SaaS suppliers' obligations under the Digital Operational Resilience Act (“DORA”) (Regulation (EU) 2022/2554 on digital operational resilience for the EU financial sector) are effective from the 17th of January 2025. From this date DORA provisions must be included in contracts entered into between financial services entities subject to DORA and their third-party providers of ICT services. As SaaS suppliers provide digital and data services on an ongoing basis, they will be third-party providers of ICT services if their SaaS customers are regulated by DORA. Both
Tag: software as a service
SaaS Agreements – FAQs – Restricted Transfers
Restricted transfers are a type of international data transfer to which special rules apply. SaaS suppliers and SaaS customers are responsible for complying with the relevant rules when making or permitting restricted transfers of personal data to their suppliers, customers, sub-processors, group companies and partners.
What is an international data transfer?
An international data transfer occurs when personal data is sent or transmitted from one country to another.
This includes:
SaaS Agreements – Data Protection: UK-US Data Bridge
On Friday the 22nd of September the UK agreed its own transfer mechanism which can be used instead of UK standard contractual clauses.
From the 12th of October 2023, SaaS suppliers and SaaS customers can start to transfer UK personal data to entities located in the USA provided that the US entity is certified under the new “UK Extension to the EU-US Data Privacy Framework” (UK-US Data Bridge).
This now means that all transfers of UK personal data made to US companies certified under the UK-US Data Bridge by SaaS companies will be deemed to be to a third country that has adequate data protection laws.
Once a US organisation has been certified and is publicly placed on the DPF List they can receive EU personal data through the DPF.
SaaS Agreements – Data Protection: EU-US Data Privacy Framework (DPF)
In July 2023 the EU-US Data Privacy Framework (DPF) was finally agreed between the EU and the USA. The DPF now provides a new transfer mechanism for SaaS suppliers and SaaS customers to use when transferring EU personal data to the USA. The DPF can be used instead of EU standard contractual clauses.
This means that all transfers of EU personal data made to US companies certified under the DPF by SaaS companies will be deemed to be to a third country that has adequate data protection laws.
SaaS Agreements – Data Retention and Deletion
In compliance with their respective obligations under the GDPR, SaaS suppliers and SaaS customers must only keep personal data for as long as necessary and as specified to data subjects. SaaS suppliers should include their obligations in relation to retention and deletion of personal data when acting as a data processor in their SaaS agreement and when acting as a data controller in their privacy policy.
SaaS Agreements – Data Protection – New EU Standard Contractual Clauses
On the 4th of June 2021 the EU Commission announced the adoption of new Standard Contractual Clauses (new SCCs). The new SCCs must be used by all SaaS suppliers and SaaS customers who transfer personal data from the EU to countries outside the EU/EEA (third countries) once the existing Standard Contractual Clauses (old SCCs) are repealed on the 27th of September 2021.
SaaS Agreements – GDPR – US Companies
From the 25th of May 2018 the EU General Data Protection Regulation (GDPR) will come into force and change existing UK data protection laws. The GDPR does not just apply to SaaS suppliers and SaaS customers located in the EU. The GDPR also applies extraterritorially, i.e. to SaaS suppliers and SaaS customers located outside of the EU, for example in the USA, as set out below.
GDPR Applies to US SaaS Customers and SaaS Suppliers
The GDPR will apply to SaaS suppliers and SaaS customers located in the USA if:
They offer goods or services to SaaS customers located within the EU; or
They monitor the behaviour of EU data subjects;
even though the SaaS supplier or SaaS customer is not located within the EU.
SaaS Agreements – GDPR – The General Data Protection Regulation
The General Data Protection Regulation (“GDPR”) will replace the existing EU Data Protection Directive and harmonise European data protection law from the 25th of May 2018. In the UK the GDPR will replace the Data Protection Act 1998 from the 25th of May 2018, regardless of “Brexit”. This will have a significant effect on both SaaS suppliers and SaaS customers who will need to comply with the terms of the GDPR. SaaS suppliers and SaaS customers must update all contractual documents that involve data processing, such as SaaS agreements, privacy policies and hosting and support agreements to comply with the new rules under the GDPR before the 25th of May deadline.
SaaS Agreements – GDPR – New German Data Protection Law (BDSG)
The General Data Protection Regulation (GDPR) will replace the existing EU Data Protection Directive and aims to harmonise European data protection law from the 25th of May 2018. In Germany, the Government has already amended the existing German Data Protection Act (BDSG) and from the 25th of May 2018 the New German Data Protection Act (New BDSG) and the GDPR will apply together.
Compliance with the New BDSG
Both SaaS suppliers and SaaS customers who provide services to German clients, or who collect or process personal data of German data subjects on behalf of international SaaS clients, will need to comply with the terms of the New BDSG in addition to the terms of the GDPR. The New BDSG sets out derogations from certain parts of the GDPR as well as additional obligations.
SaaS Agreement – FAQs – What is an SLA and Essential Terms to Include in an SLA
An SLA forms part of a SaaS agreement. The SLA can be contained in a separate schedule to the SaaS agreement, or included in the main terms and conditions of the SaaS agreement. An SLA sets out:
Details about the availability of the software and services;
Technical details about hosting; and
Details about support and maintenance services for the software.