SaaS Agreements – Data Protection – New EU-US Privacy Shield?

Following the Schrems II judgement of the European Court of Justice (“ECJ”), which invalidated the EU-US Privacy Shield which resulted in the subsequent European Data Protection Board (“EDPB”) final data transfer guidance, SaaS customers and SaaS suppliers are currently required to carry out a data transfer assessment (“DTA”) prior to transferring personal data outside of the EEA to a “third country” i.e. to a country which does not have an “adequacy decision” from the EU, for example, the USA.

Continue reading

SaaS Agreements – FAQs – Cookies

Cookies are small text files placed on a user’s hardware device, such as a computer, tablet or mobile phone which record online activity. The majority of websites use cookies to measure visits and the use of websites (analytics cookies). Cookies are often also used to save user names, passwords and user preferences to make repeated use of a website more comfortable for the user. However, increasingly cookies are being used to collect information about users for the purposes of targeted marketing, tracking and other non essential purposes.

Continue reading

SaaS Agreements – FAQs – Personal Data

It is essential for SaaS providers and SaaS customers to understand what consitutes personal data to ensure that they comply with their respective legal obligations when acting as data controllers and/or data processors. What is Personal Data? Articles 4(1) of the General Data Protection Regulation (“GDPR“) defines personal data as:

Continue reading

SaaS Agreements – GDPR – Local Derogations

The General Data Protection Regulation (“GDPR”) now applies to all SaaS customers and SaaS companies collecting or processing the personal data of individuals located within the EU. SaaS suppliers and SaaS customers must comply with the terms the GDPR. SaaS suppliers and SaaS customers should be aware that the GDPR does not however fully harmonise data protection law throughout the EU, as each EU country may introduce their own requirements in certain instances (“derogations”) under their own local data protection laws.

Continue reading

SaaS Agreements – GDPR – Data Processing Agreement

Since the General Data Protection Regulation (GDPR) came into force on the 25th of May 2018, SaaS suppliers and SaaS customers are legally obliged to include a written data processing agreement (DPA) in the terms of their SaaS agreements. The DPA usually forms a schedule to the SaaS agreement and must include the specific and detailed mandatory obligations set out in the GDPR. SaaS suppliers should use their own DPA and resist any attempt by a SaaS customer to have them sign up to the SaaS customer’s DPA for the following reasons.

Continue reading

SaaS Agreements – GDPR – Data Protection Act 2018

The UK Data Protection Act 2018 Act came into force on the 25th of May 2018 (“DPA”).

The DPA replaces the Data Protection Act 1998 in its entirety and applies the standards of the General Data Protection Regulation (“GDPR), whilst also attempting to prepare the UK data protection law for Brexit. SaaS customers and SaaS suppliers should familiarise themselves with the terms of the DPA in addition to the provisions of the GDPR – as both apply. The DPA also includes a number of derogations from the GDPR.

Continue reading