Data Transfer Outside the EU: Are You in Violation?
80% of French SMEs transfer data outside the EU without knowing it — via Google Analytics, Mailchimp, Stripe, Slack. Every US SaaS tool used is potentially a transfer. Here's how to audit and comply.
What is a transfer outside the EU?
A transfer of data outside the European Union (and outside the EEA — European Economic Area) occurs whenever personal data of a European resident is sent, stored or made accessible to an entity located in a third country. This includes:
- Sending emails via Mailchimp (USA): transfer.
- Hosting a site on AWS us-east-1: transfer.
- Using HubSpot CRM stored on American servers: transfer.
- Integrating Google Analytics (even with IP anonymization): transfer.
- Allowing a US sub-processor to remotely access your EU servers: transfer.
The Schrems II ruling of the Court of Justice of the European Union (July 2020) invalidated the Privacy Shield (the former EU-US agreement) and imposed strict rules: any transfer to a third country must rely on a valid legal mechanism, and the controller must verify that the destination country offers a level of protection equivalent to the GDPR.
The 5 valid legal mechanisms in 2026
The EU recognizes that certain countries offer an equivalent level of protection: Switzerland (2024 renewal), Canada (PIPEDA), Japan, UK, New Zealand, South Korea, Israel, Argentina. Transfers to these countries = no additional formality.
Adopted July 2023, replaces Privacy Shield. Covers certified US companies (list at dataprivacyframework.gov). Google, Meta, Amazon, Microsoft, Stripe, Mailchimp are on it. Risk: CJEU legal challenge pending.
Standard contracts published by the European Commission (2021 version). Contractually frame transfers. Available on the CNIL website. Applicable to any non-adequate third country. Must be accompanied by a risk assessment (TIA — Transfer Impact Assessment).
For multinational groups: internal data protection policy approved by CNIL. Long and costly process (12-18 months), reserved for large companies.
Explicit consent of the person, contractual necessity, vital interest, public interest mission. These derogations are strictly limited and cannot be used as a general transfer mechanism.
Is your site sending data to the US without knowing it?
RGPDScan detects in 60 seconds all third-party scripts that transfer data outside the EU from your site.
The riskiest transfers for French SMEs
| Tool | Country | Mechanism | Risk |
|---|---|---|---|
| Google Analytics | USA | DPF | Moderate |
| Meta Pixel | USA | DPF | High |
| Mailchimp | USA | DPF + SCC | Moderate |
| Stripe | USA | DPF + SCC | Low |
| HubSpot | USA | DPF + SCC | Moderate |
| Brevo | France | UE | Minimal |
| Plausible | Estonie | UE | None |
Documented sanctions for unlawful transfers
Irish DPC — systematic transfers of EU data to the US via Facebook without sufficient legal mechanism. World record GDPR fine. Decision DPC IN-18-5-5.
Irish DPC — transfers to China, access to children's data by employees in China, lack of transparency. Decision DPC IN-22-9-1.
Formal notice to several French sites for unlawful transfers via Google Analytics to the US. Deliberation MED-2022-008 — reference case law for SMEs.
How to audit your transfers in 4 steps
Complete list: CRM, email, analytics, support, payment, collaboration, HR. Every tool accessing personal data is a potential transfer.
Country ≠ server. A tool hosted in EU but published by a US company = potential transfer (US access possible). Check each tool's privacy policy.
For US: verify DPF certification at dataprivacyframework.gov. Sign the DPA offered by the provider. Keep a timestamped copy.
For each processing involving a transfer: note the legal mechanism, DPA signature date, and destination country. Essential in case of CNIL inspection.
Going further
- Google Analytics: detailed transfer risks
- Meta Pixel: €1.2B fine and compliance
- Complete GDPR compliance checklist
- Sub-processor DPA: the missing clause
- GDPR for SaaS publishers: complete guide