SaaS suppliers and SaaS customers can only lawfully transfer personal data to sub-processors located outside of the UK, Switzerland or the EEA, (make a restricted transfer) if a recognized transfer mechanism is in place to protect the personal data being transferred.
Continue readingTag: BCRs
SaaS Agreements – FAQs – Restricted Transfers
Restricted transfers are a type of international data transfer to which special rules apply. SaaS suppliers and SaaS customers are responsible for complying with the relevant rules when making or permitting restricted transfers of personal data to their suppliers, customers, sub-processors, group companies and partners.
What is an international data transfer?
An international data transfer occurs when personal data is sent or transmitted from one country to another.
This includes:
Continue readingSaaS Agreements – FAQs – Transfer Mechanisms
Below is a summary of the transfer mechanisms that can be relied upon to make a lawful transfer of UK, Swiss or EEA personal data to a country outside of the UK, Switzerland or the EEA.
Adequacy is granted when a recipient country is deemed to have data protection laws and practices similar to those of the sending country.
Continue readingSaaS Agreements – Data Protection – Restricted Transfers
SaaS suppliers and SaaS customers currently have to comply with complicated rules and include onerous obligations in their SaaS agreements, data processing agreements and data privacy practices to lawfully make restricted transfers of personal data when proving SaaS services. Before making any restricted transfers of personal data, SaaS suppliers must ensure that the specific safeguards required under the UK GDPR and the EU GDPR are in place.
Continue readingSaaS Agreements – FAQs – EU Standard Contractual Clauses
When entering into a SaaS agreement with a SaaS customer a SaaS supplier will often need to transfer customer data that contains EU personal data outside of the EEA. This could be at the request of a SaaS customer or more usually because the SaaS supplier uses a sub-contractor located outside of the EEA to provide part of the services on its behalf (as a sub-processor). For example: a data centre, online customer support centre or email service provider provided by a company located in the USA.
SaaS suppliers and SaaS customers must use EU standard contractual clauses in order to comply with their duties under the GDPR when making such restricted transfers of EU personal data.
SaaS Agreements – Data Protection – Privacy Shield Approved
EU data protection law prohibits SaaS suppliers and SaaS customers from transferring personal data to countries or territories outside the EEA unless they are considered to provide adequate protection. Below is a summary of the current position following the recent announcement that the EU-US Privacy Shield has been adopted by the EU Commission and will now replace Safe Harbor.
Continue readingSaaS Agreements – Data Protection – EU US Privacy Shield
A new privacy agreement called the Privacy Shield has been agreed by the US and EU to replace the safe harbour scheme. The Privacy Shield is based upon safe harbour but has additional protections, particularly with regard to public authority access to personal data. The Privacy Shield must now be reviewed by the European Commission before it can be relied upon and adopted by SaaS suppliers or customers. The European Commission is currently assessing whether or not the Privacy Shield provides adequate protection in accordance with EU data protection laws. This process is expected to take up to 3 months.
Continue readingSaaS Agreements – Data Protection – Changes to BCRs
The Article 29 Working Party, which represents the European data protection authorities (DPAs), recently announced that data processors (i.e. SaaS suppliers) can now use binding corporate rules (BCRs) to transfer personal data outside the European Economic Area (EEA). Previously the use of BCRs was limited to data controllers (i.e. SaaS customers).
Continue reading