• Mehr als 3 Millionen Wörter Inhalt
  • |
  • info@itmedialaw.com
  • |
  • Tel: 03322 5078053
Rechtsanwalt Marian Härtel - ITMediaLaw

No products in the cart.

  • en English
  • de Deutsch
  • Informationen
    • Ideal partner
    • About lawyer Marian Härtel
    • Quick and flexible access
    • Principles as a lawyer
    • Why a lawyer and business consultant?
    • Focus areas of attorney Marian Härtel
      • Focus on start-ups
      • Investment advice
      • Corporate law
      • Cryptocurrencies, Blockchain and Games
      • AI and SaaS
      • Streamers and influencers
      • Games and esports law
      • IT/IP Law
      • Law firm for GMBH,UG, GbR
      • Law firm for IT/IP and media law
    • The everyday life of an IT lawyer
    • How can I help clients?
    • Testimonials
    • Team: Saskia Härtel – WHO AM I?
    • Agile and lean law firm
    • Price overview
    • Various information
      • Terms
      • Privacy policy
      • Imprint
  • Services
    • Support and advice of agencies
    • Contract review and preparation
    • Games law consulting
    • Consulting for influencers and streamers
    • Advice in e-commerce
    • DLT and Blockchain consulting
    • Legal advice in corporate law: from incorporation to structuring
    • Legal compliance and expert opinions
    • Outsourcing – for companies or law firms
    • Booking as speaker
  • News
    • Gloss / Opinion
    • Law on the Internet
    • Online retail
    • Law and computer games
    • Law and Esport
    • Blockchain and web law
    • Data protection Law
    • Copyright
    • Labour law
    • Competition law
    • Corporate
    • EU law
    • Law on the protection of minors
    • Tax
    • Other
    • Internally
  • Podcast
    • ITMediaLaw Podcast
  • Knowledge base
    • Laws
    • Legal terms
    • Contract types
    • Clause types
    • Forms of financing
    • Legal means
    • Authorities
    • Company forms
    • Tax
    • Concepts
  • Videos
    • Information videos – about Marian Härtel
    • Videos – about me (Couch)
    • Blogpost – individual videos
    • Videos on services
    • Shorts
    • Podcast format
    • Third-party videos
    • Other videos
  • Contact
Kurzberatung
  • Informationen
    • Ideal partner
    • About lawyer Marian Härtel
    • Quick and flexible access
    • Principles as a lawyer
    • Why a lawyer and business consultant?
    • Focus areas of attorney Marian Härtel
      • Focus on start-ups
      • Investment advice
      • Corporate law
      • Cryptocurrencies, Blockchain and Games
      • AI and SaaS
      • Streamers and influencers
      • Games and esports law
      • IT/IP Law
      • Law firm for GMBH,UG, GbR
      • Law firm for IT/IP and media law
    • The everyday life of an IT lawyer
    • How can I help clients?
    • Testimonials
    • Team: Saskia Härtel – WHO AM I?
    • Agile and lean law firm
    • Price overview
    • Various information
      • Terms
      • Privacy policy
      • Imprint
  • Services
    • Support and advice of agencies
    • Contract review and preparation
    • Games law consulting
    • Consulting for influencers and streamers
    • Advice in e-commerce
    • DLT and Blockchain consulting
    • Legal advice in corporate law: from incorporation to structuring
    • Legal compliance and expert opinions
    • Outsourcing – for companies or law firms
    • Booking as speaker
  • News
    • Gloss / Opinion
    • Law on the Internet
    • Online retail
    • Law and computer games
    • Law and Esport
    • Blockchain and web law
    • Data protection Law
    • Copyright
    • Labour law
    • Competition law
    • Corporate
    • EU law
    • Law on the protection of minors
    • Tax
    • Other
    • Internally
  • Podcast
    • ITMediaLaw Podcast
  • Knowledge base
    • Laws
    • Legal terms
    • Contract types
    • Clause types
    • Forms of financing
    • Legal means
    • Authorities
    • Company forms
    • Tax
    • Concepts
  • Videos
    • Information videos – about Marian Härtel
    • Videos – about me (Couch)
    • Blogpost – individual videos
    • Videos on services
    • Shorts
    • Podcast format
    • Third-party videos
    • Other videos
  • Contact
Rechtsanwalt Marian Härtel - ITMediaLaw

Designing your SaaS solution in compliance with data protection regulations as a US company!

