What are cross-border data-transfer requirements?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Here's the scenario: You've got EU subscribers. You use an ESP based in the US. Their servers are in the US. GDPR says that subscriber data can't just flow across the border without legal protection. You need a mechanism to ensure it's still protected once it lands overseas.
GDPR only allows data to move outside the European Economic Area if one of three things is true. One, the destination country provides "adequate" data protection (as determined by the European Commission). Two, you've put specific contractual safeguards in place. Three, a narrower legal derogation applies to your situation.
Most companies use Standard Contractual Clauses (SCCs). These are pre-written contract terms the EU approved, and both the exporter (you) and the importer (your vendor) sign them. They essentially say the vendor promises to handle data like GDPR requires, even though they're outside the EU. SCCs are the practical go-to for US-based ESPs and SaaS tools. If your vendor hasn't already attached their SCC to your data processing agreement, ask for it.
There's also the EU-US Data Privacy Framework, a newer mechanism that lets US companies certified under this framework transfer data directly from the EU. Some major providers now use this. Ask your vendor which mechanism they rely on.
Here's what makes this complicated: Even with the right contract in place, you should still think through whether the destination country's laws (especially government surveillance laws) might undermine the protections you've put in your contract. That's called a Transfer Impact Assessment, and it's what regulators really want to see. If you're worried about it, supplementary measures like encryption (where you hold the encryption key) can help.
Start simple: Ask your ESP and every other vendor that touches EU subscriber data what transfer mechanism they use (SCC, Data Privacy Framework, or something else). Get it in writing. If you can't get a clear answer, that's your signal to find a vendor with better compliance documentation. Once you've got that sorted, you've closed one of the bigger GDPR gaps that trip up email marketers.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.