#SaaS and European Legislation on #DataProtection

This article presents a summary of the legislative and regulatory aspects that European companies must take into account when choosing a SaaS provider. Particularly in terms of #DataProtection. When choosing a SaaS provider, companies must implement a checklist with controls and negotiations that they would apply if they work with a relocated service provider for their IT operations.


The main features of Software as a Service are as follows:


– The user accesses the application via the Internet.

– The cost depends on the actual consumption of the service (software).

– The supplier of the application (software) is responsible for its maintenance and availability.


Typically, when a European company adopts a cloud service, it’s responsible for how the SaaS provider processes its data, not the other way around. Due to some uncertainty, as to how and where the SaaS provider will store the data, there is a risk that it may overstep on its customers national or European regulations, which impose strict controls on the processing data of outside the European Union.


In SaaS solutions, the client company data is stored on the servers of the provider. This may include personal data or sensitive data such as health data. This relocation of the data implies respecting their confidentiality and ensuring their safety. The contract must frame the risks and remind everyone of their obligations.


In accordance with the 1995 European Data Protection Directive, which was transposed into the national law of 27 EU Member States, the transfer of personal data outside the European Economic Area (EEA), including the countries of the European Union (plus Iceland, Liechtenstein and Norway) is prohibited unless certain conditions are met. By transfer, the Directive implies that the data will be processed in one way or another in a non-EEA country; On the other hand, the transit of data via these countries is authorized.


For Directive, personal data is equal to any information concerning an identified or identifiable natural person. This broad definition may include various information about a person, such as name, address, IP address, or credit card information.


Cloud Computing = Outsourcing?


Outsourcing is the well-known method whereby a third party supports one or more company functions, which often lack resources (time, expertise or both). It is common, for example, to outsource a project that requires an increase in resources or a function that will no longer be useful once the project is completed (one-time need for development, software integration, etc.).


With cloud computing, companies do not realize that they need to take the same precautions as outsourcing. Personal data may be transferred outside the EEA if they are processed in a country on the European Commission’s list of countries or territories which provide adequate protection for personal data. (Visit the European Commission website to check countries list ).


The United States is not on the list of countries approved by the Commission, but data can be transferred to US companies that have signed the Safe Harbor agreement requiring them to apply seven principles for the processing of information under the supervision of the Federal Trade Commission.


If a country is not on the European Commission’s list of approved non-EEA countries, companies or service providers may take other measures to provide suitable protective policies for personal data and enable their transfer.


The security of the SaaS provider must be evaluated by the companies


In addition to these measures, companies considering SaaS and wanting to avoid the failure to comply with #DataProtection laws generally have to prove that they have evaluated the safety of the supplier and specified measures to protect personal or other sensitive data processed by the supplier.


These measures may include asking the supplier a security evaluation from a third party, requesting that the data must be encrypted during transit, checking the provider’s data retention and destruction policies, setting up audit trails or the data and obtain information about any third-party company with which the supplier could share data.


With that being said, companies should not just look at data protection legislation when they want to adopt SaaS. Thus, national laws on financial legislation in EU countries limit the places where companies can store financial information. For example, European companies must keep electronic invoices for five to ten years. In addition, amendments to the European Council Directive 2010/45 / EU stipulate that this information must be stored on servers located either in the country of establishment of the undertaking or in a neighboring country providing access to the relevant tax authorities.


Confidentiality of Data


The confidentiality of data hosted in Cloud is today the most important of the brakes for the companies wanting to use this service. The standard of confidentiality becomes very important when the hosted data presents a strategic content for the company or when it can be considered as personal data.


The confidentiality of the data may be called into question by members of the service provider or the client company, as well as by a person totally outside these services. It is therefore necessary to put in place, a high level of security, for access to these data, especially if they are accessible via the Internet. The confidentiality of data can also be undermined by regulations applicable to the claimant, especially if the applicant is domiciled in the United States.


As the SaaS market matures, it is becoming increasingly simple to use these services without fear of breaking the law. Over the years, we have seen the evolution, the contracts have grown and different models have been set up on both the customer and the service provider’s side.