5. January 2021
in Data protection Law
Reading Time: 4 mins read
0 0
A A
0
communication 1927706 1280 384x192 1
Key Facts
  • European Court of Justice declared Privacy Shield invalid on July 16, 2020
  • The standard contractual clauses from 2010 remain valid, but with additional conditions for data protection.
  • Over 5,300 companies lose the legal basis for transferring data to the USA.
  • The use of unencrypted data is insecure and inadmissible due to the powers of the US authorities.
  • Companies have to disclose customer information, which puts them at a competitive disadvantage.
  • Obtain the consent of the data subjects for data transfers to the USA.
  • The decision offers opportunities for SaaS providers to adapt their business models and gain competitive advantages.

In its judgment of July 16, 2020 (Case C311/18), the European Court of Justice declared the European Commission’s Decision 2016/1250 on the transfer of personal data to the United States (Privacy Shield) invalid. At the same time, the ECJ found that Commission Decision 2010/87/EC on standard contractual clauses remains valid in principle.

Content Hide
1. What are the consequences of the decision according to the current state of discussion?
2. Simply maintaining a server in the European Union, at least without encrypting the data, is probably not enough.
3. So what do providers who transfer data to the USA need to do?
4. The opportunity for a competitive advantage
4.1. Author: Marian Härtel

As a result of this decision, it is now questionable whether and under what circumstances a US company can offer a SAAS solution in Europe or, more precisely, whether someone in Europe can use the SaaS solution of a US provider without committing a breach of data protection by using it.

What are the consequences of the decision according to the current state of discussion?

The decision deprived more than 5,300 registered companies as processors of the legal basis for transferring and receiving data. The main justification for this is that data transferred to the USA can be processed by the authorities there for the purposes of public security, national defense and national security. As an alternative, there are now only the standard contractual clauses as regulated in Decision 2010/87/EU of 05.02.2010. Theoretically, these can still be used, but only if the level of protection of the GDPR can be guaranteed during and after the transfer by the processor based in the USA. This is unlikely to be the case, at least for unencrypted data and for companies that are not 100% independent of a US company under group law.

Simply maintaining a server in the European Union, at least without encrypting the data, is probably not enough.

Following the ruling, the supervisory authorities will, indeed must, press for the standard contractual clauses to be adapted in line with the ruling. However, it is to be expected that processors will not be able to guarantee the GDPR level of protection due to the far-reaching powers of the US authorities under Section 702 of the Foreign Intelligence Surveillance Act. The transfer of data to the USA is therefore not permitted. According to the ECJ ruling, national authorities are even obliged under Art. 58 (2) f) and j) GDPR to suspend or prohibit data traffic with the USA and to impose heavy fines in the event of a violation. Non-European companies that want to process data from Europeans, be it in the area of streaming, cloud, data processing, etc., will have a hard time. Those who process customer data directly may have three options, but all of them will be difficult to implement.

  1. Customers can be fully informed about the circumstances where and which data is processed and which persons and authorities in the USA have access to this data, possibly even if this data is stored on European servers. As this customer consent may not be hidden in general terms and conditions and must be comprehensive, this is likely to be at least a major competitive disadvantage.
  2. Data can be fully encrypted. And “end to end”. The future will show to what extent this is technically possible, e.g. for streaming solutions etc., where not only the person who uploads the data has access again. It is clear that US providers will require extensive technical updates, adjustments to server structures, legal adjustments and possibly also adjustments to business models.
  3. The data of Europeans may only be processed by companies that are involved in the transfer of data to a US company under group law or by contract. If at all, providers must establish independent European subsidiaries that are only linked to the US company via profit transfer or license agreements, for example. The extent to which this is practicable for the majority of US providers is difficult to assess.

So what do providers who transfer data to the USA need to do?

  • First of all, it must be checked whether there are data processes with the USA that are still based solely on the EU Privacy Shield. This is the obligation of every controller as part of the processing directory pursuant to Art. 30 GDPR. If this is the case, the transfer must be stopped immediately and alternatives must be examined as to how the conversion of the data processes can be managed while remaining in the EU.
  • If standard contractual clauses are used in addition to the EU Privacy Shield or if these must be agreed as an alternative, it must be checked in accordance with the ECJ ruling whether the level of protection can be complied with. Otherwise, data traffic must also be avoided. Under certain circumstances, the standard contractual clauses could be supplemented to the effect that requests from US authorities must be disclosed to the controller so that it can react in such cases and, under certain circumstances, inform its customers or other data subjects of this. Consideration should also be given to having the so-called Binding Corporate Rules approved by the national supervisory authorities in accordance with Art. 47 GDPR. However, this involves a long and cumbersome process.
  • The most important measure to be taken immediately is to obtain the consent of each data subject in accordance with Art. 49 para. 1 a) GDPR. Alternatively, the transfer of data must be based on Art. 49 para. 1 c) GDPR, according to which this is necessary for the performance of a contract between the data subject and the controller. However, this requires a corresponding data protection declaration. However, this legal basis is only a temporary remedy for individual cases and cannot be used for the regular transfer of data to the USA.

