Storage of data outside the EU is forbidden by the GDPR. However, there are no rules without exceptions, e.g.:
- Personal data about air passengers is shared more liberally, e.g. with the US and Australia.
- If the country in question is a so-called safe third country. The EU has a list of these, and it includes (as of May 2018), amongst others, Andorra, the Faroe Islands, Switzerland, New Zealand, and Uruguay, but not the United States of America.
- On July 16th, 2020, the Court of Justice of the European Union (EUCJ) ruled on the “Schrems II” case regarding international transfers of personal data from the EU to the US (and other third countries). This ruling invalidated the Privacy Shield as an accepted measure for transferring personal data between the EU and the US. The remaining legal means for transferring data, e.g. to the US, is then the EU SCC (Standard Contractual Clauses). The services we use that were on the Privacy Shield listing have either been changed or have incorporated the SCC into their (new) DPA.
- We have reached out to all third-party services we use and made sure we agreed on this and have the lawful right to still transfer data.

As for the practical implications for us, you might know that we use Zendesk for our support, and that Zendesk is an American-registered company that stores data outside the EU. Previously the legal reason was Privacy Shield; now the Zendesk DPA has incorporated the Standard Contractual Clauses.