SaaS Agreements – FAQs – EU Standard Contractual Clauses
When entering into a SaaS agreement with a SaaS customer a SaaS supplier will often need to transfer customer data that contains EU personal data outside of the EEA. This could be at the request of a SaaS customer or more usually because the SaaS supplier uses a sub-contractor located outside of the EEA to provide part of the services on its behalf (as a sub-processor). For example: a data centre, online customer support centre or email service provider provided by a company located in the USA.
SaaS suppliers and SaaS customers must use EU standard contractual clauses in order to comply with their duties under the GDPR when making such restricted transfers of EU personal data.
SaaS Agreements – New UK SCCs – IDTA and UK Addendum
Since the EU-US Privacy Shield was declared invalid following the Schrems II decision in 2020 of the ECJ, SaaS suppliers and SaaS customers have had to use EU standard contractual clauses, (“EU SCCs”) or binding corporate rules (“BCRs”) when transferring personal data from the EEA, UK or Switzerland to a third country not deemed “adequate” by the European Commission.Continue reading
SaaS Agreements – Cookies – Are your Cookie Banners Compliant
SaaS suppliers and SaaS customers should take note of three recent data protection fines issued against Facebook and Google by the French Data Protection Authority (“CNIL“) for non-compliant cookie banners on their websites. The fines were issued pursuant to breaches of French Data Protection Law and the GDPR and highlightContinue reading
SaaS Agreements – Data Protection – New EU-US Privacy Shield?
Following the Schrems II judgement of the European Court of Justice (“ECJ”), which invalidated the EU-US Privacy Shield which resulted in the subsequent European Data Protection Board (“EDPB”) final data transfer guidance, SaaS customers and SaaS suppliers are currently required to carry out a data transfer assessment (“DTA”) prior to transferring personal data outside of the EEA to a “third country” i.e. to a country which does not have an “adequacy decision” from the EU, for example, the USA.Continue reading
SaaS Agreements – FAQs – Cookies
SaaS Agreements – Data Protection – Schrems II: Data Transfer Assessments
Following the Schrems II judgement and the subsequent European Data Protection Board (EDPB) Schrems II guidance, SaaS customers and SaaS suppliers are now required to carry out a data transfer assessment prior to transferring personal data outside the EEA to a third country which does not have an “adequacy” decision from the EU. i.e. any transfer of EU located data to the USA.Continue reading
SaaS Agreements – Data Protection – New EU Standard Contractual Clauses
On the 4th of June 2021 the EU Commission announced the adoption of new Standard Contractual Clauses (new SCCs). The new SCCs must be used by all SaaS suppliers and SaaS customers who transfer personal data from the EU to countries outside the EU/EEA (third countries) when the old SCCs (old SCCs) are repealed on the 27th of September 2021.Continue reading
SaaS Agreements – Data Protection – New EU Standard Contractual Clauses Published
On the 4th of June 2021 the EU Commission announced the adoption of new Standard Contractual Clauses (new SCCs). The new SCCs must be used by all SaaS suppliers and SaaS customers who transfer personal data to countries outside the EU/EEA (third countries) once the current SCCs are repealed.Continue reading
SaaS Agreements – GDPR – EU-US Privacy Shield Invalid
On the 16th of July 2020 the EU-US Privacy Shield was ruled invalid with immediate effect by the European Court of (“CJEU”). The steps that SaaS suppliers now need to take depend on the scale and type of international data flows and the transfer mechanisms used. If you rely solely upon the EU-US Privacy Shield for transfers to the US, you must replace the Privacy Shield with the EU Commission’s Standard Contractual Clauses (“SCCs”).Continue reading