Tag: standard contractual clauses

SaaS Agreements – Data Protection: EU-US Data Privacy Framework (DPF)

In July 2023 the EU-US Data Privacy Framework, (DPF) was finally agreed between the EU and the USA. The DPF now provides a new transfer mechanism for SaaS suppliers and SaaS customers to use when transferring EU personal data to the USA. The DPF can be used instead of EU standard contractual clauses.

This means that all transfers of EU personal data made to US companies certified under the DPF by SaaS companies will be deemed to be to a third country that has adequate data protection laws.

Continue reading

SaaS Agreements – Data Protection – Restricted Transfers

SaaS suppliers and SaaS customers currently have to comply with complicated rules and include onerous obligations in their SaaS agreements, data processing agreements and data privacy practices to lawfully make restricted transfers of personal data when proving SaaS services. Before making any restricted transfers of personal data, SaaS suppliers must ensure that the specific safeguards required under the UK GDPR and the EU GDPR are in place.

Continue reading

SaaS Agreements – Data Protection – Does your DPA and Sub-Processor List need updating?

Meta were fined 1.2 billion Euros for breaches of EU data protection law and for transferring personal data of EU users to the US despite, using standard contractual clauses, (SCCs), having in place supplemental measures and carrying out data transfer impact assessments, (DTIAs). Google has also been pursued in various EU member states for similar breaches.

In light of these decisions, SaaS suppliers should review their own data protection practices and documentation to ensure that they are up to date and comply with the current rules.

Continue reading

SaaS Agreements – FAQs – EU Standard Contractual Clauses

When entering into a SaaS agreement with a SaaS customer a SaaS supplier will often need to transfer customer data that contains EU personal data outside of the EEA. This could be at the request of a SaaS customer or more usually because the SaaS supplier uses a sub-contractor located outside of the EEA to provide part of the services on its behalf (as a sub-processor). For example: a data centre, online customer support centre or email service provider provided by a company located in the USA.
SaaS suppliers and SaaS customers must use EU standard contractual clauses in order to comply with their duties under the GDPR when making such restricted transfers of EU personal data.

Continue reading

SaaS Agreements – New UK SCCs – IDTA and UK Addendum

Since the EU-US Privacy Shield was declared invalid following the Schrems II decision in 2020 of the ECJ, SaaS suppliers and SaaS customers have had to use EU standard contractual clauses, (“EU SCCs”) or binding corporate rules (“BCRs”) when transferring personal data from the EEA, UK or Switzerland to a third country not deemed “adequate” by the European Commission.

Continue reading

SaaS Agreements – Data Protection – New EU-US Privacy Shield?

Following the Schrems II judgement of the European Court of Justice (“ECJ”), which invalidated the EU-US Privacy Shield which resulted in the subsequent European Data Protection Board (“EDPB”) final data transfer guidance, SaaS customers and SaaS suppliers are currently required to carry out a data transfer assessment (“DTA”) prior to transferring personal data outside of the EEA to a “third country” i.e. to a country which does not have an “adequacy decision” from the EU, for example, the USA.

Continue reading

SaaS Agreements – GDPR – EU-US Privacy Shield Invalid

On the 16th of July 2020 the EU-US Privacy Shield was ruled invalid with immediate effect by the European Court of (“CJEU”). The steps that SaaS suppliers now need to take depend on the scale and type of international data flows and the transfer mechanisms used. If you rely solely upon the EU-US Privacy Shield for transfers to the US, you must replace the Privacy Shield with the EU Commission’s Standard Contractual Clauses (“SCCs”).

Continue reading