SaaS Agreements – FAQs – Data Controller

It is important for a SaaS supplier to understand the legal obligations imposed upon a data controller when negotiating a SaaS agreement as the duties of a data controller are not the same as the duties of a data processor. In a SaaS relationship the supplier is always the data processor of the SaaS customer. The SaaS customer is always the data controller. Below is a summary of the obligations of a data controller.

Continue reading

SaaS Agreements – Data Protection – Prism and US Laws

SaaS suppliers should be aware of relevant US laws when outsourcing SaaS services (data storage and hosting) to US companies or companies located in the USA. SaaS customers are becoming increasingly concerned about outsourcing in the USA following media reports about “Prism”. Namely, that the National Security Agency (NSA) accesses personal data stored on the servers of Microsoft, Apple, Google, Yahoo, Facebook and a few other major US public companies. Below is a summary of the most relevant US laws that SaaS suppliers should be aware of.

Continue reading

SaaS Agreements – Data Protection – HIPAA

On January 25th 2013, the US Department of Health and Human Services modified the rules of the Health Insurance Portability and Accountability Act 1996 (“HIPAA”). HIPAA applies to any SaaS suppliers who process protected health information (“PHI”) on behalf of customers to whom the Act applies, regardless of whether or not the SaaS supplier is located in the USA.

Continue reading

SaaS Agreements – Data Protection – Safe Harbor Still Adequate

Recently, the Department of Commerce’s International Trade Administration (ITA) – a US government body – published a document confirming that any SaaS suppliers based in the US (and/or SaaS suppliers using a data centre located in the US) who are “safe harbor” registered must be recognised as having an “adequate” level of data protection. The ITA rejected the view that EU data protection authorities can unilaterally refuse to recognise safe harbor certification as a valid means of demonstrating that a SaaS supplier based in the US (and/or SaaS suppliers using a data centre located in the US) has an adequate level of data protection.

Continue reading

SaaS Agreements – FAQs – Transferring Data Outside the EEA

When negotiating a SaaS agreement with SaaS customers you will often need to transfer customer data outside of the EEA (European Economic Area). This could be at the request of your customer or more usually because you have a sub-contractor such as a data centre located outside of the EEA. SaaS suppliers should be aware of the following in order to comply with their duties under the Data Protection Act.

Continue reading

SaaS Agreements – Data Protection – German Customers and Data Processing Agreements

If you are negotiating sales of SaaS solutions with German customers, you may be surprised by their insistence on having a separate written data processing agreement in addition to your SaaS agreement. This is a mandatory requirement under German data protection law (The BDSG) which imposes onerous obligations far beyond those found in most other EU data protection laws on the SaaS customer and the SaaS supplier.

Continue reading

Website Legal Requirements – Privacy Policy – Basics for your Website

If you are operating a website and require users to register in order to use your website or you are simply using Google analytics on your website then you are collecting and processing personal data. Under the Data Protection Act 1998, if you collect, store or process personal data you must provide specific information to the persons whose personal data you are using. This information is usually provided to users in a privacy policy which should be published on your website.

Continue reading