Below is a summary of the following online platform laws, the EU Digital Services Act, the European Accessibility Directive and the UK Online Safety Act, the UK Digital Markets Competition and Consumers Act and the EU Revised Product Liability Directive, that will impact SaaS suppliers and SaaS customers in 2025. Some of these laws apply extra-territorially, meaning the laws apply even when a SaaS supplier is not located in the UK or the EU (respectively). It is important to be aware of these new laws in order to assess whether
Continue readingTag: SaaS contract
SaaS Agreements – New EU and UK Data Security Laws
Below is a summary of the following data security laws, the EU Network and Information Systems Directive 2, the EU Digital Operational Resilience Act, the EU Cyber Resilience Act, the EU Critical Entities Resilience Directive and the UK Product Security and Telecommunications Infrastructure Act that will impact SaaS suppliers and SaaS customers in 2025. Some of these laws apply extra-territorially, meaning the laws apply even when a SaaS supplier is not located in the UK or the EU (respectively).
It is important to be aware of these new laws in order to assess whether or not they apply to your particular SaaS business, products and services.
Continue readingSaaS Agreements – New EU and UK Data Laws
Below is a summary of the EU Artificial Intelligence Act, the EU Data Act and the UK Data Use and Access Act that will impact SaaS suppliers and SaaS customers in 2025. These laws will apply extra-territorially, meaning the laws apply even when a SaaS supplier is not located in the UK or the EU (respectively). It is important to be aware of these new laws in order to assess whether or not they apply to your particular SaaS business, products and services. The EU AI Act applies to AI systems and AI models and categorises AI systems into different risk categories.
Continue readingFAQs – Sub-Processor Lists – Transfer Mechanisms
SaaS suppliers and SaaS customers can only lawfully transfer personal data to sub-processors located outside of the UK, Switzerland or the EEA, (make a restricted transfer) if a recognized transfer mechanism is in place to protect the personal data being transferred.
Continue readingSaaS Agreements – DORA – ICT Supplier Obligations
SaaS suppliers obligations under the Digital Operational Resilience Act,(“DORA”), (Regulation (EU) 2022/2554 on digital operational resilience for the EU financial sector), are effective from the 17th of January 2025. From this date DORA provisions must be included in contracts entered into between financial services entities subject to DORA and their third party providers of ICT Services. As SaaS suppliers are third party providers of digital and data services on an ongoing basis they will be third party providers of ICT services if their SaaS customers are regulated by DORA. Both
Continue readingSaaS Agreements – FAQs – Restricted Transfers
Restricted transfers are a type of international data transfer to which special rules apply. SaaS suppliers and SaaS customers are responsible for complying with the relevant rules when making or permitting restricted transfers of personal data to their suppliers, customers, sub-processors, group companies and partners.
What is an international data transfer?
An international data transfer occurs when personal data is sent or transmitted from one country to another.
This includes:
Continue readingSaaS Agreements – FAQs – Transfer Mechanisms
Below is a summary of the transfer mechanisms that can be relied upon to make a lawful transfer of UK, Swiss or EEA personal data to a country outside of the UK, Switzerland or the EEA.
Adequacy is granted when a recipient country is deemed to have data protection laws and practices similar to those of the sending country.
Continue readingSaaS Agreements – Data Protection: UK-US Data Bridge
On Friday the 22nd of September the UK agreed its own transfer mechanism which can be used instead of UK standard contractual clauses.
From the 12 October 2023, SaaS Suppliers and SaaS Customers can start to transfer UK personal data to entities located in the USA provided that the US entity is certified under the new “UK Extension to the EU-US Data Privacy Framework” (UK-US Data Bridge).
This now means that all transfers of UK personal data made to US companies certified under the UK-US Data Bridge by SaaS companies will be deemed to be to a third country that has adequate data protection laws.
Once a US organisation has been certified and is publicly placed on the DPF List they can receive EU personal data through the DPF.
Continue readingSaaS Agreements – Data Protection – New EU-US Privacy Shield?
Following the Schrems II judgement of the European Court of Justice (“ECJ”), which invalidated the EU-US Privacy Shield which resulted in the subsequent European Data Protection Board (“EDPB”) final data transfer guidance, SaaS customers and SaaS suppliers are currently required to carry out a data transfer assessment (“DTA”) prior to transferring personal data outside of the EEA to a “third country” i.e. to a country which does not have an “adequacy decision” from the EU, for example, the USA.
Continue readingSaaS Agreements – FAQs – Cookies
Cookies are small text files placed on a user’s hardware device, such as a computer, tablet or mobile phone which record online activity. The majority of websites use cookies to measure visits and the use of websites (analytics cookies). Cookies are often also used to save user names, passwords and user preferences to make repeated use of a website more comfortable for the user. However, increasingly cookies are being used to collect information about users for the purposes of targeted marketing, tracking and other non essential purposes.
Continue reading