SaaS Agreements – GDPR – EU-US Privacy Shield Invalid

On the 16th of July 2020 the EU-US Privacy Shield was ruled invalid with immediate effect by the European Court of Justice (“CJEU”). The steps that SaaS suppliers now need to take depend on the scale and type of international data flows and the transfer mechanisms used. If you rely solely upon the EU-US Privacy Shield for transfers to the US, you must replace the Privacy Shield with the EU Commission’s Standard Contractual Clauses (“SCCs”).

SaaS Agreements – Brexit – Transition Period

Brexit has now taken place and the UK has left the EU. However, until the end of the transition period the UK is still treated as being part of the EU to enable an EU trade deal to be negotiated. This means that although SaaS suppliers and SaaS customers can continue to lawfully process and transfer personal data between the EU and the UK until the expiry of the transition period on the 31st of December 2020, SaaS suppliers and SaaS customers still need to take action now to amend existing documents to reflect the fact that the UK is no longer part of the EU.

SaaS Agreements – Brexit – Need for an EU Representative

A “no deal Brexit” is looking likely for the 31st of October 2019. SaaS suppliers and SaaS customers need to take steps now to ensure that they comply with the requirement to appoint an EU Representative under the GDPR, where they will no longer have any establishment in the EU after Brexit.

SaaS Agreements – Preparing for a No Deal Brexit

Currently a “no deal Brexit” is looking likely for the 31st of October 2019. It is therefore essential that SaaS suppliers and SaaS customers take steps now to ensure that they can continue to lawfully process and transfer personal data between the EU and the UK following a no deal Brexit.

SaaS Agreements – Data Protection – Brexit Update

UK SaaS Agreements: In light of the various leaving scenarios, of which a “no deal Brexit” is looking likely, it is highly advisable that SaaS suppliers and SaaS customers now take steps to ensure that they can continue to lawfully process and transfer personal data between the EU and the UK following Brexit.

SaaS Agreements – FAQs – EU Standard Contractual Clauses

EU model clauses are standard data processing agreements that have been approved by the EU Commission as providing adequate protection. There are currently two sets of standard contractual clauses for transfers of personal data between data controllers and one set for transfers between a data controller and a data processor. EU model clauses must be used unamended (other than where specific details may be added, as set out in the notes to the clauses).

Where personal data is transferred from:

a data controller in the EU (SaaS customer) to a data processor outside of the EEA (SaaS supplier); or
a SaaS supplier within the EU to a sub-processor located outside of the EEA;

the SaaS supplier will need to enter into EU model clauses with the SaaS customer or SaaS sub-processor, as applicable.

SaaS Agreements – Data Protection – EU US Privacy Shield

A new privacy agreement called the Privacy Shield has been agreed by the US and EU to replace the safe harbour scheme. The Privacy Shield is based upon safe harbour but has additional protections, particularly with regard to public authority access to personal data. The Privacy Shield must now be reviewed by the European Commission before it can be relied upon and adopted by SaaS suppliers or customers. The European Commission is currently assessing whether or not the Privacy Shield provides adequate protection in accordance with EU data protection laws. This process is expected to take up to 3 months.

SaaS Agreements – Terms and Conditions – Safe Harbor Adequacy

European data protection authorities have recently raised serious reservations about the effectiveness of the safe harbour scheme and its ability to adequately protect SaaS customer data to the same standard as European data protection laws. If you are a SaaS supplier and are considering using, or are already using, a company located in the US to provide part of your SaaS services, e.g. for hosting, you should be aware of the existence and limitations of the safe harbor scheme.

Bodle Law