SaaS Agreements – GDPR – Data Processing Agreement

Since the General Data Protection Regulation (GDPR) came into force on the 25th of May 2018, SaaS suppliers and SaaS customers are legally obliged to include a written data processing agreement (DPA) in the terms of their SaaS agreements. The DPA usually forms a schedule to the SaaS agreement and must include the specific and detailed mandatory obligations set out in the GDPR. SaaS suppliers should use their own DPA and resist any attempt by a SaaS customer to have them sign up to the SaaS customer’s DPA for the following reasons.

Continue reading

SaaS Agreements – Terms and Conditions – Data Processing Agreement

Under the Data Protection Act 1998 (DPA) UK SaaS suppliers currently have limited obligations to SaaS customers when processing personal data as part of their SaaS services. However, from the 25th of May 2018 the General Data Protection Regulation (GDPR) will impose numerous new data processing obligations on SaaS suppliers. In particular, the obligation for SaaS suppliers to enter into a written data processing agreement with SaaS customers and sub-contractors.

Continue reading

SaaS Agreements – Data Protection – Amending EU Model Clauses

SaaS suppliers and SaaS customers are increasingly relying upon the use of EU model clauses to enable them to lawfully export personal data outside of the EEA following the invalidity of Safe Harbor in 2016 and the current implementation of the EU-US Privacy Shield (which replaces Safe Harbor). SaaS customers often try to amend the terms of the EU model clauses when negotiating the SaaS agreement with the SaaS supplier. This can result in the EU model clauses being invalid as they do not provide adequate protection for the data transfer.

SaaS suppliers should therefore be aware of the risks of agreeing to any changes to EU model clause and know which changes are, and are not, permitted to ensure that they are not in breach of data protection laws.

Continue reading

SaaS Agreements – Data Protection – Anonymising Data

Many SaaS suppliers use personal data, collected on behalf of SaaS customers, in an anonymised form for their own purposes, such as benchmarking. The UK Information Commissioner’s Office (ICO) Anonymisation Code and more recently the Article 29 Working Party’s Opinion on Anonymisation provide guidance on how to check that personal data is actually anonymous.

If you are a SaaS provider using anonymised personal data you should comply with the recommendations in these two guides, to ensure that you are properly anonymising data, otherwise you could be found to be using personal data in breach of the DPA.

Continue reading

SaaS Agreements – Terms and Conditions – Risk Assessment

SaaS customers often complain that the security provisions in SaaS agreements are inadequate and lack transparency. Following a risk assessment, often using external auditors and regulators, SaaS customers often ask SaaS suppliers to add numerous additional terms and warranties to their SaaS terms. By including the security provisions set out below in your standard SaaS agreement, SaaS suppliers can avoid having more rigorous provisions imposed upon them.

Continue reading

SaaS Agreements – Terms and Conditions – Safe Harbor Adequacy

European data protection authorities have recently raised serious reservations about the effectiveness of the safe harbour scheme and its ability to adequately protect SaaS customer data to the same standard as European data protection laws. If you are a SaaS supplier and are considering/or are already using a company located in the US to provide part of your SaaS services i.e. for hosting, you should be aware of the existence and limitations of the safe harbor scheme.

Continue reading

SaaS Agreements – Data Protection – German Customers and Data Processing Agreements

If you are negotiating sales of SaaS solutions with German customers, you may be surprised by their insistence on having a separate written data processing agreement in addition to your SaaS agreement. This is a mandatory requirement under German data protection law (The BDSG) which imposes onerous obligations far beyond those found in most other EU data protection laws on the SaaS customer and the SaaS supplier.

Continue reading
Bodle Law