SaaS Agreements – Data Protection: UK-US Data Bridge

On Friday the 22nd of September the UK agreed its own transfer mechanism which can be used instead of UK standard contractual clauses.

From the 12 October 2023, SaaS Suppliers and SaaS Customers can start to transfer UK personal data to entities located in the USA provided that the US entity is certified under the new “UK Extension to the EU-US Data Privacy Framework” (UK-US Data Bridge).

This now means that all transfers of UK personal data made to US companies certified under the UK-US Data Bridge by SaaS companies will be deemed to be to a third country that has adequate data protection laws.

Once a US organisation has been certified and is publicly placed on the DPF List they can receive EU personal data through the DPF.

Continue reading

SaaS Agreements – Data Protection: EU-US Data Privacy Framework (DPF)

In July 2023 the EU-US Data Privacy Framework, (DPF) was finally agreed between the EU and the USA. The DPF now provides a new transfer mechanism for SaaS suppliers and SaaS customers to use when transferring EU personal data to the USA. The DPF can be used instead of EU standard contractual clauses.

This means that all transfers of EU personal data made to US companies certified under the DPF by SaaS companies will be deemed to be to a third country that has adequate data protection laws.

Continue reading

SaaS Agreements – Data Protection – Restricted Transfers

SaaS suppliers and SaaS customers currently have to comply with complicated rules and include onerous obligations in their SaaS agreements, data processing agreements and data privacy practices to lawfully make restricted transfers of personal data when proving SaaS services. Before making any restricted transfers of personal data, SaaS suppliers must ensure that the specific safeguards required under the UK GDPR and the EU GDPR are in place.

Continue reading

SaaS Agreements: EU-US Adequacy Decision – Update

Following the Schrems II judgment, the EU-US Privacy Shield was declared invalid, meaning that SaaS suppliers and SaaS customers have to use standard contractual clauses (SCS) or BCRs when making transfers of EEA (or UK) personal data to the USA. In addition, SaaS customers and SaaS suppliers are required to carry out a data transfer impact assessment (DTIA) prior to transferring any personal data from the EEA or UK to a “third country” i.e. the USA.

Continue reading