Glossary

Cross-Border Data Transfer

Transfer of personal data to countries outside the EEA, requiring additional safeguards under GDPR.

When your startup processes personal data of EU residents using services hosted outside the European Economic Area — such as US-based AI providers, cloud platforms or analytics tools — you are performing a cross-border data transfer. Under GDPR, this requires additional legal safeguards to ensure the data receives equivalent protection.

What you need to do:

  • Check adequacy: If the destination country has an EU adequacy decision (e.g. the EU-US Data Privacy Framework), transfers are permitted without additional measures. Verify your provider participates in the framework.
  • Standard Contractual Clauses (SCCs): For countries without adequacy, use the European Commission's standard contract templates. Most major cloud and AI providers already include SCCs in their terms — check their DPA.
  • Transfer Impact Assessment (TIA): Evaluate whether local laws in the destination country could undermine the protection provided by SCCs. Document your assessment and any supplementary measures.
  • Map your data flows: Create an inventory of all services that process personal data and where that data is stored. This is often more complex than expected — subprocessors may route data through multiple countries.

The Dutch Data Protection Authority provides detailed guidance on international transfers. Tidal Control helps you document data flows, track SCC compliance and maintain your TIA as part of your privacy management system.
