Quick Answer
Every transfer of EU personal data outside the EEA requires a legal transfer mechanism under GDPR Chapter V. The TikTok €530 million fine (30 April 2025) enforced, at scale, the rule the CJEU set in Schrems II (2020): Standard Contractual Clauses alone are not sufficient if you haven't assessed whether the destination country's laws provide essentially equivalent protection. For US-based organizations processing EU customer CSV files, this means transfer impact assessments, SCCs, and, where the assessment calls for them, supplementary measures are required, not optional. Uploading an EU customer CSV to a US-based cloud CSV tool is a cross-border transfer.
Fast Fix (2 Minutes)
If you're processing EU customer CSV files on US-based tools and haven't reviewed GDPR transfer obligations:
- Identify whether your CSV contains EU personal data — any identifiable EU/EEA resident: name, email, IP, location, customer ID tied to an EU account.
- Check where your processing tool is hosted — US-based cloud CSV tools process files on US servers. That's a transfer outside the EEA under GDPR Chapter V.
- Check whether a DPA or SCCs exist — your tool's terms of service or privacy policy should reference EU Standard Contractual Clauses (SCCs). If absent, the transfer may lack a legal basis.
- Conduct a Transfer Impact Assessment (TIA) — assess whether US law provides essentially equivalent protection to EU law. The TikTok fine clarified that SCCs alone are not sufficient without this assessment.
- Consider local processing — SplitForge Data Masking processes files in your browser. For raw file contents, nothing is transmitted to any server, eliminating the transfer entirely.
TL;DR: Uploading an EU customer CSV to a US cloud tool is a cross-border personal data transfer under GDPR. TikTok's €530 million fine confirmed, in enforcement, that SCCs are necessary but not sufficient: organizations must also assess whether US laws provide essentially equivalent protection. The most direct way to eliminate transfer risk for CSV processing is to process locally. If you use cloud tools, verify SCCs are in place and a Transfer Impact Assessment has been conducted.
Table of Contents
- What "Cross-Border Transfer" Means for CSV Files
- Operator Rules: Cross-Border CSV Transfers
- GDPR Chapter V: The Three Transfer Mechanisms
- Transfer Decision Tree
- Transfer Impact Assessment: What TikTok's Fine Requires You to Do
- What This Means for Cloud CSV Tools
- Common Mistakes Teams Make With EU Customer CSV Transfers
- The EU-US Data Privacy Framework
- Practical Steps for EU Customer CSV Workflows
- Additional Resources
- FAQ
On 30 April 2025, the Irish Data Protection Commission fined TikTok €530 million for transferring EEA user data to China without adequately verifying that Chinese law provided essentially equivalent protection to EU standards. The fine, €485 million for the transfer violation under Article 46(1) GDPR and €45 million for transparency failures under Article 13(1)(f), is one of the largest GDPR penalties ever imposed (among Chapter V cases only Meta's €1.2 billion fine of May 2023 for EU-US transfers is larger) and the first enforcement action specifically targeting data transfers to China.
The DPC's decision established a precedent that matters beyond TikTok and beyond China. The ruling confirmed that remote access to EU personal data by personnel in a third country is a "transfer" under GDPR, regardless of where the data is physically stored. Standard Contractual Clauses do not automatically validate a transfer — the organization must assess and verify that the destination country's laws and practices do not undermine the SCCs' protections.
For data teams processing EU customer CSVs, the implications are concrete. Uploading a file containing EU customer names, emails, or behavioral data to any US-based cloud processing tool is a cross-border transfer subject to these rules.
Each scenario in this post was assessed against GDPR Chapter V requirements and the Irish DPC's 30 April 2025 decision in March 2026.
What "Cross-Border Transfer" Means for CSV Files
A cross-border transfer under GDPR occurs when personal data moves from inside the EEA to a location outside the EEA, including by remote access.
The DPC's TikTok ruling explicitly confirmed that remote access counts as a transfer. An employee in the US accessing EU customer data stored in an EU server is a transfer. A cloud tool processing EU CSV data on US servers is a transfer. A US-based SaaS platform with EU customers uploading data to a US backend is a transfer.
