Don’t Get SaaS’d: Contractual Tips For In-House Counsel Regarding GDPR Compliance (Part III)

As you have probable collected by now, the Common Details Defense Regulation (“GDPR”) has designed compliance worries for not only providers gathering “personal data” (running as GDPR-outlined “data controllers”), but all those provider companies (believe SaaS) that are running as “data processors” underneath the GDPR as very well.  In my prior two columns, I laid the groundwork for taking a technological innovation-oriented systemic approach to GDPR compliance as very well as preliminary contractual things to consider for these types of compliance.  Having an understanding of what personal knowledge is currently being collected and how it is currently being processed, specific guidelines are important to entirely apply GDPR compliance, these types of as privacy guidelines, knowledge security guidelines, and knowledge retention guidelines. For SaaS companies, addressing these guidelines successfully is important, but for additional explanations than you may possibly believe.

Except if you have been hiding underneath a rock, you probably know that the GDPR has upended how (and even if) providers can gather “personal data” from EU “data topics.”  Provided the sizeable fines that can be imposed for non-compliance (i.e., 4 percent of total annual world turnover or $20M euros, whichever is increased), U.S. providers have been scrambling to ensure compliance these types of as getting the requisite consent from targeted EU knowledge topics to collect and use these types of own knowledge.  Even however the GDPR implementation date has been regarded for the last couple of decades, it has not stemmed what can only be described as substantial scrambling by providers to comply.  As a result, a particular amount of contractual chaos has ensued. Why? It comes down to liability and possibility allocation.

For SaaS companies, this challenge is all way too real. Most provider companies have uncovered by themselves squeezed between their enterprise-consumers (running as “data controllers”) and the real consumers of their enterprise-consumers (potential “data subjects”) since these types of provider companies are commonly “data processors” that are “processing” the “personal knowledge.” Though present agreements may possibly have addressed some level of possibility allocation among the parties pertaining to knowledge, the GDPR has prompted many providers (performing as knowledge controllers) to seek endless liability for provider service provider breach. Why? Due to the fact knowledge processors not only have specific obligations to knowledge controllers but have specific responsibilities these types of as guaranteeing the security of its processing as very well as document-maintaining obligations.  If not, the GDPR states that knowledge processors can be held directly liable underneath the GDPR by the proper knowledge protection authority (“DPA”) underneath Posting 28.  Of program, there is significant publicity to the providers running as knowledge controllers, but the point right here is that SaaS companies require to be vigilant in avoiding the imposition of liability far further than what is important.

As the GDPR involves that knowledge processors have composed contracts with knowledge controllers, it goes without saying that SaaS companies have an opportunity to level the taking part in area with their enterprise-consumers.  In simple fact, the GDPR involves particular elements and minimum phrases (i.e., only performing on the composed instructions of the controller, compliance with confidentiality obligations by people processing the knowledge, employing proper security actions to guarantee the security of the own knowledge, and so on.).  When applied to present agreements, however, specific guidelines ought to be reviewed (or carried out) and addenda may possibly be important (or otherwise have to have modification).  Here are a couple parts in which these types of companies can (and in truth, ought to) address these problems:

Details Security Addenda.  Without problem, these types of guidelines are at the forefront of GDPR compliance.  As the U.S. approach to “personal information” is different than the additional expansive GDPR definition of “personal knowledge,” it is important to not only apply the proper definitional phrases in any knowledge security addendum, but particularly insert needed elements.  Generally, this ought to include things like elements further than mere security of own knowledge, these types of as  (i) the processing of own knowledge currently being executed, (ii) staff obligations (i.e. duty of confidentiality), (iii) any use of sub-processors to do so (including but not restricted to any knowledge backup and disaster recovery companies contracted by the knowledge processor), (iv) conversation with the controller pertaining to controller compliance with its obligations, including own knowledge breach notification and management, and (v) liability limitations.  Auditing of these types of processing by the controller will probable be asked for by the client-enterprise performing as a controller so as to guarantee that they both equally satisfy Posting 28 obligations, but ought to be delicately addressed so as to stay away from unreasonable (or needless) prerequisites (these types of as broad or endless audits, or audits without fair detect).

Details Retention Policies.  Under Posting 5 (1)(e) of the GDPR, personal knowledge require not be retained for a longer time than important when considered in relation to the purpose for which these types of knowledge is processed. For companies that do not have knowledge retention guidelines in place, they require to do so — the GDPR involves that providers handle “personal data” with treatment, and if a enterprise does not have these types of a policy in place, GDPR compliance will be like striving to strike s shifting target with your eyes closed.   Also, the correct of obtain and “right to be forgotten” impose obligations on controllers (and by extension, knowledge processors) that ought to not be stymied by ineffective knowledge retention guidelines.  In simple fact, SaaS companies ought to particularly request their client-providers about their data retention guidelines so that present agreements can adequately address knowledge retention underneath the GDPR.  In any function, these types of guidelines will enable create a baseline from which to address (or modify) present knowledge obligations.

Privacy Policies.  I know what you are thinking — these types of guidelines are commonly client-going through, so how does this occur into engage in contractually among SaaS companies and their client-providers?  The very simple remedy is that these types of guidelines are probable currently being revisited by these types of client providers as a consequence of the GDPR.  As a consequence, examining the client-enterprise privacy policy will enable form the risk allocation underneath the present contract.  Further, for Privacy Defend-certified companies obtaining own knowledge from the EU, the Privacy Shield’s onward-transfer prerequisites will have to be satisfied (and for providers not yet licensed, their vendor agreements will require to address these types of prerequisites ahead of they can be licensed).  These guidelines deliver a window into the enterprise running as a knowledge controller, and ought to be considered accordingly.

Unnecessary to say, there are a good deal of factors for provider companies to take into account when it comes to GDPR compliance and the points set forth over and in my prior columns on the subject matter certainly only scratch the surface. That reported, these ways at the very least point in the correct route, and ought to enable in addressing the multi-layered worries of GDPR compliance.  So don’t get “SaaS’d” by the GDPR — your enterprise (and consumers) will thank you for it.

Tom Kulik is an Mental Property & Data Technological innovation Lover at the Dallas-dependent legislation organization of Scheef & Stone, LLP. In private practice for more than 20 decades, Tom is a sought-immediately after technological innovation attorney who works by using his sector encounter as a previous computer system methods engineer to creatively counsel and enable his consumers navigate the complexities of legislation and technological innovation in their business enterprise. News outlets access out to Tom for his perception, and he has been quoted by nationwide media businesses. Get in contact with Tom on Twitter (@LegalIntangibls) or Facebook (, or get hold of him right at

Shares 0

Post Author: gupta

Leave a Reply

Your email address will not be published. Required fields are marked *