SaaS Agreements – FAQs – Restricted Transfers

Restricted transfers are a type of international data transfer to which special rules apply. SaaS suppliers and SaaS customers are responsible for complying with the relevant rules when making or permitting restricted transfers of personal data to their suppliers, customers, sub-processors, group companies and partners.

What is an international data transfer?

An international data transfer occurs when personal data is sent or transmitted from one country to another.

This includes:

Continue reading

SaaS Agreements – Data Protection: UK-US Data Bridge

On Friday the 22nd of September the UK agreed its own transfer mechanism which can be used instead of UK standard contractual clauses.

From the 12 October 2023, SaaS Suppliers and SaaS Customers can start to transfer UK personal data to entities located in the USA provided that the US entity is certified under the new “UK Extension to the EU-US Data Privacy Framework” (UK-US Data Bridge).

This now means that all transfers of UK personal data made to US companies certified under the UK-US Data Bridge by SaaS companies will be deemed to be to a third country that has adequate data protection laws.

Once a US organisation has been certified and is publicly placed on the DPF List they can receive EU personal data through the DPF.

Continue reading

SaaS Agreements – Data Protection – New EU-US Privacy Shield?

Following the Schrems II judgement of the European Court of Justice (“ECJ”), which invalidated the EU-US Privacy Shield which resulted in the subsequent European Data Protection Board (“EDPB”) final data transfer guidance, SaaS customers and SaaS suppliers are currently required to carry out a data transfer assessment (“DTA”) prior to transferring personal data outside of the EEA to a “third country” i.e. to a country which does not have an “adequacy decision” from the EU, for example, the USA.

Continue reading

SaaS Agreements – FAQs – Cookies

Cookies are small text files placed on a user’s hardware device, such as a computer, tablet or mobile phone which record online activity. The majority of websites use cookies to measure visits and the use of websites (analytics cookies). Cookies are often also used to save user names, passwords and user preferences to make repeated use of a website more comfortable for the user. However, increasingly cookies are being used to collect information about users for the purposes of targeted marketing, tracking and other non essential purposes.

Continue reading

SaaS Agreements – FAQs – Personal Data

It is essential for SaaS providers and SaaS customers to understand what consitutes personal data to ensure that they comply with their respective legal obligations when acting as data controllers and/or data processors. What is Personal Data? Articles 4(1) of the General Data Protection Regulation (“GDPR“) defines personal data as:

Continue reading