Transferring personal data to non-EU countries (in particular the US)

Last changed: 11 June 2024

If you use or co-operate with another party to process personal data, you must know in which country the other party is based. This page contains recommendations from SLU’s legal counsel and other important information on the transfer of personal data.

The General Data Protection Regulation (GDPR) allows the transfer of personal data to other countries within the EU and the EEA. Other countries – the United States, the United Kingdom, Australia, Japan and others – are referred to as ‘third countries’. For personal data to be transferred to a third country, one of the options below must apply.

  1. There is an adequacy decision by the European Commission.

  2. The recipient country is deemed to have an adequate level of protection under the GDPR and the European Commission’s standard contractual clauses are included in the agreement.

  3. For transfers to the United States, the recipient organisation/actor must be party to a specific agreement.

Please note that if the personal data is transferred to a server in the EU/EEA owned by, for example, a US company such as Google, Microsoft or Amazon, this is considered a transfer to a third country.

Research projects

For transfers of personal data in international research collaborations involving third countries without an adequacy decision, including the US, see option 2 below.

1. Countries with an adequacy decision by the European Commission

The European Commission can decide that a country has an adequate level of protection and that personal data can therefore be transferred to that country without any specific authorisation. In the GDPR, this is called an adequate level of protection.

Such a decision can also apply to a specific territory, an international organisation or one or more sectors in a third country. Only the European Commission can make such a decision.

The following countries have been granted adequacy status by the European Commission and are therefore authorised:

  • Andorra
  • Argentina
  • Faroe Islands
  • Guernsey
  • Isle of Man
  • Israel
  • Japan
  • Jersey
  • New Zealand
  • Switzerland
  • South Korea
  • United Kingdom
  • Uruguay

The European Commission has also recognised Canada as having an adequate level of protection if its legislation on the protection of personal data in the private sector applies to the recipient's processing of personal data.

2. European Commission's standard contractual clauses

The European Commission's standard contractual clauses can be used as a basis for transferring personal data to countries outside the EU provided that the recipient country, in practice, complies with the standard clauses. For SLU to be able to determine whether this is the case, we must assess in each case whether the data will be adequately protected.

This assessment will take into account whether the legal system of the recipient country allows national authorities to access the transferred data without judicial review.

You must make this assessment before initiating a transfer. You should therefore look at which personal data really needs to be transferred. Can you change your working methods to avoid transferring personal data? If it is a research project, can the data be pseudonymised?

If you are considering transferring personal data to a party in a third country under standard contractual clauses, please contact dataskydd@slu.se for a discussion.

3. Transferring personal data to a cloud service or a service in the US

The United States is home to several major IT providers such as Google, Amazon and Microsoft, and many providers of various cloud services are based in the US. There have been several attempts to reach an agreement between the EU and the US that would allow the personal data of EU parties to be processed by US parties. One such attempt was the Privacy Shield framework, which was challenged and overturned by the European Court of Justice.

Since July 2023, a new agreement, the EU-U.S. Data Privacy Framework (DPF), allows the transfer of personal data to organisations/actors in the US that are parties to the framework.

Before engaging or cooperating with a US actor, it is important to check whether the actor is included in the list of organisations/actors that are parties to the DPF. If that is not the case, the organisation is not authorised by the European Commission. This means that you will instead have to make an assessment under option 2 above.

SLU’s legal counsel recommend that, if US operators are used, they should be parties to the DPF, and that you should have an exit and change strategy in place should that cease to be the case. The European Centre for Digital Rights (NOYB), an interest organisation, has announced that it will appeal the DPF to the European Court of Justice.