What additional requirements does a SaaS provider have in relation to the updated GDPR regarding data protection and us being considered a processor of data, when customers of our customers (end users) could potentially provide personal or sensitive information to our customers, stored on our platform.
To clarify, we develop and sell to our customers a cloud hosted service desk solution which our customers use to support their customers. Our customers are either businesses using the solution to support internal users (employed by them) or businesses providing services to other businesses or consumers.
In any case, there are no end of free text notes fields which could contain any kind of information added by our customers or the end user. Generally it will be mundane like “my computer is broken” but there is nothing stopping someone from disclosing information such as their race, sexual orientation etc. and this then being saved into a database hosted on our platform. While we as the provider do not do any additional processing of this data for our benefit, it may be automatically processed further for the benefit of helping our customer more easily do their job, or may be surfaced to our customers helpdesk agents for example during a search to find related or historical tickets.
In addition, our customer may store data about their customers which could be considered comercially sensitive or secret (e.g details of software licenses and license keys installed on particular computers). The same as above applies, so we do no processing of this data for our gain, and only authorised users from our customers staff can view this data.
Is there anything we need to do (such as update clauses our SaaS terms and conditions) to say we only process the information given to our customer (and by extension, us) in order for our customer to provide their service to their end user. Basically a way of saying we sell this product to our customer and we have no real control over what data our customer or their end users input into the software and we end up storing in our platform on their behalf. Neither do we really care what that data might be, nor do we do any kind of data mining or the like on it for the commercial gain of us as the provider. We are simply storing it and processing it for use by our customer as they see fit to provide their service.
Alasdair Taylor's Answer
In data protection terms, you are probably the “data processor” here, while your customer is the “data controller”. The individuals whose data you are processing are “data subjects”.
In contrast to the existing data protection regime, the GDPR places a range of specific legal obligations upon data processors (as well as data controllers).
One of these requirements is set out in Article 28, which specifies certain terms that must be in the controller-processor contract. See Art 28 here:
https://www.privacy-regulation.eu/en/28.htm
You can see some example (short from) contract clauses in the previews of one of my templates, here:
https://docular.net/documents/template/5300/data-processing-agreement-basic-controller-processor
It is unlikely that a contract that hasn’t been drafted to comply with the GDPR will comply with the Article 28 requirements.
My comments on some of the issues affecting processors trying to deal with Article 28 are here:
https://seqlegal.com/blog/article-28-gdpr-problems-processors
But this isn’t just a paper exercise: in order to comply with the requirements of the Article 28 contract clauses and the GDPR more generally, you may well have to make significant changes to how you handle personal data.
If you would like to have a chat about this, please do call or drop me an email.
