From 25 May 2018, the EU General Data Protection Regulation (GDPR) will come into force and replace the existing data protection laws in all 28 EU member states. The GDPR will place direct obligations on SaaS suppliers (data processors) in relation to their data processing activities. In addition, customers (data controllers), their clients (data subjects) and local data protection authorities will be able to take action directly against SaaS suppliers for breaches of the new rules.
SaaS suppliers need to amend the provisions of their existing SaaS terms and conditions in order to comply with the upcoming changes in data protection law.
Written Data Processing Terms
SaaS suppliers will need to include the following minimum terms in a written data processing agreement with all customers:
- The duration, nature and purpose of the data processing;
- The types of data being processed;
- The obligations and rights of the customer.
The written data processing terms must state that:
- Personal data will only be processed in accordance with documented instructions from the customer;
- The SaaS supplier will assist the customer in complying with its own obligations as a data controller;
- The SaaS supplier is obliged to inform the customer immediately if, in its opinion, an instruction from the customer breaches the GDPR or any other EU or Member State data protection law.
Unless one of the exceptions applies, the main one being that the SaaS supplier has fewer than 250 employees (and the exception does not apply where the processing is not occasional, is likely to result in a risk to data subjects, or includes special categories of data), SaaS suppliers must keep records of all categories of processing activities that they carry out.
The following details must be recorded:
- Information about the customer and any other data processors;
- Names of relevant data protection officers (DPOs);
- The categories of data processing carried out;
- Any transfers to third countries; and
- The general technical and organisational security measures used by the SaaS supplier.
If requested by a supervisory authority, SaaS suppliers must provide such records.
SaaS suppliers will need to obtain prior written consent before subcontracting any data processing activities: for example, using a third-party hosting provider such as AWS or Microsoft Azure. Although SaaS suppliers can include a general consent to subcontracting in the provisions of their SaaS terms and conditions, they will still be obliged to inform customers before adding or replacing any sub-processor, in order to give customers time to object to the change.
SaaS suppliers will be required to notify customers of any personal data breach without undue delay after becoming aware of it, so that the customer can meet its own notification deadlines to the supervisory authority and to data subjects.
Data Protection Officers
SaaS suppliers will be obliged to appoint a data protection officer (DPO) in some specific circumstances: for example, where the SaaS supplier's core activities involve large-scale processing of special categories of personal data (sensitive data), or where it is required to do so under a Member State law.
The contact details of any DPO appointed must be published and communicated to the applicable supervisory authority.
Deletion or Return of Data
SaaS suppliers must allow customers to choose between deletion or return of all personal data on termination or expiry of the SaaS agreement (unless the applicable mandatory law requires storage). Customers will be entitled to check compliance with this requirement.
Transfers outside the EEA
Although SaaS suppliers are required to follow a SaaS customer's instructions with regard to data processing, SaaS suppliers may only transfer personal data outside the EEA if the SaaS supplier or the SaaS customer has put appropriate safeguards in place: for example, by using EU model clauses (standard contractual clauses) or Binding Corporate Rules (BCRs).
Fines and Compensation
Data subjects will be able to take action against SaaS suppliers directly and claim damages for the SaaS supplier’s breach of:
- Any obligations under the GDPR; or
SaaS suppliers will potentially be liable to both the customer and data subjects for the same breach. In addition, data protection authorities will be able to fine SaaS suppliers up to 4% of annual global turnover (or EUR 20 million, whichever is higher) for some breaches.
Preparing for Change
SaaS suppliers need to review their existing SaaS terms and conditions and their internal procedures to ensure that they comply with the new rules on the use of subcontractors, data security requirements and the appointment of DPOs, and that appropriate organisational and technical measures are in place.
SaaS suppliers should ensure that existing and future agreements with their sub-processors impose the same data processing obligations on all subcontractors, as the SaaS supplier will be liable to the customer and data subjects for any breaches of the new rules caused by any subcontractors.
SaaS suppliers should ensure that their insurance cover, and the indemnities and limitations on liability relating to the use of personal data contained in existing SaaS agreements, are sufficient to cover the higher levels of fines and direct claims for damages by data subjects.
Irene Bodle is an international IT lawyer who specialises in IT law, in particular SaaS and cloud computing. Irene provides specialist, pragmatic and business-focused legal advice to companies who provide IT services to business customers. She has over 14 years' experience (gained both in-house and in private practice) advising technology companies across all business sectors on the legal and commercial risks of operating a technology business. Whether you are a start-up who needs help creating a legally compliant business website or an established technology company who needs assistance drafting and negotiating complex legal agreements, Irene can help you achieve your commercial objectives efficiently and cost-effectively. As a dual-qualified English and Irish lawyer, Irene advises primarily on English law, but also advises on Irish IT law. Being based in Berlin and fluent in German, Irene can also assist in negotiating or advising on technology agreements drafted in German.
Visit https://www.bodlelaw.com for more information.