
Data Moves Cross Borders

A cross-border data transfer scenario: EU collection, non-EU storage/processing, and compliance guardrails.

IaaS, Data residency, GDPR, Legal mechanisms
Case Study

Problem statement

ABC is a US-based taxi service company with a subsidiary operating in the EU. Through its EU operations, ABC collects personal data of EU residents, such as names, addresses, travel history, location data, and payment details when customers pay by card.

While the data is collected in the EU, it is stored and processed on the IaaS of a third-party cloud provider used by the US-based parent company. The cloud provider is American, and its data centers are located in the United States and parts of the APAC region. As a result, EU residents’ data ultimately resides in US data centers.

Question: What due diligence should the EU subsidiary have done, and what laws apply to make this work from a legal and compliance perspective?

Hints

Think: IaaS, Data Sovereignty, Data Localization, Data Residency, Privacy Impact Assessment, Binding Corporate Rules (BCR), Privacy Shield/Treaty & Data Privacy Framework (DPF), and GDPR.

