GDPR for the UK: Brexit and international transfers of personal data
Our tech lawyers specialise in acting for early stage companies and for startups, and the key asset of many such businesses is their technology. Our priority is to protect rights for technology businesses and to allow realisation of maximum value from technology assets.
Our tech lawyers may advise you on general commercial/contractual matters at the same time as they advise you on a corporate transaction (i.e. on an investment, restructuring, trade sale or listing). In a fast moving sector, you will need a lawyer who has a deep understanding of your technology business, and who can co-ordinate the approach you take on all legal issues.
Our technology solicitors can advise on a technology specific issue or draft or comment upon technology agreements, including in relation to the development, licensing and maintenance of software, provision of software as a service, R&D, consultancy services, escrow arrangements and systems integration.
If you sell or market through a website, we can draft your e-commerce terms and conditions, your site and privacy terms, and negotiate the basis on which your site is hosted, maintained and designed. We also advise on the outsourcing of specific IT functions or applications, and on high value business process outsourcing arrangements in relation to back office and front office functions, and where a managed service is provided.
Terms of website use are required to set out the basis upon which a visitor to the site may access and use it. These terms should be used to comply with the website owner’s legislative information requirements by making it clear who operates the site and how to contact them. The terms are also an opportunity for a website owner to limit its liability relating to content on the site via the inclusion of disclaimers relating to reliance on that content.
A privacy notice is required on a website to notify visitors about how their personal data is collected, used, shared, stored, retained and secured by the website operator. From 25th May 2018 website privacy notices will need to comply with the General Data Protection Regulation (GDPR) and should therefore include specific details regarding the legal rights exercisable by individuals in respect of their personal data, including the right to be provided with access to it, to ask for it to be erased and to transfer it to a third party provider.
An acceptable use policy (AUP) will be required if your website contains functionality which allows visitors to upload comments and/or other materials to the site. The AUP should set out the rules and standards governing those uploads and, if drafted carefully, should assist in excluding the website operator’s liability in the event that those uploads are defamatory or breach a third party’s intellectual property rights.
E-commerce websites should contain terms and conditions of sale setting out the terms on which goods and/or services are sold via the website. If sales are made to consumers, website operators will be subject to numerous obligations pursuant to the Consumer Rights Act 2015 and associated regulations, the vast majority of which can be complied with via well drafted terms and conditions of sale.
Under the GDPR, a data controller may only engage a data processor in accordance with the terms of a legally binding contract containing certain mandatory terms. Typically, providers of a cloud-based software-as-a-service platform are data processors under the GDPR, whereas their customers are data controllers, given that the software provider typically processes the personal data of the customer on its behalf.
The mandatory terms which must be set out in contracts for the provision of affected cloud-based software applications are briefly summarised below and more details can be found in our blog:
If you are a cloud software platform provider who is yet to tackle this aspect of GDPR compliance, you will therefore need to: (a) vary the terms of all existing contracts with your customers; and (b) ensure that standard terms and conditions are amended appropriately so that your new customers sign up to compliant agreements.
Subscription and pricing model. Consideration needs to be given as to whether access to the software will be provided on a price-per-user basis or whether the subscription fee will allow unlimited numbers of personnel at a customer organisation to access the platform. If the former, you should include a mechanism in the agreement for additional user subscriptions to be purchased during the term of the licence.
Term and termination. The industry standard is for the licence to last for an initial term of usually a month, a quarter or a year. The licence would then automatically renew for the initial term if neither party serves notice to cancel prior to the end of the initial term or any renewal term.
Data protection. As a provider of a cloud-based software platform, you are likely to be deemed a data processor in accordance with the General Data Protection Regulation (GDPR). If so, your licence must contain certain mandatory terms in accordance with the GDPR. In addition, it’s prudent to add a schedule to the licence setting out the specific technical security measures that you have in place to protect your customer’s personal data.
Availability. SaaS software is typically made available to customers by suppliers on a 24-7 basis. If a warranty of this nature is included in the licence, it should ideally be accompanied by carve-outs for foreseeable periods of downtime. This may include scheduled maintenance which is to periodically take place in stated downtime windows during the term of the licence and/or unscheduled periods of maintenance which can take place at any time, provided your customers are given sufficient notice. Downtime and delays caused by problems with the customer’s internet connection should also be carved out from any 24-7 availability warranty.
Support. If users are provided with helpdesk support, a comprehensive support policy should be provided setting out the extent of that service e.g. methods of contact (telephone, e-mail, live web-chat etc.), hours of operation etc.
IP. The licence should make it clear that your organisation owns all of the intellectual property rights in the software, which are only licensed to the customer during the term. Given that position, customers will usually expect you to indemnify them against any costs they incur defending a third party’s claim relating to ownership of the IP in the software.
Limitations and exclusions of liability. As is the case with all commercial agreements, it’s prudent to insert a cap limiting your total liability to the customer under the licence. Such caps are only enforceable if they are reasonable and a cap based on the total subscription fee paid by the customer is likely to be considered reasonable. Ideally, you should also exclude liability for certain unreasonable heads of loss, such as indirect or consequential losses which haven’t directly arisen from your breach of contract.
Access to source code is essential to allow a party to modify and support the software program to which the source code relates. Software suppliers understandably want to ensure that they keep hold of the source code relating to the software they license to their customers and therefore software is licensed in machine readable object code form. As such, the customer is dependent on the software supplier for modifications, maintenance and error correction of the software on an ongoing basis. If business critical software is being licensed, a savvy customer may require a mechanism that allows them (or a third party appointed by them) to take over these software support functions if the supplier fails to provide them.
An escrow agreement serves as a reasonable compromise to satisfy the supplier’s need to maintain control over its source code and the customer’s need to gain access to the source code in certain circumstances. A copy of the source code is deposited with an independent third party (the escrow agent) which enters into the escrow agreement with the supplier and the customer. Upon the occurrence of any mutually agreed ‘trigger event’, e.g. the supplier becoming insolvent or failing to maintain the software if it has been contracted to do so, the escrow agent will release the source code to the customer for the limited purposes of maintaining and updating the software.
"...sensible, realistic view of cases - seizing only the points worth arguing..."
Chambers UK, A Client's Guide to the Legal Profession