SaaS suppliers who use US public cloud providers to store, process or host their SaaS customer’s data as part of their SaaS services may now experience customers raising concerns about the risk of disclosure to, and monitoring of, their data by the US government under the Foreign Intelligence Amendments Act (FISA).
Continue readingTag: personal data
SaaS Agreements – Data Protection – Cyber Security Issues
SaaS Customers are increasingly raising questions about the security provisions that SaaS suppliers include in their SaaS agreements and insisting on including onerous rights of audit to monitor and check compliance. Under the UK’s Data Protection Act (DPA) SaaS customers (data controllers) are required to take appropriate technical and organisational measures to prevent the:
unauthorised or unlawful processing of personal data; and
accidental loss, destruction or damage to personal data.
In order to comply with these duties and avoid substantial fines SaaS customers need to ensure that SaaS suppliers have adequate security measures in place to prevent data protection breaches from occurring.
Continue readingSaaS Agreements – FAQs – Transferring Data Outside the EEA
When negotiating a SaaS agreement with SaaS customers you will often need to transfer customer data outside of the EEA (European Economic Area). This could be at the request of your customer or more usually because you have a sub-contractor such as a data centre located outside of the EEA. SaaS suppliers should be aware of the following in order to comply with their duties under the Data Protection Act.
Continue readingSaaS Agreements – Data Protection – Changes to BCRs
The Article 29 Working Party, which represents the European data protection authorities (DPAs), recently announced that data processors (i.e. SaaS suppliers) can now use binding corporate rules (BCRs) to transfer personal data outside the European Economic Area (EEA). Previously the use of BCRs was limited to data controllers (i.e. SaaS customers).
Continue readingSaaS Agreements – Data Protection – Recent ICO Fines
The Information Commissioner’s Office (ICO) has started to issue very high fines to a number of companies and individuals, not just for serious breaches of the Data Protection Act (DPA), but also for breaches of the Privacy and Electronic Communications Regulations (PECR). Below is a summary of the recent fines and the reasons for them being imposed.
Continue readingSaaS Agreements – Data Protection – German Customers and Data Processing Agreements
If you are negotiating sales of SaaS solutions with German customers, you may be surprised by their insistence on having a separate written data processing agreement in addition to your SaaS agreement. This is a mandatory requirement under German data protection law (The BDSG) which imposes onerous obligations far beyond those found in most other EU data protection laws on the SaaS customer and the SaaS supplier.
Continue readingWebsite Legal Requirements – Privacy Policy – Basics for your Website
If you are operating a website and require users to register in order to use your website or you are simply using Google analytics on your website then you are collecting and processing personal data. Under the Data Protection Act 1998, if you collect, store or process personal data you must provide specific information to the persons whose personal data you are using. This information is usually provided to users in a privacy policy which should be published on your website.
Continue readingSaaS Agreements – Data Protection – Policies and Procedures
SaaS suppliers must have adequate data protection policies, procedures and checks in place when employees or third parties are handling SaaS customer data or face the risk of being heavily fined by the Information Commissioner’s Office (ICO) for breaches of the Data Protection Act 1998 (DPA).
Continue readingSaaS Agreements – Data Protection – Customer Privacy Policy
SaaS Customers often ask or expect SaaS supplier’s to provide them with a privacy policy for use in conjunction with their SaaS products. SaaS suppliers should firmly refuse such requests. Firstly, as they could face liability claims from the customer if the privacy policy is in appropriate and secondly while you will have no adequate knowledge of the issues set out below, which will need to be covered in the privacy policy.
Continue readingSaaS Agreements – Data Protection – Anonymising Data
Often SaaS suppliers or SaaS customers anonymise personal data for use in statistical or marketing information but are unaware that by using such anonymised data they could be breaching the Data Protection Act 1998 (DPA). The Information Commissioner’s Office (ICO) has recently confirmed that anonymised personal data may be disclosed without the consent of the data subject, provided that the anonymised data when linked with other information will not lead to the identification of an individual.
Continue reading