SaaS Agreements – GDPR – EU-US Privacy Shield Invalid

On the 16th of July 2020 the EU-US Privacy Shield was ruled invalid with immediate effect by the European Court of (“CJEU”). The steps that SaaS suppliers now need to take depend on the scale and type of international data flows and the transfer mechanisms used. If you rely solely upon the EU-US Privacy Shield for transfers to the US, you must replace the Privacy Shield with the EU Commission’s Standard Contractual Clauses (“SCCs”).

Continue reading

SaaS Agreements – Brexit – Transition Period

Brexit has now taken place and the UK has left the EU. However until the end of the transition period the UK is still treated as being part of the EU to enable an EU trade deal to be negotiated. This means that although SaaS suppliers and SaaS customers can continue to lawfully process and transfer personal data between the EU and the UK until the expiry of the transition period on the 31st of December 2020, SaaS suppliers and SaaS customers still need to take action now to amend existing documents to reflect that fact that the UK is no longer part of the EU.

Continue reading

SaaS Agreements – GDPR – Data Processing Agreement

Since the General Data Protection Regulation (GDPR) came into force on the 25th of May 2018, SaaS suppliers and SaaS customers are legally obliged to include a written data processing agreement (DPA) in the terms of their SaaS agreements. The DPA usually forms a schedule to the SaaS agreement and must include the specific and detailed mandatory obligations set out in the GDPR. SaaS suppliers should use their own DPA and resist any attempt by a SaaS customer to have them sign up to the SaaS customer’s DPA for the following reasons.

Continue reading

SaaS Agreements – Brexit – EU Data Transfers to the UK after Brexit

Under EU and UK data protection laws, UK SaaS suppliers are lawfully permitted to transfer personal data of SaaS customers located in the EU to any country within the EEA. From the 30th of March 2019, when the UK leaves the EU (“Brexit Date”), the UK will no longer be part of the EEA and will become a “third country” for data protection purposes, just like the USA.

The European Commission recently confirmed in a Notice that on the Brexit Date, UK based SaaS suppliers can no longer lawfully transfer personal data of SaaS customers located in the EU (i.e. in France, Germany, Spain etc.) to the UK,

Continue reading

SaaS Agreements – Brexit – EU Data Transfers

Once the UK leaves the EU, the UK will no longer be a member of the EEA. UK SaaS suppliers will no longer be lawfully permitted to continue to transfer personal data of EU SaaS customers to the UK unless the UK government, or alternatively SaaS suppliers themselves, put in place measures to make the transfer legal under EU data protection laws.

Continue reading