## Overview
Many AI systems are based on cloud infrastructure or external API services. As soon as personal data are transmitted to providers outside the European Union or the European Economic Area, a so-called third-country transfer occurs.
Art. 44--49 GDPR regulate the conditions for such transfers. Particularly when using US-based AI providers, cloud services or LLM APIs, the question regularly arises: Is this permissible under data protection law?
This article explains:
- When a third-country transfer occurs
- Which legal mechanisms are permissible
- The role of the EU-US Data Privacy Framework
- Standard Contractual Clauses (SCCs)
- Transfer Impact Assessment (TIA)
- AI-specific issues
## When Does a Third-Country Transfer Occur?
A third-country transfer occurs when personal data are transmitted to, or made accessible to, a recipient outside the EU/EEA.
This can happen through:
- Cloud storage
- API calls
- Remote access
- Support services
**Misconception:** A third-country transfer also occurs when data are stored in the EU but access from a third country is possible.
## Typical AI Scenarios
| Scenario | Third-Country Transfer? |
|---|---|
| Using a US LLM via API | Yes |
| EU cloud provider with US parent company | Case-by-case assessment |
| On-premise model without external access | No |
| EU provider with sub-processor in third country | Yes |
## Legal Mechanisms for Third-Country Transfers
The GDPR permits third-country transfers only if an adequate level of protection is guaranteed.
### Adequacy Decision (Art. 45)
The European Commission can determine that a third country provides an adequate level of data protection.
Example:
- EU-US Data Privacy Framework (DPF)
Prerequisite:
- The specific provider is certified.
**Check the DPF:** Not every US provider is automatically DPF-certified. An individual assessment is required.
### Standard Contractual Clauses (SCCs) -- Art. 46
SCCs are contract templates approved by the European Commission.
They regulate:
- Data protection obligations
- Data subject rights
- Liability
- Security measures
SCCs are the most common mechanism for AI cloud services.
### Transfer Impact Assessment (TIA)
Following the Schrems II judgment, the following must additionally be assessed:
- Whether government access possibilities exist in the third country
- Whether these are compatible with EU fundamental rights
- Whether additional protective measures are required
The TIA documents this assessment.
### Schrems II -- Significance for AI
The CJEU clarified:
- SCCs alone are not always sufficient
- A risk assessment is required
Relevance for AI:
- Major US cloud providers
- Training data processing
- API-based LLM usage
## Additional Protective Measures
Technical measures may include:
- End-to-end encryption
- Pseudonymisation before transmission
- Data minimisation
- Access restrictions
Organisational measures:
- Contract controls
- Sub-processor transparency
- Audit rights
## API Call to a US LLM -- Is That a Transfer?
Yes, if:
- personal data are contained in the prompt
- the model processes them
- storage or logging occurs
Therefore, the following should be assessed:
- Logging policies
- Retention periods
- Training usage
- Sub-processor chains
**Prompt Contents:** Personal data in prompts can trigger a third-country transfer.
## Exceptional Cases (Art. 49)
In exceptional cases, transfers are permissible:
- Explicit consent
- Performance of a contract
- Establishment of legal claims
These exceptions are to be interpreted restrictively and are not intended as permanent solutions.
## Connection to the EU AI Act
The AI Act additionally requires:
- Transparency regarding data sources
- Risk management
- Documentation
Third-country transfers can form part of data governance obligations.
## Practical Implementation
### Step 1 -- Transfer Inventory
- Which AI services are being used?
- Where are the servers located?
- Who has access?
### Step 2 -- Assess Legal Mechanism
- Is DPF certification available?
- Are SCCs concluded?
- Has a TIA been conducted?
### Step 3 -- Technical Protective Measures
- Is encryption implemented?
- Is pseudonymisation applied before API calls?
### Step 4 -- Documentation
- Update records of processing activities
- Document third-country transfers
- Archive contractual documents
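One way to put "pseudonymisation before API calls" (Step 3) and the documentation of what was transferred (Step 4) into practice, as an added example that is not part of the original article: identifiers are swapped for placeholder tokens before the prompt leaves the EU, the token-to-value mapping stays local, the outgoing text is gated for residual identifiers, and the provider's answer is re-identified on return. The regex patterns, the `PseudonymisationResult` type and the sample prompt are constructed for illustration; a production gateway would use a proper PII classifier.

```python
import re
from dataclasses import dataclass, field

# Constructed patterns for two categories of personal data; a production gateway
# would use a proper PII classifier, these regexes only illustrate the control.
PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "PHONE": re.compile(r"\+?\d[\d ()/-]{7,}\d"),
}


@dataclass
class PseudonymisationResult:
    text: str                                     # the only thing that leaves the EU
    mapping: dict = field(default_factory=dict)   # token -> original, kept locally

    def categories(self) -> dict:
        """Per-category counts for the record of processing: what left, not the values."""
        counts: dict = {}
        for token in self.mapping:
            category = token.strip("<>").rsplit("_", 1)[0]
            counts[category] = counts.get(category, 0) + 1
        return counts


def pseudonymise(prompt: str) -> PseudonymisationResult:
    """Swap identifiers for stable placeholder tokens before the prompt is sent."""
    result = PseudonymisationResult(text=prompt)
    reverse: dict = {}  # original -> token, so repeats of one value share a token
    for category, pattern in PATTERNS.items():
        counter = 0

        def replace(match: re.Match) -> str:
            nonlocal counter
            original = match.group(0)
            if original not in reverse:
                counter += 1
                reverse[original] = f"<{category}_{counter}>"
                result.mapping[reverse[original]] = original
            return reverse[original]

        result.text = pattern.sub(replace, result.text)
    return result


def residual_identifiers(text: str) -> int:
    """Gate before the API call: number of identifiers still present in the outgoing text."""
    return sum(len(p.findall(text)) for p in PATTERNS.values())


def reidentify(response: str, mapping: dict) -> str:
    """Restore the originals in the provider's answer, locally, after it returns."""
    for token, original in mapping.items():
        response = response.replace(token, original)
    return response
```

Only `result.text` is handed to the external API; `result.mapping` and the output of `categories()` stay with the controller and feed the documentation in Step 4.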
## Common Errors
| Error | Risk |
|---|---|
| No assessment of sub-processors | Violation of Art. 28 & 44 |
| Reliance on SCCs without TIA | Schrems II risk |
| Unchecked API prompts | Uncontrolled data transfer |
| Missing documentation | Violation of accountability |
## Governance Recommendation
Third-country transfers should:
- be audited regularly
- be part of the AI architecture review
- be coordinated with security and compliance teams
Particularly with generative AI, transparency about data flows is decisive.
## Need help implementing?
Work with Creativate AI Studio to design, validate and implement AI systems — technically sound, compliant and production-ready.
## Need legal clarity?
For specific legal questions on the AI Act and GDPR, specialized legal advice focusing on AI regulation, data protection and compliance structures is available.
Independent legal advice. No automated legal information. The platform ai-playbook.eu does not provide legal advice.
## Next Steps
- Identify all AI-related third-country transfers.
- Check DPF certifications or SCCs.
- Conduct a Transfer Impact Assessment.
- Implement technical protective measures.
- Update your privacy notice accordingly.