The opportunity for a competitive advantage

Even if the ECJ, as an independent judicial body, cannot be assumed to have political intentions, this ruling and the situation can be a great opportunity for a SaaS provider to change its corporate structure and/or business concept in such a way that the above-mentioned points are fulfilled. This would represent a major competitive advantage over all other providers and would also be a great opportunity for marketing, growth and a highly interesting investment case.

The Federal Data Protection Commissioner has also brought into play options for simple data storage such as pseudonymization or the use of trustees who process data on behalf of US companies and who do not have to grant access to US security authorities. As this will take a long time to implement for larger providers, there are enormous opportunities here for smaller, agile providers.

I have and can provide comprehensive advice on these issues and help US providers to create the corporate and other contractual foundations to take advantage of this opportunity.

Simply contact me without obligation and let’s find out how I can help you to offer your own SaaS solution in Germany in a legally compliant manner!

Marian Härtel
Author: Marian Härtel

Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.

Tags: AGBCompetitive advantageCorporateCustomizationInvestmentLizenzmarketingModelPrivacySaasServerSicherheitStandard contractual clausesVerträge

Weitere spannende Blogposts

GTCs are not invalid solely because of their length!

GTCs are not invalid solely because of their length!
7. November 2022

There are two types of legal texts that almost no one reads, but they can have enormous legal effects. Terms...

Read moreDetails

FDP wants to change TMG in line with cookie ruling

ECJ: Cookies require explicit consent of users
23. October 2019

The FDP parliamentary group has tabled an entry to amend the Telemedia Act in response to the ECJ's cookie ruling:...

Read moreDetails

AI and the law: An analysis of 47 US Code § 230 and its implications

AI and the law: An analysis of 47 US Code § 230 and its implications
21. May 2024

As you know, much has already been written on this blog about the legal issues surrounding artificial intelligence (AI). Today,...

Read moreDetails

Fees on SEPA transfers for old contracts inadmissible

Fees on SEPA transfers for old contracts inadmissible
29. October 2019

In a case brought by the VZBV against Vodafone, the Munich Regional Court ruled that the ban on fees for...

Read moreDetails

AI and contract generators for GTC – An opportunity for standard contracts or a risk for your company?

AI and contract generators for GTC – An opportunity for standard contracts or a risk for your company?
9. May 2023

AI and contract generators - the future of T&C creation? In today's digital world, artificial intelligence (AI) and automated processes...

Read moreDetails

New judgment of the Munich Regional Court: The case of the Sky cancel button and its significance

New judgment of the Munich Regional Court: The case of the Sky cancel button and its significance
29. November 2023

Introduction: The recent ruling by the Munich I Regional Court on Sky's cancel button plays a central role in the...

Read moreDetails

New obligations in the transparency register

New obligations in the transparency register
7. November 2022

The Transparency Register is an electronic register designed to provide information on the beneficial owners of companies. In concrete terms,...

Read moreDetails

Advocate General at the ECJ on the admissibility of cheat software

Lego brick still protected as a design patent
14. June 2024

Advocate General at the ECJ on the admissibility of cheat software For many years, I had the opportunity to accompany...

Read moreDetails

Cookies for advertising purposes only with the active consent of the user

ECJ: Cookies require explicit consent of users
5. June 2020

The BGH has ruled on the question of the requirements for consent to telephone advertising and the storage of cookies...

Read moreDetails
Contractual regulations for no-code/low-code software development
Other

Contractual regulations for no-code/low-code software development

21. May 2025

No-code and low-code platforms enable rapid software development without extensive manual programming. Applications are increasingly being developed on the basis...

