In this blog where SaaS is mentioned it refers to the software as a service business. With these companies as part of their business operations, some of the SaaS providers outsource certain functions outside of the EU to either their own group of businesses or other outsourced partners.
What About Off Shore Business Processing Outsourcing?
Your customer or their DPO may be wondering what Personal Data is being processed outside of Europe. Their major concern is going to be – do we need to obtain consent and if this means additional work.
If you are carrying out certain business processing functions offshore make sure it is clear in the processing activities along with its lawful basis in your contracts as to what happens outside of Europe. There should be a written authorisation from your customer in the contract that they have given you approval to use any of their offshore suppliers.
Whilst some of your other customers will not agree to any offshore suppliers and they may push to bring offshore processing locally within EU this has to be weighed by the SaaS provider as to what’s achievable at the time. Larger groups of businesses should also consider putting in place inter binding corporate rules if their sister companies which are also operating outside of Europe.
So let’s look at when this does not apply; typically this is whereas the ICO mentions in international data transfers, then it does not apply, where the provider does not operate outside of Europe. The key thing here is to ensure that the correct agreements are in place which outline what is going on. Along with any adequate technical, security measures which are demonstratable.
What Do We Need to Capture About the Offshore Suppliers?
Ensure that there is a contract, role, purpose of processing, binding corporate rules or standard contractual clauses, processing activities technical and security measures. There should be confidentiality provisions which are committed to by those everyone who has access to the personal data.
Replacement of Offshore Providers with a New Supplier?
Several times this area is a recurring issue for many customers they feel a SaaS provider will replace a supplier without their input and quite often they add additional consent language. Sometimes this also covered off in the contract and the data processing agreement.
In line with the GDPR article consider what is in the contract if a general consent is given for replacement of a supplier where the customer is informed then avoid any additional consent language. This then can be aligned to any subcontracting clauses in the contract.
Any replacement of a supplier should be in line with the GDPR article and clearly outline the steps whereby the customer is able to object or resolve objections.
What About Any Pre-May 2018 Agreement With the Offshore Suppliers or New Suppliers?
The SaaS provider, if not having already done so, should review where they are with the updates to their current contract agreement, GDPR agreements and any standard contractual clauses with the offshore provide. It is worth doing a sense check and gap analysis. Making sure you want to cover any of the current regulation changes which make any pre-GDPR agreement GDPR compliant for your SaaS business. This demonstrates to your customer and auditors that you take data protection seriously as a business.
If there are any new agreements being put in place a thorough review of the supplier contract, information security schedules and standard contract clauses should be the basis of the contract review.
Will the Offshore Suppliers be Liable?
As a SaaS provider, you sign up to GDPR specific language then you’ll be liable for offshore suppliers acts or omissions liability with your customer. Often, you will have multiple suppliers which may have limited liability in the contract
It is important to assess all the points above along with the potential liability level risks and advise the business of the gaps on a case by case basis. Where there are high liability gaps think of the risk this creates for the business and the levels of insurance signed up.
We Don’t Supply Any Goods Or Services, If Personal Data is Processed Offshore – Does GDPR Apply to Us?
A SaaS Provider or any other business if they are not providing services or goods under the scope the GDPR regulation then the only other part in scope is where they are monitoring behaviour. With the latter part, this includes the internet and use of Personal Data including processing techniques such as profiling in order to make decisions about them for analysing or predicting his or her personal preferences, behaviours and attitude.
If a car business was based in Mexico with local Data Subjects only and was processing Personal Data with a Spain provider, the Mexico business would not be caught but the Spanish service provider would be under the scope the GDPR regulation (see European Data Protection Board Guideline 3/2018). Your customer may want to cover the appropriate local Mexican privacy laws and Spanish supplier’s processing activities correctly in agreements.
Does the Offshore Provider Have Appropriate Technical and Security Measures in Place?
The level of measures agreed or guaranteed by the offshore provider may be found in either the binding corporate rules or the standard contractual clauses including any deletion of Personal Data on exit. This is the ideal time to consider whether the offshore provider has enough security controls in place. Your customer may request that these can be confirmed by the SaaS provider.
As a SaaS provider, any offshore provider must provide sufficient guarantees and reliable meeting the requirements of the GDPR regulation including encryption, availability, resilience, and evaluation regularly these measures.
Find out how we helped one client with their GDPR compliance requirements.Download Our Case Study