EU data protection law prohibits SaaS suppliers and SaaS customers from transferring personal data to countries or territories outside the EEA unless they are considered to provide adequate protection. Below is a summary of the current position following the recent announcement that the EU-US Privacy Shield has been adopted by the EU Commission and will now replace Safe Harbor.
SaaS suppliers and customers must currently comply with the terms of the Data Protection Act 1998 (DPA), which governs data protection law in the UK. SaaS suppliers and SaaS customers should be aware that from the 25th of May 2018, the General Data Protection Regulation (GDPR) will apply directly in all Member States of the European Union (EU). Currently the UK is a Member State of the EU, and even if the UK gives the European Council notice of its intention to leave the EU, it has 2 years in which to negotiate the terms of a “Brexit”. It is therefore likely that the UK will still be part of the EU on the 25th of May 2018.
EU model clauses are standard data processing agreements that have been approved by the EU Commission as providing adequate protection. There are currently two sets of standard contractual clauses for transfers of personal data between data controllers and one set for transfers between a data controller and a data processor. EU model clauses must be used unamended (other than where specific details may be added, as set out in the notes to the clauses).
Where personal data is transferred from:
a data controller in the EU (SaaS customer) to a data processor outside of the EEA (SaaS supplier); or
a SaaS supplier within the EU to a sub-processor located outside of the EEA;
the SaaS supplier will need to enter into EU model clauses with the SaaS customer or SaaS sub-processor, as applicable.
At the end of 2015 the European Commission published the text of the new Data Protection Regulation (“GDPR”), which will replace the existing EU Data Protection Directive and harmonise European data protection law. The GDPR is expected to be adopted in Spring 2016. Once adopted, the GDPR will come into force within 2 years, and in the UK the GDPR will replace the Data Protection Act 1998. This will have a significant effect on both SaaS suppliers and SaaS customers.
In September 2013 the Information Commissioner’s Office (ICO) published a lengthy guide to Direct Marketing. The guide covers compliance with the Data Protection Act 1998 (DPA) and the Privacy and Electronic Communications Regulations 2003 (PECR) in relation to the sending of unsolicited marketing. SaaS suppliers who are sending unsolicited marketing
SaaS suppliers who will be processing personal data of Russian citizens on behalf of SaaS customers need to be aware of amendments to the Russian Federal Law on Personal Data. From the 1st of September 2015 changes to this Russian law may prohibit foreign SaaS suppliers from processing personal data of Russian citizens on servers located outside of Russia.
Many SaaS suppliers use personal data, collected on behalf of SaaS customers, in an anonymised form for their own purposes, such as benchmarking. The UK Information Commissioner’s Office (ICO) Anonymisation Code and more recently the Article 29 Working Party’s Opinion on Anonymisation provide guidance on how to check that personal data is actually anonymous.
If you are a SaaS provider using anonymised personal data you should comply with the recommendations in these two guides, to ensure that you are properly anonymising data; otherwise you could be found to be using personal data in breach of the DPA.
UK SaaS suppliers who provide cloud computing services to SaaS customers located outside of the UK are increasingly being required to comply not just with UK data protection law, but also with the data protection laws of the countries in which the SaaS customer and its clients are based. This increasingly creates problems for SaaS suppliers, as data protection laws generally assume that data is stored and processed in one place. However, when operating in the cloud, data is often moved between jurisdictions, and it may be unclear exactly where data is being stored or processed and who is storing and processing it.
Two recent cases against Facebook and Google show the extent of this developing problem.
Many SaaS customers falsely believe that if their SaaS data is stored in a data centre located in the EU it will be protected against disclosure to the US authorities. This is incorrect. The recent US court ruling against Microsoft has confirmed the position, namely that SaaS suppliers and SaaS customers who use data centres located in the EU, owned by US companies, cannot prevent US authorities from accessing their data.
Employees are increasingly using their privately owned devices (e.g. iPads, tablets, mobile phones and laptops) for business purposes and may be accessing SaaS customer data using them. SaaS suppliers who allow staff to use such “bring your own devices” (BYOD) for work purposes should be aware of their duties to protect any SaaS customer personal data being accessed by staff using such BYODs.