SaaS suppliers and SaaS customers currently have to comply with complicated rules and include onerous obligations in their SaaS agreements, data processing agreements and data privacy practices to lawfully make restricted transfers of personal data when proving SaaS services. Before making any restricted transfers of personal data, SaaS suppliers must ensure that the specific safeguards required under the UK GDPR and the EU GDPR are in place.
Continue readingTag: GDPR
SaaS Agreements – FAQs – EU Standard Contractual Clauses
When entering into a SaaS agreement with a SaaS customer a SaaS supplier will often need to transfer customer data that contains EU personal data outside of the EEA. This could be at the request of a SaaS customer or more usually because the SaaS supplier uses a sub-contractor located outside of the EEA to provide part of the services on its behalf (as a sub-processor). For example: a data centre, online customer support centre or email service provider provided by a company located in the USA.
SaaS suppliers and SaaS customers must use EU standard contractual clauses in order to comply with their duties under the GDPR when making such restricted transfers of EU personal data.
SaaS Agreements – FAQs – Data Processor
It is important for a SaaS supplier to understand the legal obligations imposed upon them as a data processor when negotiating a SaaS agreement and a data processing agreement (“DPA“) as the duties of a data processor are not the same as the duties of a data controller. In a
Continue readingSaaS Agreements – GDPR – Data Processing Agreement
Since the General Data Protection Regulation (GDPR) came into force on the 25th of May 2018, SaaS suppliers and SaaS customers are legally obliged to include a written data processing agreement (DPA) in the terms of their SaaS agreements. The DPA usually forms a schedule to the SaaS agreement and must include the specific and detailed mandatory obligations set out in the GDPR. SaaS suppliers should use their own DPA and resist any attempt by a SaaS customer to have them sign up to the SaaS customer’s DPA for the following reasons.
Continue readingSaaS Agreements – GDPR – Data Protection Act 2018
The UK Data Protection Act 2018 Act came into force on the 25th of May 2018 (“DPA”).
The DPA replaces the Data Protection Act 1998 in its entirety and applies the standards of the General Data Protection Regulation (“GDPR), whilst also attempting to prepare the UK data protection law for Brexit. SaaS customers and SaaS suppliers should familiarise themselves with the terms of the DPA in addition to the provisions of the GDPR – as both apply. The DPA also includes a number of derogations from the GDPR.
Continue readingSaaS Agreements – GDPR – Age of Consent
The General Data Protection Regulation (“GDPR”) and the new Data Protection Act 2018 (“DPA”) now apply in the UK. SaaS suppliers and SaaS customers must comply with the terms of both the GDPR and the DPA. SaaS suppliers and SaaS customers should be aware that the GDPR does not fully harmonise data protection law throughout Europe, as each EU country may introduce their own requirements in certain instances (“derogations”). SaaS suppliers and SaaS customers who operate in, or collect or process personal data from persons located in different EU countries need to be aware of the different rules in each EU country.
Continue readingSaaS Agreements – GDPR – US Companies
From the 25th of May 2018 the EU General Data Protection Regulation (GDPR) will come into force and change existing UK data protection laws. The GDPR does not just apply to SaaS suppliers and SaaS customers located in the EU. The GDPR also applies extraterritorially, i.e. to SaaS suppliers and SaaS customers located outside of the EU, for example in the USA, as set out below.
GDPR Applies to US SaaS Customers and SaaS Suppliers
The GDPR will apply to SaaS suppliers and SaaS customers located in the USA if:
They offer goods or services to SaaS customers located within the EU; or
They monitor the behaviour of EU data subjects;
Even though the SaaS supplier or SaaS Customer is not located within the EU.
Continue readingSaaS Agreements – GDPR – The General Data Protection Regulation
The General Data Protection Regulation (“GDPR”) will replace the existing EU Data Protection Directive and harmonise European data protection law from the 25th of May 2018. In the UK the GDPR will replace the Data Protection Act 1998 from the 25th of May 2018, regardless of “Brexit”. This will have a significant effect on both SaaS suppliers and SaaS customers who will need to comply with the terms of the GDPR. SaaS suppliers and SaaS customers must update all contractual documents that involve data processing, such as SaaS agreements, privacy policies and hosting and support agreements to comply with the new rules under the GDPR before the 25th of May deadline.
Continue readingSaaS Agreements – GDPR – New German Data Protection Law (BDSG)
The General Data Protection Regulation (GDPR) will replace the existing EU Data Protection Directive and aims to harmonise European data protection law from the 25th of May 2018. In Germany, the Government has already amended the existing German Data Protection Act (BDSG) and from the 25th of May 2018 the New German Data Protection Act (New BDSG) and the GDPR will apply together.
Compliance with the New BDSG
Both SaaS suppliers and SaaS customers who provide services to German clients or who collect or process personal data of German data subjects on behalf of international SaaS clients, will need to comply with the terms of the New BDSG in addition to the terms of the GDPR. The New BDSG sets out derogations from certain parts of the GDPR and additional obligations.
Continue readingSaaS Agreements – Data Protection – What SaaS Suppliers need to know about the GDPR
From the 25th of May 2018 the EU General Data Protection Regulation (GDPR) will come into force and change existing data protection laws in all 28 EU member states. The GDPR will place direct obligations on SaaS suppliers (data processors) in relation to data processing activities. In addition customers (data controllers), their clients (data subjects) and local data protection authorities will be able to enforce breaches of the new rules directly against SaaS suppliers.
Continue reading