Burst SMS often receives questions about the locality of data we process for our customers – where data is being stored depending on where it originates. Businesses all over the world use and trust Burst SMS, and they interact with their users also everywhere in the world.

In new world of GDPR, the question of “where are you keeping my data” is coming up even more. That question, particularly if you’re a small shop, may also be getting you down. Maybe you’ve built your app on the Burst SMS platform or use other non-European Union based service providers. Maybe your own operations are not based in the EU, but you have lots of EU-based users. Even the spectre that you might have to re-architect your app and invest in new infrastructure in the EU just to make sure EU personal data stays in the EU could feel like an existential threat.

Unfortunately, there is a lot of misunderstanding and misinformation on this topic. While some believe (or would try to have you believe) that EU personal data can’t leave the EU, this is simply not true.

What does GDPR say about transferring personal data out of the EU?

Chapter 5 of GDPR is titled “Transfers of personal data to third countries or international organisations” and consists of Articles 44 through 50.

The general principle for transfers is outlined in Article 44, which can be summed up as saying, if you transfer EU personal data out of the EU, make sure that this data still enjoys the same level of protection it gets under GDPR. In other words, the entity or company that you pass the data to outside the EU must be under a legally binding obligation to follow GDPR data protection principles or the equivalent. 

This legally binding obligation can be achieved in multiple ways. Here is a sampling:

  • The entity to whom you pass the data to happens to be in a country that has data protection laws that are just as strong as GDPR (as determined by the EU Commission).

  • The entity to whom you pass the data to agrees by legally binding contract to follow GDPR principles of data protection.

  • The company has enacted Binding Corporate Rules.

  • There is some regulatory-approved code of conduct to which the entity subscribes.

Notably, the existing law, the Data Protection Directive, already has these same cross-border transfer rules. GDPR is not actually creating a sudden sea change when it comes to data transfer.

What does a transfer mean?

A transfer may mean moving the source data to a machine outside the EU, but it can also be when an employee outside the EU views the data. For instance, a developer in Vietnam may be looking at the logs, or a support engineer in the Philippines may be helping a customer and view their data. At that point, the data moves, and the transfer is occurring. To ensure there were no transfers, you have to make sure that all the machines, and all the people that could interact with the data are all in the EEA. Both storage in, processing in, and access from outside the EEA all count as transfer. Don’t dismay. Remember, all of this is okay if you agree to apply GDPR data protection principles to EU personal data wherever it goes and use an approved transfer safeguard.

What this means to you?

GDPR says a lot about how you can get the data, how you manage it, and when and for what you are allowed to use it. But it doesn’t place any absolute restrictions on the location of the data. If you’re complying with GDPR’s principles in how you handle data, the requirements of these safeguards should not be hard to meet. As long as you make use of the recognized GDPR safeguards available like standard contractual clauses with vendors like Burst SMS who offer these cross-border transfer safeguards to help enable customers to be 100% GDPR compliant as we are.