Following the Schrems II judgement of the European Court of Justice (“ECJ”), which invalidated the EU-US Privacy Shield which resulted in the subsequent European Data Protection Board (“EDPB”) final data transfer guidance, SaaS customers and SaaS suppliers are currently required to carry out a data transfer assessment (“DTA”) prior to transferring personal data outside of the EEA to a “third country” i.e. to a country which does not have an “adequacy decision” from the EU, for example, the USA.
Continue readingTag: SaaS contract
SaaS Agreements – FAQs – Cookies
Cookies are small text files placed on a user’s hardware device, such as a computer, tablet or mobile phone which record online activity. The majority of websites use cookies to measure visits and the use of websites (analytics cookies). Cookies are often also used to save user names, passwords and user preferences to make repeated use of a website more comfortable for the user. However, increasingly cookies are being used to collect information about users for the purposes of targeted marketing, tracking and other non essential purposes.
Continue readingSaaS Agreements – Data Protection – Schrems II: Data Transfer Assessments
Following the Schrems II judgement and the subsequent European Data Protection Board (EDPB) Schrems II guidance, SaaS customers and SaaS suppliers are now required to carry out a data transfer assessment prior to transferring personal data outside the EEA to a third country which does not have an “adequacy” decision from the EU. i.e. any transfer of EU located data to the USA.
Continue readingSaaS Agreements – Data Protection – New EU Standard Contractual Clauses
On the 4th of June 2021 the EU Commission announced the adoption of new Standard Contractual Clauses (new SCCs). The new SCCs must be used by all SaaS suppliers and SaaS customers who transfer personal data from the EU to countries outside the EU/EEA (third countries) when the old SCCs (old SCCs) are repealed on the 27th of September 2021.
Continue readingSaaS Agreements – Data Protection – New EU Standard Contractual Clauses Published
On the 4th of June 2021 the EU Commission announced the adoption of new Standard Contractual Clauses (new SCCs). The new SCCs must be used by all SaaS suppliers and SaaS customers who transfer personal data to countries outside the EU/EEA (third countries) once the current SCCs are repealed.
Continue readingSaaS Agreements – FAQs – Personal Data
It is essential for SaaS providers and SaaS customers to understand what consitutes personal data to ensure that they comply with their respective legal obligations when acting as data controllers and/or data processors. What is Personal Data? Articles 4(1) of the General Data Protection Regulation (“GDPR“) defines personal data as:
Continue readingSaaS Agreements – GDPR – Personal Data Breaches and How to Avoid them
Recently there have been a number of high profile cases involving the UK’s data protection authority (the “ICO”), imposing very large fines on Marriott and British Airways for serious data breaches. SaaS customers and SaaS suppliers should be reviewing the appropriateness of their technical and organisational measures to avoid the
Continue readingSaaS Agreements – GDPR – Local Derogations
The General Data Protection Regulation (“GDPR”) now applies to all SaaS customers and SaaS companies collecting or processing the personal data of individuals located within the EU. SaaS suppliers and SaaS customers must comply with the terms the GDPR. SaaS suppliers and SaaS customers should be aware that the GDPR does not however fully harmonise data protection law throughout the EU, as each EU country may introduce their own requirements in certain instances (“derogations”) under their own local data protection laws.
Continue readingSaaS Agreements – GDPR – Data Processing Agreement
Since the General Data Protection Regulation (GDPR) came into force on the 25th of May 2018, SaaS suppliers and SaaS customers are legally obliged to include a written data processing agreement (DPA) in the terms of their SaaS agreements. The DPA usually forms a schedule to the SaaS agreement and must include the specific and detailed mandatory obligations set out in the GDPR. SaaS suppliers should use their own DPA and resist any attempt by a SaaS customer to have them sign up to the SaaS customer’s DPA for the following reasons.
Continue readingSaaS Agreements – GDPR – Data Protection Act 2018
The UK Data Protection Act 2018 Act came into force on the 25th of May 2018 (“DPA”).
The DPA replaces the Data Protection Act 1998 in its entirety and applies the standards of the General Data Protection Regulation (“GDPR), whilst also attempting to prepare the UK data protection law for Brexit. SaaS customers and SaaS suppliers should familiarise themselves with the terms of the DPA in addition to the provisions of the GDPR – as both apply. The DPA also includes a number of derogations from the GDPR.
Continue reading