---
title: "GDPR and Cloud Storage: Legally Compliant Handling of Personal Data"
date: 2025-12-02T09:15:00+01:00
author: FAST LTA
canonical_url: "https://www.fast-lta.de//en/blog/dsgvo-und-cloud-speicherung-rechtskonformer-umgang-mit-personenbezogenen-daten"
section: "Entries: Articles"
---
### GDPR Articles 44 to 49: Third-Country Transfers

#### What Is a Third-Country Transfer?

**Third country:** A country outside the EU/EEA (for example the USA, China, Singapore)

**Third-country transfer:** Transmitting personal data to these countries

**The problem:** Many countries outside the EU offer a lower level of data protection. The GDPR allows transfers only if an adequate level of protection is ensured, through an adequacy decision or appropriate safeguards.

#### Which Countries Have an Adequacy Decision?

**The European Commission has recognised, among others:**

- Switzerland
- Japan
- South Korea
- United Kingdom
- Argentina
- Canada (commercial organisations under PIPEDA)
- Uruguay
- New Zealand

**No general adequacy decision exists for:**

- China
- India
- Australia

**The USA is a special case:** Transfers to US companies certified under the EU-US Data Privacy Framework (DPF) are covered by the adequacy decision of 10 July 2023. Transfers to non-certified US companies require other safeguards.

#### Transfers Without an Adequacy Decision (Art. 46 to 49)

If no adequacy decision covers the transfer, you need one of the following instruments:

##### 1. Standard Contractual Clauses (SCC)

**What are they?** Contractual clauses signed by the data importer (for example a cloud provider), committing it to GDPR-level protection even where local law does not require it.

**Problem:** The CJEU made clear in Schrems II (2020) that SCCs alone are not always sufficient. Where the law of the destination country allows disproportionate government access, the exporter must assess the transfer and add supplementary measures, or stop the transfer.

**In practice:** SCCs plus a documented transfer impact assessment plus technical measures (such as encryption with customer-held keys).

##### 2. Binding Corporate Rules (BCR)

**What are they?** Approved internal group policies for multinational corporate groups. The group commits to uniform data protection standards across all locations.

**When to use:** Only for corporate groups, after approval by the competent supervisory authority. Not a realistic option for most SMEs.

##### 3. Derogations (Art. 49)

Narrow exceptions for specific situations, for example explicit consent for a specific transfer or transfers necessary for a contract. Not suitable as a basis for routine, large-scale cloud storage.

---

### GDPR Article 28: Data Processing

#### What Is a Data Processor?

**Controller:** The organisation that determines purposes and means of processing (typically you)

**Data processor:** The organisation that processes data **on your behalf** (for example a cloud provider)

**Example:**

- You collect customer data (controller)
- You store it in AWS S3 (AWS acts as data processor)
- AWS may process the data only in accordance with your documented instructions

#### Requirements for Data Processing

**You must conclude a contract with the data processor (Data Processing Agreement, DPA).**

**Key points in the DPA:**

- Purpose and nature of processing
- Security measures (encryption, access controls)
- Location of processing (cloud region)
- Duration of processing
- Controller’s right to audit
- Deletion or return after contract end
- Sub-processors (including approval mechanisms)

**Major cloud providers offer standard DPA documents:**

- AWS: Data Processing Addendum
- Microsoft Azure: Data Protection Addendum
- Google Cloud: Cloud Data Processing Addendum

**Important:** Without a DPA, you are in breach of GDPR Art. 28, regardless of where the data sits.

---

### “Adequate Level of Protection”: What Does It Mean?

The GDPR requires that personal data transferred outside the EU remains protected at a level essentially equivalent to EU law.

**Criteria the Commission and courts look at:**

- Data protection rules comparable to the GDPR
- Transparency about government access to data
- Limits and proportionality for intelligence and law enforcement access
- Effective redress for affected individuals
- Independent supervision and enforcement

**Why the USA has been contentious:**

- US surveillance law (Section 702 FISA, Executive Order 12333) permits broad intelligence collection on non-US persons
- The CJEU found in Schrems II (2020) that the previous Privacy Shield framework did not provide essentially equivalent protection and lacked effective redress
- The EU-US Data Privacy Framework (2023) introduced new safeguards, including the Data Protection Review Court; the EU General Court upheld the framework in September 2025, and an appeal before the Court of Justice is pending

Separately, the US CLOUD Act (2018) obliges US providers to comply with valid US orders for data they hold, regardless of server location. This does not invalidate the DPF, but it is a factor in any risk assessment for data held by US providers.

