SaaS Agreements – Data Protection – Brexit and the GDPR

SaaS suppliers and customers must currently comply with the terms of the Data Protection Act 1998 (DPA) which governs data protection law in the UK. SaaS suppliers and SaaS customers should be aware that from the 25th of May 2018, the General Data Protection Regulation (GDPR) will apply directly in all Member States of the European Union (EU). Currently the UK is a Member State of the EU and even if the UK gives the European Council notice of its intention to leave the EU, it has 2 years in which to negotiate the terms of a “Brexit”. It is therefore likely that the UK will still be part of the EU on the 25th of May 2018

Continue reading

SaaS Agreements – FAQs – EU Standard Contractual Clauses

EU model clauses are standard data processing agreements that have been approved by the EU Commission as providing adequate protection. There are currently two sets of standard contractual clauses for transfers of personal data between data controllers and one set for transfers between a data controller and a data processor. EU model clauses must be used unamended (other than where specific details may be added, as set out in the notes to the clauses).

Where personal data is transferred from:

a data controller in the EU (SaaS customer) to a data processor outside of the EEA (SaaS supplier); or
a SaaS supplier within the EU to a sub-processor located outside of the EEA;

the SaaS supplier will need to enter into EU model clauses with the SaaS customer or SaaS sub-processor, as applicable.

Continue reading

SaaS Agreements – Data Protection – General Data Protection Regulation (GDPR)

At the end of 2015 the European Commission published the test of the new Data Protection Regulation (“GDPR”) which will replace the existing EU Data Protection Directive and harmonise European data protection law. The GDPR is expected to be adopted in Spring 2016. Once adopted, the GDPR will come into force within 2 years and in the UK the GDPR will replace the Data Protection Act 1998. This will have a significant effect on both SaaS suppliers and SaaS customers.

Continue reading

SaaS Agreements – Data Protection – Anonymising Data

Many SaaS suppliers use personal data, collected on behalf of SaaS customers, in an anonymised form for their own purposes, such as benchmarking. The UK Information Commissioner’s Office (ICO) Anonymisation Code and more recently the Article 29 Working Party’s Opinion on Anonymisation provide guidance on how to check that personal data is actually anonymous.

If you are a SaaS provider using anonymised personal data you should comply with the recommendations in these two guides, to ensure that you are properly anonymising data, otherwise you could be found to be using personal data in breach of the DPA.

Continue reading

SaaS Agreements – Data Protection – Which law applies?

UK SaaS suppliers who provide cloud computing services to SaaS customers located outside of the UK are increasingly being required to comply not just with UK data protection law, but also the data protection laws of the countries in which the SaaS customer and its clients are based. This increasingly creates problems for SaaS suppliers, as data protection laws generally assume that data is stored/processed in one place. However when operating in the cloud data is often moved between jurisdictions and often it may be unclear exactly where data is being stored or processed and who is storing and processing it.

Two recent cases against Facebook and Google show the extent of this developing problem.

Continue reading

SaaS Agreements – Data Protection – Microsoft must disclose data on EU server

Many SaaS customers falsely believe that if their SaaS data is stored in a data centre located in the EU it will be protected against disclosure to the US authorities. This is incorrect. The recent US court ruling against Microsoft has confirmed the position, namely that SaaS suppliers and SaaS customers who use data centres located in the EU, owned by US companies, cannot prevent US authorities from accessing their data.

Continue reading

SaaS Agreements – Data Protection – BYOD

Employees are increasingly using their privately owned devices (i.e. Ipads, tablets, mobile phones and laptops) for business purposes and may be accessing SaaS customer data using them. SaaS suppliers who allow staff to use such “bring your own devices” (BYOD) for work purposes should be aware of their duties to protect any SaaS customer personal data being accessed by staff using such BYODs.

Continue reading