Legal Risk 10 min read·

Data Transfer Outside the EU: Are You in Violation?

80% of French SMEs transfer data outside the EU without knowing it — via Google Analytics, Mailchimp, Stripe, Slack. Every US SaaS tool used is potentially a transfer. Here's how to audit and comply.

What is a transfer outside the EU?

A transfer of data outside the European Union (and outside the EEA — European Economic Area) occurs whenever personal data of a European resident is sent, stored or made accessible to an entity located in a third country. This includes:

  • Sending emails via Mailchimp (USA): transfer.
  • Hosting a site on AWS us-east-1: transfer.
  • Using HubSpot CRM stored on American servers: transfer.
  • Integrating Google Analytics (even with IP anonymization): transfer.
  • Allowing a US sub-processor to remotely access your EU servers: transfer.

The Schrems II ruling of the Court of Justice of the European Union (July 2020) invalidated the Privacy Shield (the former EU-US agreement) and imposed strict rules: any transfer to a third country must rely on a valid legal mechanism, and the controller must verify that the destination country offers a level of protection equivalent to the GDPR.

The 5 valid legal mechanisms in 2026

1. Adequacy Decision

The EU recognizes that certain countries offer an equivalent level of protection: Switzerland (2024 renewal), Canada (PIPEDA), Japan, UK, New Zealand, South Korea, Israel, Argentina. Transfers to these countries = no additional formality.

2. EU-US Data Privacy Framework (DPF)

Adopted July 2023, replaces Privacy Shield. Covers certified US companies (list at dataprivacyframework.gov). Google, Meta, Amazon, Microsoft, Stripe, Mailchimp are on it. Risk: CJEU legal challenge pending.

3. Standard Contractual Clauses (SCCs)

Standard contracts published by the European Commission (2021 version). Contractually frame transfers. Available on the CNIL website. Applicable to any non-adequate third country. Must be accompanied by a risk assessment (TIA — Transfer Impact Assessment).

4. Binding Corporate Rules (BCRs)

For multinational groups: internal data protection policy approved by CNIL. Long and costly process (12-18 months), reserved for large companies.

5. Art. 49 Derogations (limited)

Explicit consent of the person, contractual necessity, vital interest, public interest mission. These derogations are strictly limited and cannot be used as a general transfer mechanism.

Is your site sending data to the US without knowing it?

RGPDScan detects in 60 seconds all third-party scripts that transfer data outside the EU from your site.

The riskiest transfers for French SMEs

ToolCountryMechanismRisk
Google AnalyticsUSADPFModerate
Meta PixelUSADPFHigh
MailchimpUSADPF + SCCModerate
StripeUSADPF + SCCLow
HubSpotUSADPF + SCCModerate
BrevoFranceUEMinimal
PlausibleEstonieUENone

Documented sanctions for unlawful transfers

Meta Ireland — 1,2 Md€ (2023)

Irish DPC — systematic transfers of EU data to the US via Facebook without sufficient legal mechanism. World record GDPR fine. Decision DPC IN-18-5-5.

TikTok — 345 M€ (2023)

Irish DPC — transfers to China, access to children's data by employees in China, lack of transparency. Decision DPC IN-22-9-1.

CNIL → Google Analytics (2022)

Formal notice to several French sites for unlawful transfers via Google Analytics to the US. Deliberation MED-2022-008 — reference case law for SMEs.

How to audit your transfers in 4 steps

1
Inventory all your SaaS tools

Complete list: CRM, email, analytics, support, payment, collaboration, HR. Every tool accessing personal data is a potential transfer.

2
Identify the publisher's country

Country ≠ server. A tool hosted in EU but published by a US company = potential transfer (US access possible). Check each tool's privacy policy.

3
Verify the legal mechanism

For US: verify DPF certification at dataprivacyframework.gov. Sign the DPA offered by the provider. Keep a timestamped copy.

4
Document in the register

For each processing involving a transfer: note the legal mechanism, DPA signature date, and destination country. Essential in case of CNIL inspection.

Going further

Frequently asked questions

Does using Stripe constitute a transfer outside the EU?
Yes. Stripe Inc. is a US company. Even if your data transits through European servers, Stripe can access it from the US. Stripe is DPF-certified and offers an Art. 28-compliant DPA. Signable online from your Stripe dashboard.
Is the Data Privacy Framework reliable in 2026?
Theoretically yes — the EU recognized an adequate level of protection in July 2023. Practically, the DPF faces a legal challenge before the CJEU (NOYB / Max Schrems). A 'Schrems III' invalidation is possible in the medium term. Documenting SCCs as a supplement remains prudent.
Does AWS Frankfurt guarantee GDPR compliance?
Not automatically. AWS EMEA (Luxembourg) is the legal controller for the EU region, but AWS can access data from the US (Cloud Act). Configure AWS to disable global diagnostics, sign the AWS DPA, and enable the 'EU data only' policy in IAM Organizations.
Can Google Workspace be compliant for a French company?
Yes under conditions: Business/Enterprise subscription with EU Data Regions enabled, signed DPA, commitment to processing in EU regions, disabling AI model improvements on your data. Document in the privacy policy.
What if my sub-processor refuses to sign SCCs?
Change providers or accept the documented risk. A sub-processor refusing SCCs without a valid alternative mechanism exposes your company to a direct CNIL sanction. Note it in your processing register with the decision made.
Are Slack, Notion, Zoom compliant for a French company?
Conditionally. All three are DPF-certified and offer compliant DPAs. Slack and Zoom offer EU storage options. Notion is less robust on this point. In all cases: sign the DPA, enable EU region if available, document in the register.

Detect your transfers outside the EU in 60 seconds

RGPDScan identifies all third-party scripts that transfer data outside Europe from your site. Free scan.