---

### Practical Implications

#### Scenario 1: Customer Data with a DPF-Certified US Provider

**Legal position:**

- With DPF certification (AWS, Microsoft and Google are certified): the transfer is covered by the adequacy decision and currently lawful
- With Standard Contractual Clauses alone: possible, but requires a transfer impact assessment and supplementary measures
- Without any transfer mechanism: unlawful

**Residual risk:** The DPF is under judicial challenge. If it is invalidated in the future, organisations relying on it must switch to another mechanism. Plan for that contingency.

#### Scenario 2: Customer Data with an EU Cloud Provider

**Legal position:**

- No third-country transfer occurs if the provider and all sub-processors process data within the EU/EEA
- A DPA under Art. 28 is still required
- Check the ownership structure: an EU subsidiary of a US group may still be subject to US orders for data it holds

#### Scenario 3: Customer Data with a Provider in a Country Without Adequacy

**Legal position:**

- Only possible with SCCs or BCRs plus a transfer impact assessment
- For countries with extensive government access rights and weak redress, the assessment will often come out negative
- **Recommendation:** Avoid for personal and business-critical data

#### Scenario 4: On-Premises Storage

**Legal position:**

- No third-country transfer, no transfer mechanism needed
- You remain responsible for security measures under Art. 32
- For backup and archive data, on-premises systems remove the entire transfer question from scope

---

### Frequently Asked Questions

**Is a DPA sufficient to use a US cloud provider?** No. A DPA governs the processing relationship under Art. 28. For the transfer itself you additionally need a valid transfer mechanism: DPF certification of the provider, or SCCs plus supplementary measures.

**What counts as a supplementary protective measure?** For example:

- Encryption at rest and in transit with keys you control (the provider cannot decrypt)
- Pseudonymisation before upload
- Data minimisation (transfer only what is necessary)

**What happens if I am not compliant?** Fines of up to EUR 20 million or 4% of global annual turnover, whichever is higher. Affected individuals can also claim damages, and supervisory authorities can order the suspension of transfers.

**Is keeping data in the EU automatically compliant?** It removes the third-country transfer problem, which is the hardest part. You still need a DPA, appropriate security measures and a lawful basis for the processing itself. For the most sensitive data, on-premises storage gives you the strongest position: no transfer, no provider dependency, full control.

---

### Further Resources

- [What Is Data Sovereignty? Definition and Three Dimensions](/en/blog/was-ist-datensouveraenitaet/)
- [EU-US Data Privacy Framework: How Stable Is the New Framework?](/en/blog/eu-us-data-privacy-framework/)
- [US CLOUD Act Explained: Why Server Location Alone Does Not Protect You](/en/blog/us-cloud-act-erklaert/)
- [EU Data Act: What Changes for Cloud Users](/en/blog/eu-data-act-cloud-nutzer/)
- [Silent Brick System: On-Premises Secondary Storage](/en/produkte/silent-brick-system/)
- [Request a demo](/en/kontakt/demo/)

### GDPR

The GDPR (General Data Protection Regulation, EU 2016/679) is the European regulation for the protection of personal data — particularly relevant for IT infrastructure in Art. 5 (principles), Art. 17 (right to erasure), Art. 28 (processors) and Art. 32 (security of processing).

[Learn more →](https://www.fast-lta.de//en/glossary/gdpr)

### US CLOUD Act

The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018) authorizes US authorities to require US companies to hand over data — regardless of where that data is physically stored, including servers located in the EU.

[Learn more →](https://www.fast-lta.de//en/glossary/us-cloud-act)

### Data Sovereignty

Data sovereignty describes an organization's complete control over its data: where it is stored, who can access it, which legal framework applies to it and whether it is available at any time without dependency on a single provider.

[Learn more →](https://www.fast-lta.de//en/glossary/data-sovereignty)
