In this blog where software as a service (or SaaS in short) is mentioned it refers to the software companies providing cloud-based software. With these software companies they may use business process outsourcing certain operations functions outside of the EU to another third party learn about complying with GDPR regulations with subcontractors.
Business processing outsourcing off shore?
Your customer or their DPO may be wondering what personal data is being processed outside of Europe. Their major concern is going to be – do we need to obtain consent and if this means additional work.
If you are carrying out certain business processing outsourcing functions offshore make sure it is clear in the processing activities along with its lawful basis in your contracts as to what happens outside of Europe. There should be a written authorisation from your customer in the contract that they have given you approval to use any of their offshore subcontractors.
Whilst some of your other customers will not agree to any offshore suppliers and they may push to bring offshore processing locally within EU this has to be weighed by the SaaS provider as to what’s achievable at the time. Larger groups of businesses should also consider putting in place inter binding corporate rules if their sister software companies which are also operating outside of Europe.
So let’s consider as the ICO mentions in international data transfers, then it does not apply, where the provider does not operate outside of Europe. The key thing here is to ensure that the correct agreements are in place which outline what is going on. Along with any adequate technical, security measures which are demonstratable.
What do we need to capture about the offshore subcontractors?
Ensure that there is a contract, role, purpose of processing, binding corporate rules or standard contractual clauses, processing activities technical and security measures. There should be confidentiality provisions which are committed to by those everyone who has access to the personal data.
Replacement to a new subcontractors?
Several times this area is a recurring issue for many customers they feel a software as a service provider will replace a subcontractors without their input and quite often they add additional consent language. Sometimes this also covered off in the contract and the data processing agreement.
In line with Article 28 of the GDPR regulations consider what is in the contract if a general consent is given for replacement of a supplier where the customer is informed then avoid any additional consent language. This then can be aligned to any subcontracting clauses in the contract.
Any replacement of a subcontractors should be in line with the above GDPR article and clearly outline the steps whereby the customer is able to object or resolve objections.
Pre GDPR offshore subcontracting?
The software as a service provider, if not having already done so, should review where they are with the updates to their current contract agreement, GDPR data processing agreements and any standard contractual clauses with the offshore business process outsourcing subcontractors. It is worth doing a sense check and gap analysis. Making sure you want to cover any of the GDPR regulation changes which make any pre GDPR data processing agreement to meet GDPR compliance for software companies . This demonstrates to your customer and auditors that you take data protection seriously as a business.
If there are any new data processing agreements being put in place a thorough review of the supplier contract, information security schedules and where applicable standard contract clauses should be the basis of the contract review.
Will the offshore subcontractors be liable?
As a SaaS company, you sign up to GDPR specific language in a contract then you could come unstuck the processor will be liable for all the subcontractors including any acts or omissions or unable to fulfil obligations as per Article 28 GDPR. Also for damages for each processor to data subject as per Article 82 of the GDPR regulation. Often, you will have multiple suppliers which may have limited liability in the contract
It is important to assess all the points above along with the potential liability level risks and advise the business of the gaps on a case by case basis. Where there are high liability gaps think of the risk this creates for the business and the levels of insurance signed up.
No goods, no services, personal data processed offshore will GDPR apply?
A service as a software provider or any other business if they are not providing services or goods under the scope the GDPR regulation then the only other part in scope is where they are monitoring behaviour. With the latter part, this includes the internet and use of personal data including processing techniques such as profiling in order to make decisions about them for analysing or predicting his or her personal preferences, behaviours and attitude.
If a car business was based in Mexico with local data subjects only and was processing personal data with a Spain provider, the Mexico business would not be caught but the Spanish service provider would be under the scope the GDPR regulation (see European Data Protection Board Guideline 3/2018). Your customer may want to cover the appropriate local Mexican privacy laws and Spanish supplier’s processing activities correctly in data processing agreement.
Offshore subcontracting supplier need appropriate measures?
The level of technical and security measures agreed or guaranteed by the offshore business process outsourcing provider may be found in either the binding corporate rules or the standard contractual clauses including any deletion of personal data on exit. This is the ideal time to consider whether the offshore provider has enough security controls in place. Your customer may request that these can be confirmed by the service as a software company.
As a software as a service company, using any subcontractors they must provide sufficient guarantees and reliable meeting the requirements of the GDPR regulation including encryption, availability, resilience, and evaluation regularly these measures.
Find out how we helped one client with their GDPR compliance requirements.Download Our Case Study
Your business may have support requirement in one or more area why not talk to us and see if can assist with your data protection or the GDPR with our consultancy data protection services by emailing email@example.com or request a proposal from us.Get Your Free Consultation