Since the General Data Protection Regulation (GDPR) came into force on the 25th of May 2018, SaaS suppliers and SaaS customers are legally obliged to include a written data processing agreement (DPA) in the terms of their SaaS agreements. The DPA usually forms a schedule to the SaaS agreement and must include the specific and detailed mandatory obligations set out in the GDPR. SaaS suppliers should use their own DPA and resist any attempt by a SaaS customer to have them sign up to the SaaS customer’s DPA for the following reasons.Continue reading
Under EU and UK data protection laws, UK SaaS suppliers are lawfully permitted to transfer personal data of SaaS customers located in the EU to any country within the EEA. From the 30th of March 2019, when the UK leaves the EU (“Brexit Date”), the UK will no longer be part of the EEA and will become a “third country” for data protection purposes, just like the USA.
The European Commission recently confirmed in a Notice that on the Brexit Date, UK based SaaS suppliers can no longer lawfully transfer personal data of SaaS customers located in the EU (i.e. in France, Germany, Spain etc.) to the UK,Continue reading
Once the UK leaves the EU, the UK will no longer be a member of the EEA. UK SaaS suppliers will no longer be lawfully permitted to continue to transfer personal data of EU SaaS customers to the UK unless the UK government, or alternatively SaaS suppliers themselves, put in place measures to make the transfer legal under EU data protection laws.Continue reading
SaaS suppliers and SaaS resellers should be aware that price fixing is illegal under UK and EU competition law. Often SaaS resellers are not aware that the terms of their SaaS reseller agreement include price fixing clauses. For example: If the SaaS reseller agreement includes clause on resale price maintenance (RPM). This will usually be deemed to be price fixing by the Competition and Markets Authority (CMA) who investigates breaches of competition law in the UK.Continue reading
Under the Data Protection Act 1998 (DPA) UK SaaS suppliers currently have limited obligations to SaaS customers when processing personal data as part of their SaaS services. However, from the 25th of May 2018 the General Data Protection Regulation (GDPR) will impose numerous new data processing obligations on SaaS suppliers. In particular, the obligation for SaaS suppliers to enter into a written data processing agreement with SaaS customers and sub-contractors.Continue reading
UK SaaS suppliers must currently comply with the terms of the Data Protection Act 1998 (DPA), which governs data protection law in the UK. SaaS suppliers should be aware that from the 25th of May 2018, the General Data Protection Regulation (GDPR) will apply directly in all Member States of the European Union (EU).
Many SaaS suppliers are concerned about their data protection obligations following Brexit and are unaware that they will still have obligations (as data processors) to comply with the new rules imposed by the GDPR, even after a Brexit.Continue reading
From the 25th of May 2018 the EU General Data Protection Regulation (GDPR) will come into force and change existing UK data protection laws. The GDPR will place further more onerous obligations on SaaS customers (data controllers) in relation to all data processing. SaaS customers need to amend the terms of their existing SaaS agreements and privacy policies and implement the changes into internal policies and procedures in order to comply with the upcoming changes in UK data protection law.Continue reading
From the 25th of May 2018 the EU General Data Protection Regulation (GDPR) will come into force and change existing UK data protection laws. The GDPR will place direct obligations on SaaS suppliers (data processors) in relation to data processing activities. In addition SaaS customers (data controllers) and their clients (data subjects) will be able to enforce breaches of the new rules directly against SaaS suppliers. SaaS suppliers need to amend the terms of their existing SaaS agreements in order to comply with the upcoming changes in data protection law.Continue reading
SaaS suppliers who decide to use a local partner to resell their SaaS software to customers outside of the countries in which they are based, will need to have a reseller/distributor agreement in place between themselves and each SaaS reseller/distributor. What is a SaaS Reseller/Distributor? A SaaS reseller is theContinue reading
EU model clauses are standard data processing agreements that have been approved by the EU Commission as providing adequate protection. There are currently two sets of standard contractual clauses for transfers of personal data between data controllers and one set for transfers between a data controller and a data processor. EU model clauses must be used unamended (other than where specific details may be added, as set out in the notes to the clauses).
Where personal data is transferred from:
a data controller in the EU (SaaS customer) to a data processor outside of the EEA (SaaS supplier); or
a SaaS supplier within the EU to a sub-processor located outside of the EEA;
the SaaS supplier will need to enter into EU model clauses with the SaaS customer or SaaS sub-processor, as applicable.Continue reading