On the 16th of July 2020 the EU-US Privacy Shield was ruled invalid with immediate effect by the European Court of (“CJEU”). The steps that SaaS suppliers now need to take depend on the scale and type of international data flows and the transfer mechanisms used. If you rely solely upon the EU-US Privacy Shield for transfers to the US, you must replace the Privacy Shield with the EU Commission’s Standard Contractual Clauses (“SCCs”).Continue reading
EU model clauses are standard data processing agreements that have been approved by the EU Commission as providing adequate protection. There are currently two sets of standard contractual clauses for transfers of personal data between data controllers and one set for transfers between a data controller and a data processor. EU model clauses must be used unamended (other than where specific details may be added, as set out in the notes to the clauses).
Where personal data is transferred from:
a data controller in the EU (SaaS customer) to a data processor outside of the EEA (SaaS supplier); or
a SaaS supplier within the EU to a sub-processor located outside of the EEA;
the SaaS supplier will need to enter into EU model clauses with the SaaS customer or SaaS sub-processor, as applicable.Continue reading
The Article 29 Working Party, which represents the European data protection authorities (DPAs), recently announced that data processors (i.e. SaaS suppliers) can now use binding corporate rules (BCRs) to transfer personal data outside the European Economic Area (EEA). Previously the use of BCRs was limited to data controllers (i.e. SaaS customers).Continue reading
What are Binding Corporate Rules?
BCR’s are a set of rules adopted within a particular company or corporate group that provide legally binding protections for data processing within the company or group to cover global data transfers.Continue reading
Due to a recent resolution issued by the German data protection authorities, additional due diligence is now required if German customer data is being exported to a US data centre.Continue reading
There are no restrictions on transferring personal data within the EEA. However, due to the global nature of SaaS or ASP agreements personal data often needs to be transferred outside of the EEA, for example to an IT outsourcing provider in India, a subsidiary of your company in China or a data centre or software development centre in Vietnam.Continue reading