS customer’s data as part of their SaaS services may now experience customers raising concerns about the risk of disclosure to, and monitoring of, their data by the US government under the Foreign Intelligence Amendments Act (FISA).
Continue readingIf your are a SaaS supplier or SaaS customer you should be aware of the provisions of the Bribery Act when negotiating the terms of a SaaS agreement. The Bribery Act 2010 (“Act”) has been in force since July 2011. It aims to distinguish between hospitality (which is permitted) and bribes which are illegal. A breach of the Act can result in an unlimited fine and a maximum prison sentence of 10 years.
Continue readingSaaS Customers are increasingly raising questions about the security provisions that SaaS suppliers include in their SaaS agreements and insisting on including onerous rights of audit to monitor and check compliance. Under the UK’s Data Protection Act (DPA) SaaS customers (data controllers) are required to take appropriate technical and organisational measures to prevent the:
unauthorised or unlawful processing of personal data; and
accidental loss, destruction or damage to personal data.
In order to comply with these duties and avoid substantial fines SaaS customers need to ensure that SaaS suppliers have adequate security measures in place to prevent data protection breaches from occurring.
Continue readingSaaS is the abbreviation for “software as a service”. You may know this under another name, for example ASP services (application service provider), software on demand or software subscription. These names all refer to the same thing – software being made available via the Internet to users.
What is a SaaS Agreement?
A SaaS agreement is simply the name used for the agreement between a SaaS supplier and a SaaS customer which sets out the terms under which SaaS software may be accessed. This will usually include a service level agreement (SLA).
Continue readingWhen negotiating a SaaS agreement with SaaS customers you will often need to transfer customer data outside of the EEA (European Economic Area). This could be at the request of your customer or more usually because you have a sub-contractor such as a data centre located outside of the EEA. SaaS suppliers should be aware of the following in order to comply with their duties under the Data Protection Act.
Continue readingThe Article 29 Working Party, which represents the European data protection authorities (DPAs), recently announced that data processors (i.e. SaaS suppliers) can now use binding corporate rules (BCRs) to transfer personal data outside the European Economic Area (EEA). Previously the use of BCRs was limited to data controllers (i.e. SaaS customers).
Continue readingThe Information Commissioner’s Office (ICO) has started to issue very high fines to a number of companies and individuals, not just for serious breaches of the Data Protection Act (DPA), but also for breaches of the Privacy and Electronic Communications Regulations (PECR). Below is a summary of the recent fines and the reasons for them being imposed.
Continue reading