Data Protection & Compliance Glossary

GDPR Third-Country Transfers - Structuring International Data Transfers in a Legally Compliant Way

Chapter V of the GDPR governs the transfer of personal data to third countries outside the EU/EEA. The legal bases are: adequacy decisions (e.g., the EU-US DPF since 2023), Standard Contractual Clauses (SCCs), Binding Corporate Rules, and exceptions under Article 49. U.S. cloud services (AWS, Azure, Google, Salesforce) have been legally usable again since the EU-US Data Privacy Framework.

GDPR data transfers to third countries pose a practical problem for many companies: the desired cloud service is based in the U.S., and the GDPR imposes strict requirements on data transfers there. The EU-U.S. Data Privacy Framework (2023) has clarified the situation—but pitfalls remain.

Why data transfers to third countries are regulated

The fundamental problem: The GDPR applies to the processing of EU citizens’ data. Non-EU countries typically have lower data protection standards.

Without regulation, an EU company would send data to a U.S. cloud, U.S. authorities would have access, and the affected EU citizen would have no right to sue U.S. authorities—GDPR protection would effectively be undermined.

Art. 44 GDPR – Basic Principle:

> “A transfer of personal data that is being processed or is intended to be processed after the transfer to a third country or an international organization is permitted only if...” – a legal basis under Articles 45–49 exists.

What is a third country?

  • Any country that is not an EU/EEA member
  • EEA = EU + Norway, Iceland, Liechtenstein
  • After Brexit, the UK is also considered a third country (although an adequacy decision is in place)

Level 1: Adequacy Decision (Art. 45) – Simplest Solution

The European Commission determines that a specific country offers an “adequate level of protection.” The transfer is then permitted without further measures.

Adequate countries (as of 2025):

  • Andorra, Argentina, Canada (commercial), Faroe Islands
  • Guernsey, Israel, Isle of Man, Japan, Jersey
  • New Zealand, Switzerland, South Korea, United Kingdom
  • Uruguay, USA (only DPF-certified companies!)

EU-US Data Privacy Framework (DPF) - since July 2023:

  • Successor to Privacy Shield (overturned in 2020 by Schrems II)
  • US companies can obtain certification: dpf.gov
  • Certified companies: AWS, Microsoft Azure, Google Cloud, Salesforce, HubSpot, Slack, Zoom, etc.
  • Check: dpf.gov/s/search
  • Schrems III risk: Max Schrems (NOYB) has challenged the DPF—as a precautionary measure, the additional use of SCCs is recommended

Level 2: Standard Contractual Clauses (SCCs) – most common practice

  • Contract clauses approved by the EU Commission
  • Legally ensure that the recipient complies with GDPR standards
  • Current version: SCCs 2021 (since June 2021; older versions are invalid!)
  • Require signing with the cloud provider

Setting up AWS SCCs:

  • The AWS Customer Agreement includes a Data Processing Addendum (DPA) that automatically incorporates SCCs—no separate agreement required
  • Check: aws.amazon.com/compliance/gdpr-center

Microsoft Azure SCCs:

  • Online Services DPA + EU SCCs
  • Automatically activated when using Azure

Transfer Impact Assessment (TIA) for SCCs:

  • Mandatory: verify whether SCCs actually provide protection
  • For the U.S.: FISA 702, EO 12333 – Is NSA access possible?
  • For DPF-certified U.S. companies, the TIA is effectively obsolete
  • For other countries: individual TIA required

Level 3: Binding Corporate Rules (BCRs) - for corporate groups

  • Group-internal data protection rules, approved by the competent supervisory authority (Lead-DPA)
  • Enables transfers between group companies worldwide
  • Effort: 2–3 years, several hundred thousand EUR – suitable only for large corporations

Level 4: Exceptions under Art. 49 – only for individual cases

  • Explicit consent of the data subject (not a permanent solution!)
  • Performance of a contract (e.g., hotel booking in the U.S.)
  • Vital interests
  • Substantial public interest
  • Legal claims
  • Publicly accessible registers

> Important: Art. 49 is not a permanent solution for regular transfers!

Practical Implementation

Checklist for US Cloud Services

  1. Check the service provider: Look up DPF certification at dpf.gov/s/search. If certified, the transfer is generally permitted; otherwise, SCCs are required.
  2. Conclude a DPA/AVV: Data Processing Agreement pursuant to Art. 28 GDPR. Usually available in the customer portal (AWS: aws.amazon.com/agreement/; Google: Admin Console → Privacy & Security → DPA).
  3. Check SCCs: Are SCCs part of the DPA? Only the new modules (2021) are valid. Recommended for DPF-certified U.S. providers, but not mandatory.
  4. Update the processing inventory: List service providers as data processors; document data categories, purposes, and transfers to third countries.
  5. Update the privacy policy: Include a reference to transfers to the U.S. based on the EU-U.S. DPF or the Standard Contractual Clauses.

Common pitfalls

1. Google Analytics (Universal Analytics)

  • IP addresses in the US = transfer to a third country
  • Solution: Google Analytics 4 + server-side tagging
  • Alternative: Plausible Analytics (EU server, no transfer)

2. Google Fonts embedded via URL

  • Bavarian Data Protection Authority: Direct links to Google Fonts = GDPR violation
  • Solution: Host fonts locally (simple: npm install fontsource)
  • Munich Regional Court: 100 EUR in damages for direct link to Google Fonts
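A quick way to verify the Google Fonts point above in your own templates is to scan the HTML for any resource pulled from the Google Fonts hosts before the page is deployed. The following Node.js script is an added example written for this glossary entry, not code from the page or from any authority it cites; the sample HTML is constructed inline, and the two hostnames it checks (fonts.googleapis.com, fonts.gstatic.com) are the hosts Google Fonts serves stylesheets and font files from. A hit means every visitor's IP address is sent to Google when the page loads, which is the transfer the Bavarian DPA and the Munich court objected to; a relative URL means the font is served from your own origin.

```javascript
// Added example: detect direct Google Fonts embeds in HTML/CSS so they can be
// replaced by locally hosted fonts (e.g. the scoped Fontsource packages,
// "npm install @fontsource/<family>"). Not part of the original glossary page.

// Hosts that indicate a direct Google Fonts embed (stylesheets and font files).
const GOOGLE_FONT_HOSTS = ["fonts.googleapis.com", "fonts.gstatic.com"];

// Constructed sample page: two direct embeds, one preconnect hint and one
// locally hosted stylesheet. Only the first three should be reported.
const SAMPLE_HTML = `
<head>
  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
  <link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto&display=swap">
  <link rel="stylesheet" href="/assets/fonts.css">
  <style>@import url('//fonts.googleapis.com/css?family=Open+Sans');</style>
</head>`;

// True if the URL resolves to one of the Google Fonts hosts. Relative URLs
// (locally hosted assets) have no host and are therefore not flagged.
function isGoogleFontUrl(url) {
  // Protocol-relative links (//fonts.googleapis.com/...) are still external.
  const normalized = url.startsWith("//") ? "https:" + url : url;
  try {
    const host = new URL(normalized).hostname.toLowerCase();
    return GOOGLE_FONT_HOSTS.includes(host);
  } catch {
    return false; // relative or malformed URL: not an external fetch
  }
}

// Collect every distinct URL in the markup that points at a Google Fonts host.
// Covers href/src attributes (link, script, img) as well as CSS url(...) and
// @import "..." inside inline <style> blocks.
function findGoogleFontReferences(html) {
  const found = [];
  const attrRe = /\b(?:href|src)\s*=\s*["']([^"']+)["']/gi;
  const cssRe = /(?:url\(\s*["']?([^"')]+)["']?\s*\)|@import\s+["']([^"']+)["'])/gi;
  for (const re of [attrRe, cssRe]) {
    let m;
    while ((m = re.exec(html)) !== null) {
      const url = m[1] || m[2];
      if (url && isGoogleFontUrl(url)) found.push(url);
    }
  }
  return [...new Set(found)];
}

// Run the check on the constructed sample and return the findings.
function auditSample() {
  return findGoogleFontReferences(SAMPLE_HTML);
}

// Print a short report when run directly: node check-google-fonts.js
for (const url of auditSample()) {
  console.log("external Google Fonts reference:", url);
}

module.exports = { isGoogleFontUrl, findGoogleFontReferences, auditSample };
```

To check a real template, read the file with `fs.readFileSync(path, "utf8")` and pass the string to `findGoogleFontReferences`; an empty result means no direct Google Fonts embed was found in that file (fonts loaded by third-party scripts at runtime would need a browser-side check of network requests instead). With Fontsource the replacement is a locally bundled stylesheet, for example `import "@fontsource/roboto";`, after which the `<link>` to fonts.googleapis.com and the preconnect to fonts.gstatic.com can be removed.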

3. US email providers (Mailchimp, Mailgun)

  • Recipient email addresses = personal data = transfer
  • Check DPF certification and DPA
  • Alternative: EU-hosted providers (Brevo, formerly Sendinblue; CleverReach)

4. Support tools with screen sharing

  • Zendesk, Freshdesk, Intercom: US companies
  • Customer data flows into the support tool
  • Check DPA + DPF/SCCs

5. LinkedIn Recruitment Tool

  • LinkedIn: US company (Microsoft), DPF-certified
  • Applicant data (possibly special categories under Art. 9): extra care required

New Developments (2024-2025)

EU-US Data Privacy Framework - Status as of 2025

  • Status: In effect since July 10, 2023
  • Schrems III risk: Max Schrems (NOYB) has challenged the DPF; the ECJ could overturn it (as with Privacy Shield in 2020)
  • Recommendation: Use SCCs in addition to the DPF (double safeguard: if the DPF fails, the SCCs take effect)

US CLOUD Act

  • US authorities can demand data from US companies—even if it is stored on EU servers
  • Affected: AWS, Azure, Google (US parent companies)
  • The DPF contains safeguards, but the CLOUD Act remains problematic
  • Alternative for highly sensitive data: EU-only cloud (OVH, IONOS, Hetzner) – no US parent company, no CLOUD Act risk

EU Cloud Act (planned)

  • The EU is working on its own framework for government access to cloud data
  • EUCS (EU Cybersecurity Certification Scheme): high level = EU providers only
  • Status 2025: still under development

UK GDPR

  • Following Brexit, the UK has its own version of the GDPR
  • EU → UK: Adequacy decision in place (renewed until 2025)
  • UK → third countries: UK-specific SCCs ("IDTA" - International Data Transfer Agreement)