If you are operating a website and require users to register in order to use your website or you are simply using Google analytics on your website then you are collecting and processing personal data. Under the Data Protection Act 1998, if you collect, store or process personal data you must provide specific information to the persons whose personal data you are using. This information is usually provided to users in a privacy policy which should be published on your website.
Continue readingTag: data controller
SaaS Agreements – Data Protection – Policies and Procedures
SaaS suppliers must have adequate data protection policies, procedures and checks in place when employees or third parties are handling SaaS customer data or face the risk of being heavily fined by the Information Commissioner’s Office (ICO) for breaches of the Data Protection Act 1998 (DPA).
Continue readingSaaS Agreements – Data Protection – Customer Privacy Policy
SaaS Customers often ask or expect SaaS supplier’s to provide them with a privacy policy for use in conjunction with their SaaS products. SaaS suppliers should firmly refuse such requests. Firstly, as they could face liability claims from the customer if the privacy policy is in appropriate and secondly while you will have no adequate knowledge of the issues set out below, which will need to be covered in the privacy policy.
Continue readingSaaS Agreements – Data Protection – Anonymising Data
Often SaaS suppliers or SaaS customers anonymise personal data for use in statistical or marketing information but are unaware that by using such anonymised data they could be breaching the Data Protection Act 1998 (DPA). The Information Commissioner’s Office (ICO) has recently confirmed that anonymised personal data may be disclosed without the consent of the data subject, provided that the anonymised data when linked with other information will not lead to the identification of an individual.
Continue readingSaaS Agreements – Data Protection – New Proposed EU Rules – Part 2
On the 25th of January 2012 the European Commission published a proposal for a new Data Protection Regulation to replace the existing EU Data Protection Directive. The proposal sets out a general data protection framework aimed at unifying the current differing data protection rules in the EU. Following on from my first article – part 1, I have summarised the remainder of the major changes this will make to EU data protection law below.
Continue readingSaaS Agreements – Data Protection – New Proposed EU Rules – Part 1
On the 25th of January 2012 the European Commission published a proposal for a new Data Protection Regulation to replace the existing EU Data Protection Directive. The proposal sets out a general data protection framework aimed at unifying the current differing data protection rules in the EU. I have summarised the major changes this will make to EU data protection law in two articles, part 1 of which is set out below.
Continue readingSaaS Agreements – Data Protection – Binding Corporate Rules
What are Binding Corporate Rules?
BCR’s are a set of rules adopted within a particular company or corporate group that provide legally binding protections for data processing within the company or group to cover global data transfers.
Continue readingWebsite Legal Requirements – Data Commissioner Fines for Unsolicited E-mails
As a result of an amendment to the Privacy and Electronic Communications Regulations 2003 (PECR), from the 25th of May 2011 the Information Commissioner’s Office (ICO) will have the power to impose fines of up to £500,000 on companies, if they send unwanted marketing e-mails or text messages to consumers.
Continue readingSaaS Agreements – Data Protection – Further Fines by Data Commissioner
On the 8th of February 2011 Ealing and Hounslow Councils were fined £80,000 and £70,000 respectively by the Data Commissioner for serious breaches of the Data Protection Act (DPA) following the theft of two laptops from the house of an employee of Ealing Council.
Continue readingSaaS, ASP Agreements – Data Protection Issues with Sub-contractors – Standard Contractual Clauses
Using a sub-contractor to process your SaaS customer data is a problem under data protection law, where the sub-processor is based outside of the European Economic Area (EEA). Incorporating EU standard contractual clauses into your SaaS agreement is NOT the solution to this common problem. EU Standard Contractual Clauses Under
Continue reading