The General Data Protection Regulation (“GDPR”) and the new Data Protection Act 2018 (“DPA”) now apply in the UK. SaaS suppliers and SaaS customers must comply with the terms of both the GDPR and the DPA. SaaS suppliers and SaaS customers should be aware that the GDPR does not fully harmonise data protection law throughout Europe, as each EU country may introduce its own requirements in certain instances (“derogations”). SaaS suppliers and SaaS customers who operate in, or collect or process personal data from persons located in, different EU countries need to be aware of the different rules in each EU country.
EU model clauses are standard data processing agreements that have been approved by the EU Commission as providing adequate protection. There are currently two sets of standard contractual clauses for transfers of personal data between data controllers and one set for transfers between a data controller and a data processor. EU model clauses must be used unamended (other than where specific details may be added, as set out in the notes to the clauses).
Where personal data is transferred from:
a data controller in the EU (SaaS customer) to a data processor outside of the EEA (SaaS supplier); or
a SaaS supplier within the EU to a sub-processor located outside of the EEA;
the SaaS supplier will need to enter into EU model clauses with the SaaS customer or SaaS sub-processor, as applicable.
Many SaaS suppliers use personal data, collected on behalf of SaaS customers, in an anonymised form for their own purposes, such as benchmarking. The UK Information Commissioner’s Office (ICO) Anonymisation Code and more recently the Article 29 Working Party’s Opinion on Anonymisation provide guidance on how to check that personal data is actually anonymous.
If you are a SaaS provider using anonymised personal data you should comply with the recommendations in these two guides, to ensure that you are properly anonymising data, otherwise you could be found to be using personal data in breach of the DPA.
SaaS suppliers are increasingly dealing with subject access requests (SARs) and freedom of information requests (FOIAs) in relation to SaaS customers. Excessive time and costs can be spent dealing with such requests, unless a SaaS supplier’s obligation to comply with or assist a SaaS customer with such requests is clearly defined in the terms of the SaaS agreement.
Under the Data Protection Act (DPA), SaaS customers are required to take “appropriate technical and organisational measures” to prevent the unauthorised or unlawful processing of personal data and accidental loss or destruction of, or damage to, personal data. SaaS providers who process personal data on behalf of SaaS customers are required to include such obligations in their SaaS agreement (or SLA).
Due to a recent resolution issued by the German data protection authorities, additional due diligence is now required if German customer data is being exported to a US data centre.