Executive Summary: International data transfers

By using web analytics tools you transmit data to the third parties providing the service. If the third-party provider is located outside the European Economic Area (EEA), the operator must comply with the regulatory framework for international data transfers under the General Data Protection Regulation (GDPR).

The transfer of personal data to third parties outside the EEA can be based solely on user consent if the third country, where the data recipients are located, has an adequacy decision by the EU Commission, i.e. confirmation of an adequate level of data protection. If such is not given, user consent is not a sufficient legal basis and the transfer needs an alternative justification.

Following the invalidation of the EU-U.S. Privacy Shield by the CJEU Schrems II ruling, practically the only remaining option for the data transfer to third-party providers based in the U.S., such as Google Analytics, is to rely on standard contractual clauses.

However, according to the ruling even if standard contractual clauses are in place, you must provide “supplementary measures” to protect against access by U.S. authorities and to ensure effective legal protection for data subjects against unauthorized access.

According to the guidelines of the European Data Protection Board (EDPB), pseudonymization is an effective supplementary measure as long as the singling-out or re-identification of individual users is not possible.

For the UK, no longer a member of the EU, different rules may apply.

Please be aware that this only serves informational purposes and does not constitute legal advice.