Storage of data outside the EU is forbidden by the GDPR; however, there are no rules without exceptions, e.g.:
- Personal data about air passengers is shared more liberally, e.g. with the US and Australia.
- If the country in question is a so-called safe third country. The EU has a list of these; it includes (as of May 2018), among others, Andorra, the Faroe Islands, Switzerland, New Zealand, and Uruguay, but not the United States of America.
- As far as the US goes, there is an agreement between the US and the EU on this topic, the so-called “EU-U.S. Privacy Shield”. This agreement sets out standards that US companies need to follow in order to be allowed to store European personal data within the US. A searchable list of US companies on the list is found on the website.
Practical implications for us: you might know that we use Zendesk for our support. You might also know that Zendesk is an American-registered company and that they store data outside the EU. As they are found on the Privacy Shield list and have issued us with a Data Processor Agreement (see example of the Zendesk DPA here), we are free to use them as a supplier, including storage of customers' email addresses and names.