SaaS suppliers and SaaS customers currently have to comply with complicated rules and include onerous obligations in their SaaS agreements, data processing agreements and data privacy practices to lawfully make restricted transfers of personal data when proving SaaS services. Before making any restricted transfers of personal data, SaaS suppliers must ensure that the specific safeguards required under the UK GDPR and the EU GDPR are in place.
Continue readingTag: DPA
SaaS Agreements – Data Protection – Does your DPA and Sub-Processor List need updating?
Meta were fined 1.2 billion Euros for breaches of EU data protection law and for transferring personal data of EU users to the US despite, using standard contractual clauses, (SCCs), having in place supplemental measures and carrying out data transfer impact assessments, (DTIAs). Google has also been pursued in various EU member states for similar breaches.
In light of these decisions, SaaS suppliers should review their own data protection practices and documentation to ensure that they are up to date and comply with the current rules.
Continue readingSaaS Agreements – Data Protection – New EU Standard Contractual Clauses Published
On the 4th of June 2021 the EU Commission announced the adoption of new Standard Contractual Clauses (new SCCs). The new SCCs must be used by all SaaS suppliers and SaaS customers who transfer personal data to countries outside the EU/EEA (third countries) once the current SCCs are repealed.
Continue readingSaaS Agreements – FAQs – Data Processor
It is important for a SaaS supplier to understand the legal obligations imposed upon them as a data processor when negotiating a SaaS agreement and a data processing agreement (“DPA“) as the duties of a data processor are not the same as the duties of a data controller. In a
Continue readingSaaS Agreements – Data Protection – Anonymising Data
Many SaaS suppliers use personal data, collected on behalf of SaaS customers, in an anonymised form for their own purposes, such as benchmarking. The UK Information Commissioner’s Office (ICO) Anonymisation Code and more recently the Article 29 Working Party’s Opinion on Anonymisation provide guidance on how to check that personal data is actually anonymous.
If you are a SaaS provider using anonymised personal data you should comply with the recommendations in these two guides, to ensure that you are properly anonymising data, otherwise you could be found to be using personal data in breach of the DPA.
Continue readingSaaS Agreements – Confidential Information – FOIA and SARs
SaaS suppliers are increasingly dealing with subject access requests (SARs) and freedom of information requests (FOIAs) in relation to SaaS customers. Excessive time and costs can be spent dealing with such requests, unless a SaaS supplier’s obligation to comply with or assist a SaaS customer with such requests is clearly defined in the terms of the SaaS agreement.
Continue readingSaaS Agreements – Hosting – Encryption of Stored Data
Under the Data Protection Act (DPA), SaaS customers are required to take “appropriate technical and organisational measures” to prevent the unauthorised or unlawful processing of personal data and accidental loss or destruction of, or damage to, personal data. SaaS providers who process personal data on behalf of SaaS customers are required to include such obligations in their SaaS agreement (or SLA).
Continue reading