Data Residency (EU vs US)
aka data localisation, EU data centres, data sovereignty
Where customer personal data is stored and processed. Storing inside the EU/EEA simplifies GDPR compliance; processing in the US triggers transfer-mechanism obligations under Schrems II.
Last reviewed April 2026
Definition
Data residency is the answer to 'in which legal jurisdiction does this software actually store and process my customer data?' Under the GDPR, transferring personal data outside the European Economic Area (EEA) requires a valid transfer mechanism, typically the EU-US Data Privacy Framework (DPF) for US-based recipients certified under it, Standard Contractual Clauses (SCCs), or Binding Corporate Rules. The Schrems II ruling (Case C-311/18, 2020) made all transfers to the US conditional on supplementary measures and a Data Transfer Impact Assessment (DTIA) demonstrating an essentially equivalent level of protection. The EU-US Data Privacy Framework adopted in July 2023 partially restored simpler transfers to certified US recipients, but it remains under legal challenge and could be invalidated. Many SaaS providers offer a regional EU instance (Frankfurt, Dublin, Amsterdam) that keeps data inside the EU; others process exclusively in the US or offer 'data at rest in EU, processing globally', which is a different legal posture. Some processors (notably HR and payroll, which handle special-category data) effectively require an EU-only stance for Irish controllers.
Why it matters for software choice
EU-only data residency reduces GDPR transfer obligations to near zero. US or 'global' processing requires SCCs, a DTIA, vendor cooperation, and willingness to defend the choice if Schrems III invalidates the DPF. Ask vendors to confirm in writing exactly where data is stored, replicated, and accessed from.
Authority sources
- Data Protection Commission: International data transfers (www.dataprotection.ie)
- EU Commission: EU-US Data Privacy Framework (commission.europa.eu)
Vendors covered by this term
Claude for Business
Anthropic's AI assistant with strong safety focus, long context handling, and business-grade data privacy
ChatGPT Enterprise
OpenAI's enterprise AI assistant with advanced reasoning, data analysis, and custom GPTs
Microsoft Copilot
AI assistant integrated into Microsoft 365, with EU data boundary for European customers
Gemini Business
Google's AI assistant integrated with Google Workspace, with EU data processing for European customers
HiBob
Modern HR platform designed for mid-size companies with strong culture and engagement tools
BambooHR
Intuitive HR platform for Irish SMEs who need hiring, onboarding, and people management
Related terms
Data Protection Commission
Ireland's national data protection authority. Lead supervisory authority for many large US tech companies headquartered in Dublin under the GDPR's one-stop-shop mechanism.
Standard Contractual Clauses
Pre-approved contractual templates issued by the European Commission for transferring personal data outside the EEA. The default fallback when no adequacy decision applies.
Data Transfer Impact Assessment
Documented assessment of whether a non-EEA jurisdiction provides essentially equivalent protection for personal data, required after Schrems II for transfers under SCCs.
Data Processing Agreement
Mandatory contract under GDPR Article 28 between a data controller and a data processor. Sets out subject matter, duration, processing purposes, and required security measures.