How Is Data Residency in the EU Affected by GDPR and Schrems II?

Data Residency

Data residency refers to the geographical or physical placement of personal data. This includes collecting, storing and processing the data. Each region has its own set of laws and regulations that must be followed. Many data residency requirements restrict data to its country’s borders, which is called “Data Localization”.
General Data Protection Regulation (GDPR) is the European Union’s law that regulates the processing of personal data within the EU.

GDPR in short

The General Data Protection Regulation is a law that protects data and privacy within the European Union (EU) and the European Economic Area (EEA). In 2016, the European Parliament and Council adopted the GDPR to replace the 1955 Data Protection Directive. GDPR includes regulations regarding the transfer of personal data outside the EU and EEA. Most companies handle large amounts of personal data online on a daily basis, so it’s extra important to have laws and regulations that keep that data safe.

What does GDPR Consider Personal Data?

Any information that could directly or indirectly lead to identifying a person is considered personal data according to GDPR. This could be the “name, an identification number, location data, an online identifier, a characteristic which expresses physical, physiological, genetic, mental, commercial, cultural or social identity” of a person.

This definition is broad and it all boils down to correctly interpreting the given definition. For example, a user’s IP address counts as personal data since the provider will be able to identify the person behind the IP address. General examples of personal data include name, address, ID card/Passport number, income, data held by hospitals, etc.

Safe Harbor Privacy Principles

The European Commission’s Data Protection Directive, put in motion in October 1998, prohibited the transfer of personal data of EU citizens to non-EU nations that do not meet the EU’s required standards of privacy protection. To avoid violating EU laws, businesses that wish to collect personal data on EU citizens via a website, mobile app, etc., are urged to become Safe Harbor compliant. Otherwise, you must obtain consent from each country within the EU in order to collect their citizens’ personal data.
The Safe Harbor privacy program ended in October 2015, and organizations were left with very few options to transfer data from the EU.

EU-US Privacy Shield

The EU Commission and Department of Commerce announced a framework called Privacy Shield in August 2016, which would be available from August 1st of that year.
The Privacy Shield agreement allows the transfer of personal data from the EU to the US. GDPR requires that personal data be transferred to countries that are considered to meet its requirements. This framework allows participating companies to meet the requirements for adequate personal data protection. Privacy Shield is integral to US companies operating in the EU.

Are Safe Harbor and Privacy Shield Still Valid?

Safe Harbor was invalidated in 2015 by the Court of Justice of the European Union, and US data transferred based on Safe Harbor is considered unlawful.
The Court of Justice of the European Union declared the Privacy Shield invalid on July 16, 2020.

Schrems II Judgement

In July 2020, the Court of Justice of the European Union (CJEU) announced the invalidation of Privacy Shield. The surveillance capacities of U.S. authorities allow them to surveil EU data subjects without adequate safeguards, which goes against EU fundamental rights, so the Privacy Shield decision was deemed invalid. While it is no longer a valid mechanism for transferring data from the EU, it still acts as a way for companies to show their commitment to meeting the GDPR requirements.

SOC 2 Compliance and Data Privacy

SOC 2 was developed by the American Institute of CPAs (AICPA), and it is intended to ensure a customer’s data privacy. It is based on five trust service principles:

  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy

Outside auditors assess how well a vendor complies with the trust principles above and issue certification based on that. Every six to twelve months, organizations must perform a new SOC 2 audit to ensure that security measures evolve with the ever-changing data privacy requirements.

Is Data Protection Outside the EU Adequate?

Within the EU/EEA, all member states can freely transfer data, as they have the same protection of personal data. However, transferring data outside the EU/EEA is permitted only under certain conditions. It’s important that the country the data lands in has an adequate level of protection. The companies that transfer the data must take protection measures and might have to apply for licenses from a supervisory authority within the European Union, such as the Swedish Authority for Privacy Protection.

Simply put, storing data outside the EU is risky and a lot of hard work, and companies could be facing hefty fines if they make any mistakes. Not complying with the GDPR can result in penalties of up to 4% of a company’s global turnover. In Sweden, several companies have faced penalties, such as Stockholm Public Transport (SL) having to pay a fine of 16 million Swedish Crowns for unlawful surveillance.

monday.com to the rescue!

It may be overwhelming to keep up with the strict data regulations above. This is where monday.com comes into play: they help companies keep their customers’ data secure and give them the opportunity to have their data inside the EU borders.
With over 100,000 accounts around the world, they manage sensitive data from all sorts of industries that require the strictest security measures. monday.com is a cloud-based software platform that allows you to choose who can access your data, when, and from where, which ensures that the right people have access to the data.

Our experts at Omnitas strongly recommend monday.com to those looking for world-class data protection and an intuitive and effective work operating system (Work OS). No matter the size of your organization, monday.com can be the perfect solution to your problems! We at Omnitas have perfected the art of navigating, creating, and managing accounts on monday.com.

Book a meeting with us so we can discuss your upcoming steps!
