What are cross-border data-transfer requirements?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Here's the scenario: You've got EU subscribers. You use an ESP based in the US. Their servers are in the US. GDPR says that subscriber data can't just flow across the border without legal protection. You need a mechanism to ensure it's still protected once it lands overseas.

GDPR only allows data to move outside the European Economic Area if one of three things is true. One, the destination country provides "adequate" data protection (as determined by the European Commission). Two, you've put specific contractual safeguards in place. Three, a narrower legal derogation applies to your situation.

Most companies use Standard Contractual Clauses (SCCs). These are pre-written contract terms the EU approved, and both the exporter (you) and the importer (your vendor) sign them. They essentially say the vendor promises to handle data like GDPR requires, even though they're outside the EU. SCCs are the practical go-to for US-based ESPs and SaaS tools. If your vendor hasn't already attached their SCC to your data processing agreement, ask for it.

There's also the EU-US Data Privacy Framework, a newer mechanism that lets US companies certified under this framework transfer data directly from the EU. Some major providers now use this. Ask your vendor which mechanism they rely on.

Here's what makes this complicated: Even with the right contract in place, you should still think through whether the destination country's laws (especially government surveillance laws) might undermine the protections you've put in your contract. That's called a Transfer Impact Assessment, and it's what regulators really want to see. If you're worried about it, supplementary measures like encryption (where you hold the encryption key) can help.

Start simple: Ask your ESP and every other vendor that touches EU subscriber data what transfer mechanism they use (SCC, Data Privacy Framework, or something else). Get it in writing. If you can't get a clear answer, that's your signal to find a vendor with better compliance documentation. Once you've got that sorted, you've closed one of the bigger GDPR gaps that trip up email marketers.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Verify your cross-border transfer safeguards.

I'm unclear on whether my international setup complies with cross-border transfer rules. Here's what I'm doing: [Share: Where are my EU subscribers' data stored? Where are my vendors based? Do I have SCCs or Data Privacy Framework agreements? Do I have a transfer impact assessment?] Based on my answers, help me: (1) Confirm I have the right legal mechanism in place, (2) Spot any gaps, (3) What questions to ask my vendors, (4) The fastest way to get compliant.

Edit the yellow boxes, then send to the AI of your choice.