International Data Transfers
Moving personal data across borders is regulated. Under GDPR, sending EU personal data outside the EU/EEA is restricted unless specific safeguards are in place. This is not abstract for us. Choosing a cloud region, a SaaS tool, or an AI provider can quietly export customer data. So data location must be a deliberate, checked decision.
GDPR limits transfers of EU personal data to "third countries" that lack adequate protection. You need a legal mechanism (an adequacy decision, Standard Contractual Clauses, and so on) and often extra safeguards. A "transfer" is not just moving data. It also includes making data accessible from outside the region. So a vendor that stores data or gives support from another country counts.
This is closely linked to data residency (see Azure & Cloud Platform, where running production in the wrong region was a real audit finding) and to choosing vendors (see Vendor & Third-Party Risk). The engineer's job is to know where data goes, keep it in-region by default, and escalate any transfer rather than create one silently.
Keep data where it belongs
- Always: Store and process EU/regulated personal data in the correct region by default. Treat moving it (or making it accessible) outside that region as a decision that needs approval (see Azure & Cloud Platform).
- Do: Know where every service, vendor, backup, and sub-processor actually stores and accesses our data, including support and AI providers (see Vendor & Third-Party Risk).
- Do: Pin cloud resources, queues, storage, and logs to the approved region. Check the defaults, which often are not where you assume (see Infrastructure as Code).
- Consider: That telemetry, analytics, and error-reporting tools often send data abroad. Verify their data location (see Product Analytics Privacy, Observability).
- Never: Send EU personal data to a third country without an approved transfer mechanism and the required safeguards in place.
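
One way to automate the region-pinning check from the list above, as an added example that is not part of the original guideline: a Python gate that reads Terraform plan JSON and reports any resource outside the approved regions or with no location set in the plan. The approved-region list, the resource addresses, and the sample plan are assumptions constructed for illustration.

```python
import json

# Assumption: the approved-region list is illustrative, not taken from this guideline.
APPROVED_REGIONS = {"westeurope", "northeurope"}

# Constructed sample in the shape of `terraform show -json <planfile>` output.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "azurerm_storage_account.exports",
     "change": {"actions": ["create"], "after": {"location": "West Europe"}, "after_unknown": {}}},
    {"address": "azurerm_servicebus_namespace.events",
     "change": {"actions": ["create"], "after": {"location": "eastus"}, "after_unknown": {}}},
    {"address": "azurerm_log_analytics_workspace.logs",
     "change": {"actions": ["update"], "after": {}, "after_unknown": {"location": True}}},
    {"address": "azurerm_storage_account.retired",
     "change": {"actions": ["delete"], "after": None, "after_unknown": {}}},
]})


def normalise(region):
    """Treat 'West Europe' and 'westeurope' as the same region name."""
    return region.replace(" ", "").lower()


def check_plan(plan_json, approved=APPROVED_REGIONS):
    """Return (violations, unverified) as lists of (address, detail) tuples."""
    violations, unverified = [], []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        after = change.get("after")
        if after is None:
            continue  # resource is being deleted, so it will hold no data
        location = after.get("location")
        if location is None:
            # Unset or only known after apply: a default nobody has checked.
            unverified.append((rc["address"], "location not set in plan"))
        elif normalise(location) not in approved:
            violations.append((rc["address"], normalise(location)))
    return violations, unverified


if __name__ == "__main__":
    bad, unknown = check_plan(SAMPLE_PLAN)
    for address, detail in bad:
        print(f"FAIL  {address}: region {detail} is not approved")
    for address, detail in unknown:
        print(f"CHECK {address}: {detail}")
    raise SystemExit(1 if bad or unknown else 0)
```

Resources reported as CHECK are not necessarily wrong. They are the ones whose region depends on a default or a computed value, so someone has to confirm it.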
When a transfer is genuinely needed
- Do: Raise it through the proper process so the legal mechanism (SCCs/adequacy) and safeguards are in place before data moves. Do not improvise it in code.
- Do: Transfer as little as possible, and protect it: only what is needed, encrypted, and ideally pseudonymised (see Data Masking & Redaction).
- Do: Record the transfer and its legal basis so it can be evidenced to a regulator (see Auditability & Evidence).
- Avoid: Choosing a tool or region because it is convenient or cheaper, without checking where it puts our customers' data.
Self-review checklist
- Ask: Where does the personal data in this feature, service, or vendor actually live, and from where is it accessed?
- Ask: Am I about to send or expose EU data outside its region, directly, through a vendor, or through telemetry?
- Ask: If a transfer is needed, is there an approved mechanism, and have I raised it?
- Ask: Are regions explicitly pinned, or am I relying on a default I have not checked?