SaaS suppliers and SaaS customers should take note of three recent data protection fines issued against Facebook and Google by the French Data Protection Authority (“CNIL“) for non-compliant cookie banners on their websites. The fines were issued pursuant to breaches of French Data Protection Law and the GDPR and highlight
Continue readingTag: SAAS
SaaS Agreements – Data Protection – New EU-US Privacy Shield?
Following the Schrems II judgement of the European Court of Justice (“ECJ”), which invalidated the EU-US Privacy Shield which resulted in the subsequent European Data Protection Board (“EDPB”) final data transfer guidance, SaaS customers and SaaS suppliers are currently required to carry out a data transfer assessment (“DTA”) prior to transferring personal data outside of the EEA to a “third country” i.e. to a country which does not have an “adequacy decision” from the EU, for example, the USA.
Continue readingSaaS Agreements – FAQs – Cookies
Cookies are small text files placed on a user’s hardware device, such as a computer, tablet or mobile phone which record online activity. The majority of websites use cookies to measure visits and the use of websites (analytics cookies). Cookies are often also used to save user names, passwords and user preferences to make repeated use of a website more comfortable for the user. However, increasingly cookies are being used to collect information about users for the purposes of targeted marketing, tracking and other non essential purposes.
Continue readingSaaS Agreements – Data Protection – Schrems II: Data Transfer Assessments
Following the Schrems II judgement and the subsequent European Data Protection Board (EDPB) Schrems II guidance, SaaS customers and SaaS suppliers are now required to carry out a data transfer assessment prior to transferring personal data outside the EEA to a third country which does not have an “adequacy” decision from the EU. i.e. any transfer of EU located data to the USA.
Continue readingSaaS Agreements – Data Protection – New EU Standard Contractual Clauses
On the 4th of June 2021 the EU Commission announced the adoption of new Standard Contractual Clauses (new SCCs). The new SCCs must be used by all SaaS suppliers and SaaS customers who transfer personal data from the EU to countries outside the EU/EEA (third countries) when the old SCCs (old SCCs) are repealed on the 27th of September 2021.
Continue readingSaaS Agreements – Data Protection – New EU Standard Contractual Clauses Published
On the 4th of June 2021 the EU Commission announced the adoption of new Standard Contractual Clauses (new SCCs). The new SCCs must be used by all SaaS suppliers and SaaS customers who transfer personal data to countries outside the EU/EEA (third countries) once the current SCCs are repealed.
Continue readingSaaS Agreements – GDPR – EU-US Privacy Shield Invalid
On the 16th of July 2020 the EU-US Privacy Shield was ruled invalid with immediate effect by the European Court of (“CJEU”). The steps that SaaS suppliers now need to take depend on the scale and type of international data flows and the transfer mechanisms used. If you rely solely upon the EU-US Privacy Shield for transfers to the US, you must replace the Privacy Shield with the EU Commission’s Standard Contractual Clauses (“SCCs”).
Continue readingSaaS Agreements – Brexit – Need for an EU Representative
A “no deal Brexit” is looking likely for the 31st of October 2019. SaaS suppliers and SaaS customers need to take steps now to ensure that they comply with the requirement to appoint an EU Representative under the GDPR, where they will no longer have any establishment in the EU after Brexit.
Continue readingSaaS Agreements – FAQs – Data Processor
It is important for a SaaS supplier to understand the legal obligations imposed upon them as a data processor when negotiating a SaaS agreement and a data processing agreement (“DPA“) as the duties of a data processor are not the same as the duties of a data controller. In a SaaS relationship the supplier is always the data processor of the SaaS customer. The SaaS customer is always the data controller of the SaaS supplier. Who is a Data Processor Articel 4(8) of the GDPR defines a data processor as:
Continue readingSaaS Agreements – FAQs – Personal Data
It is essential for SaaS providers and SaaS customers to understand what consitutes personal data to ensure that they comply with their respective legal obligations when acting as data controllers and/or data processors. What is Personal Data? Articles 4(1) of the General Data Protection Regulation (“GDPR“) defines personal data as: “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location
Continue reading