Sub-processors outside the EU: what Schrems II still requires

Using AWS, Google, or Microsoft? Then some of your data flows through the US. Since Schrems II, that's no longer a given. Here's what actually works today.

Processing EU residents' data outside the EEA is only permitted with explicit safeguards in place. The Schrems II ruling (2020) invalidated the old Privacy Shield.

The current options

\n
• EU-US Data Privacy Framework (2023): the successor to Privacy Shield. Applies to US vendors that have certified under this framework.
\n
• Standard Contractual Clauses (SCCs): European template clauses between an EU and a non-EU party. Often used alongside a Transfer Impact Assessment.
\n
• Binding Corporate Rules (BCRs): used within large corporate groups — not a typical SMB solution.
\n

Microsoft, Google, AWS — where do things stand?

\n
• Microsoft 365: the EU Data Boundary means that EU customer data stays in the EU for most services. Microsoft holds DPF certification for the parts that do touch the US.
\n
• Google Workspace: similar approach — EU data stays in the EU, with DPF covering US-side components.
\n
• AWS: configurable per region. Choose an EU region (Frankfurt, Amsterdam, Ireland). For managed services, check where the control plane is located.
\n
• Cloudflare: data can pass through the global edge network. The Business tier offers an "EU-only" option.
\n

Smaller US SaaS tools (Slack, Notion, Intercom)

Most now hold DPF certification. Check their DPA or trust page. For genuinely sensitive data, consider an EU-based alternative.

Documentation

In your records of processing activities: for each processing activity, note whether data leaves the EU and on what legal basis.

See also: GDPR pillar, DPAs.