Read moreDetails
Erotic content on OnlyFans: Copyright and personality rights protection for creators

Erotic content on OnlyFans: Copyright and personality rights protection for creators

20. May 2025
Goodbye hustle culture? Startup life between 24/7 grind and work-life balance

Goodbye hustle culture? Startup life between 24/7 grind and work-life balance

19. May 2025
Startup buzzwords 2025: Bullshit bingo in marketing German Introduction: Bullshit bingo in marketing German

Startup buzzwords 2025: Bullshit bingo in marketing German Introduction: Bullshit bingo in marketing German

18. May 2025
From the metaverse boom to AI euphoria – a tech lawyer in the hype cycle

From the metaverse boom to AI euphoria – a tech lawyer in the hype cycle

17. May 2025

Podcastfolge

AI in law: opportunities, risks and regulation – the IT Media Law Podcast Episode 3

AI in law: opportunities, risks and regulation – the IT Media Law Podcast Episode 3

24. September 2024

Welcome to the third episode of our podcast "IT Media Law"! In this episode, we delve into the fascinating world...

Read moreDetails
9e9bbb286e0d24cb5ca04eccc9b0c902

Legal challenges of innovative business models

1. October 2024
75df8eaa33cd7d3975a96b022c65c6e4

Life as an IT lawyer, work-life balance, family and my career

26. September 2024
da884f9e2769f2f96d6b74255be62c27

The role of the IT lawyer

5. September 2024
d5ab3414c7c4a7a5040c3c3c60451c44

The metaverse – legal challenges in virtual worlds

26. September 2024

Video

My transparent billing

My transparent billing

10. February 2025

In this video, I talk a bit about transparent billing and how I communicate what it costs to work with...

Read moreDetails
Fascination between law and technology

Fascination between law and technology

10. February 2025
My two biggest challenges are?

My two biggest challenges are?

10. February 2025
What really makes me happy

What really makes me happy

10. February 2025
What I love about my job!

What I love about my job!

10. February 2025
  • Privacy policy
  • Imprint
  • Contact
  • About lawyer Marian Härtel
Marian Härtel, Rathenaustr. 58a, 14612 Falkensee, info@itmedialaw.com

Marian Härtel - Rechtsanwalt für IT-Recht, Medienrecht und Startups, mit einem Fokus auf innovative Geschäftsmodelle, Games, KI und Finanzierungsberatung.

Welcome Back!

Login to your account below

Forgotten Password? Sign Up

Create New Account!

Fill the forms below to register

All fields are required. Log In

Retrieve your password

Please enter your username or email address to reset your password.

Log In
  • Informationen
    • Ideal partner
    • About lawyer Marian Härtel
    • Quick and flexible access
    • Principles as a lawyer
    • Why a lawyer and business consultant?
    • Focus areas of attorney Marian Härtel
      • Focus on start-ups
      • Investment advice
      • Corporate law
      • Cryptocurrencies, Blockchain and Games
      • AI and SaaS
      • Streamers and influencers
      • Games and esports law
      • IT/IP Law
      • Law firm for GMBH,UG, GbR
      • Law firm for IT/IP and media law
    • The everyday life of an IT lawyer
    • How can I help clients?
    • Testimonials
    • Team: Saskia Härtel – WHO AM I?
    • Agile and lean law firm
    • Price overview
    • Various information
      • Terms
      • Privacy policy
      • Imprint
  • Services
    • Support and advice of agencies
    • Contract review and preparation
    • Games law consulting
    • Consulting for influencers and streamers
    • Advice in e-commerce
    • DLT and Blockchain consulting
    • Legal advice in corporate law: from incorporation to structuring
    • Legal compliance and expert opinions
    • Outsourcing – for companies or law firms
    • Booking as speaker
  • News
    • Gloss / Opinion
    • Law on the Internet
    • Online retail
    • Law and computer games
    • Law and Esport
    • Blockchain and web law
    • Data protection Law
    • Copyright
    • Labour law
    • Competition law
    • Corporate
    • EU law
    • Law on the protection of minors
    • Tax
    • Other
    • Internally
  • Podcast
    • ITMediaLaw Podcast
  • Knowledge base
    • Laws
    • Legal terms
    • Contract types
    • Clause types
    • Forms of financing
    • Legal means
    • Authorities
    • Company forms
    • Tax
    • Concepts
  • Videos
    • Information videos – about Marian Härtel
    • Videos – about me (Couch)
    • Blogpost – individual videos
    • Videos on services
    • Shorts
    • Podcast format
    • Third-party videos
    • Other videos
  • Contact
  • en English
  • de Deutsch
Kostenlose Kurzberatung