The Information Commissioner’s Office (ICO) has started to issue very high fines to a number of companies and individuals, not just for serious breaches of the Data Protection Act (DPA), but also for breaches of the Privacy and Electronic Communications Regulations (PECR). Below is a summary of the recent fines and the reasons for them being imposed.
Continue readingTag: data protection
SaaS Agreements – Data Protection – German Customers and Data Processing Agreements
If you are negotiating sales of SaaS solutions with German customers, you may be surprised by their insistence on having a separate written data processing agreement in addition to your SaaS agreement. This is a mandatory requirement under German data protection law (The BDSG) which imposes onerous obligations far beyond those found in most other EU data protection laws on the SaaS customer and the SaaS supplier.
Continue readingSaaS Agreements – Terms and Conditions – Subcontractors and Outsourcing
The terms of your SaaS agreement must include the right to use sub-contractors as 99% of SaaS suppliers use at least one sub-contractor – a third party data centre – to host their SaaS software. SaaS customers often try to prohibit the use of sub-contractors or place severe restrictions on their use by insisting that they must give prior consent to each sub-contractor. This is not acceptable for practical reasons as often numerous sub-contractors are used in providing the SaaS services and these sub-contractors will change over time.
Continue readingWebsite Legal Requirements – Privacy Policy – Basics for your Website
If you are operating a website and require users to register in order to use your website or you are simply using Google analytics on your website then you are collecting and processing personal data. Under the Data Protection Act 1998, if you collect, store or process personal data you must provide specific information to the persons whose personal data you are using. This information is usually provided to users in a privacy policy which should be published on your website.
Continue readingSaaS Agreements – Data Protection – Policies and Procedures
SaaS suppliers must have adequate data protection policies, procedures and checks in place when employees or third parties are handling SaaS customer data or face the risk of being heavily fined by the Information Commissioner’s Office (ICO) for breaches of the Data Protection Act 1998 (DPA).
Continue readingSaaS Agreements – Data Protection – Customer Privacy Policy
SaaS Customers often ask or expect SaaS supplier’s to provide them with a privacy policy for use in conjunction with their SaaS products. SaaS suppliers should firmly refuse such requests. Firstly, as they could face liability claims from the customer if the privacy policy is in appropriate and secondly while you will have no adequate knowledge of the issues set out below, which will need to be covered in the privacy policy.
Continue readingSaaS Agreements – Data Protection – Anonymising Data
Often SaaS suppliers or SaaS customers anonymise personal data for use in statistical or marketing information but are unaware that by using such anonymised data they could be breaching the Data Protection Act 1998 (DPA). The Information Commissioner’s Office (ICO) has recently confirmed that anonymised personal data may be disclosed without the consent of the data subject, provided that the anonymised data when linked with other information will not lead to the identification of an individual.
Continue readingSaaS Agreements – Data Protection – New Proposed EU Rules – Part 2
On the 25th of January 2012 the European Commission published a proposal for a new Data Protection Regulation to replace the existing EU Data Protection Directive. The proposal sets out a general data protection framework aimed at unifying the current differing data protection rules in the EU. Following on from my first article – part 1, I have summarised the remainder of the major changes this will make to EU data protection law below.
Continue readingSaaS Agreements – Data Protection – New Proposed EU Rules – Part 1
On the 25th of January 2012 the European Commission published a proposal for a new Data Protection Regulation to replace the existing EU Data Protection Directive. The proposal sets out a general data protection framework aimed at unifying the current differing data protection rules in the EU. I have summarised the major changes this will make to EU data protection law in two articles, part 1 of which is set out below.
Continue readingSaaS Agreements – Data Protection – Data Stored in the USA
SaaS suppliers who use data centres physically located in the USA to store or process data should be aware of a recent US Court of Appeals ruling that the Electronic Communications Privacy Act (ECPA) – an American law – protects the data of non-USA citizens when their data is stored on servers in the USA.
Continue reading