❌ TRANSFER SCENARIO (triggers Chapter V obligations):
EU customer CSV → Upload to US-based cloud CSV tool
→ File processed on US servers
→ Transfer of EU personal data outside EEA
→ Requires: Article 6 basis for the processing + transfer mechanism (SCCs or DPF adequacy) + TIA + supplementary measures where the TIA calls for them
REDUCED EXPOSURE:
EU customer CSV → Process locally in browser (Web Worker threads)
→ File never leaves the machine
→ No transfer occurs
→ Chapter V obligations don't arise for the processing step
The second scenario doesn't eliminate all GDPR obligations — but it eliminates Chapter V transfer obligations for the processing activity itself.
The rule that matters most: if you upload a file containing EU personal data before anonymizing it, you have already triggered Chapter V. The transfer obligation arises at the moment of upload, not at the moment of sharing the output. Anonymize or minimize locally first. Output that is genuinely anonymized (no individual can be singled out by any means reasonably likely to be used, GDPR Recital 26) is outside GDPR scope. Output that is only pseudonymized, for example e-mail addresses replaced by keyed hashes while you keep the key, is still personal data and still needs a transfer basis, though with a far smaller footprint.
Operator Rules: Cross-Border CSV Transfers
Short. Non-negotiable. Reference these before uploading any EU customer CSV to an external tool.
- If the tool is US-based and not EU-hosted, uploading EU personal data is a cross-border transfer
- SCCs without a Transfer Impact Assessment are not sufficient; Schrems II set that rule in 2020 and TikTok's €530M fine shows it is enforced
- DPF certification lapses — verify at dataprivacyframework.gov before every significant transfer, not just at procurement
- Remote access from US employees to EU-hosted data is still a transfer — server location alone doesn't protect you
- If you upload before anonymizing, you've already triggered Chapter V obligations for that file
- Local processing eliminates the transfer event for the processing step — that's the cleanest path for sensitive workflows
GDPR Chapter V: The Three Transfer Mechanisms
Under GDPR Chapter V, transfers outside the EEA require one of three legal bases:
1. Adequacy decision (Article 45) The European Commission has determined that the destination country provides essentially equivalent protection. The EU-US Data Privacy Framework (DPF) provides an adequacy decision for certified US organizations. If your cloud tool's parent company is DPF-certified, this may provide a transfer basis — but verify current certification at dataprivacyframework.gov.
2. Standard Contractual Clauses (Article 46(2)(c)) Pre-approved contract clauses between the exporter (you) and the importer (the cloud tool). SCCs are the most common transfer mechanism. Since Schrems II (CJEU, July 2020) they must be accompanied by a Transfer Impact Assessment, and the TikTok decision shows that an inadequate assessment is fined.
3. Binding Corporate Rules (Article 47), approved codes of conduct, or certification mechanisms (Article 46(2)(e) and (f)) Used primarily within corporate groups or for specific industry frameworks. Less common for CSV tool procurement.
What about derogations (Article 49)? Derogations — including explicit consent, contractual necessity, and vital interests — exist under Article 49 but are narrow exceptions, not routine transfer mechanisms. The EDPB has repeatedly cautioned against relying on Article 49 for systematic transfers.
What this means for your EU customer CSV workflows:
- If your cloud CSV tool is US-based and not DPF-certified, you need SCCs plus a Transfer Impact Assessment before uploading any EU personal data
- EU-hosted instances of US cloud tools (for example AWS eu-west-1 or Azure West Europe) generally avoid the transfer trigger, provided the vendor's personnel do not access the instance from outside the EEA (see Mistake 2 below); verify both the region and the access model before uploading
- Processing locally eliminates the transfer event for the processing step itself, removing the Chapter V requirement for that activity
Transfer Decision Tree
Use this before uploading any EU customer CSV to an external tool:
Does the file contain EU/EEA personal data?
│
├── NO → Chapter V does not apply. Normal GDPR obligations still apply.
│
└── YES → Is the processing tool hosted in the EEA?
    │
    ├── YES (EU-hosted instance confirmed, no remote access from outside the EEA) → No transfer. Proceed.
    │
    └── NO (US or non-EEA servers) → Transfer triggered.
        │
        ├── Is the tool DPF-certified? (verify: dataprivacyframework.gov)
        │   ├── YES → Adequacy decision applies. Still verify DPA.
        │   └── NO → Need SCCs + Transfer Impact Assessment.
        │
        ├── Are SCCs in the tool's DPA?
        │   ├── NO → Do not upload. No legal transfer basis.
        │   └── YES → Also need a documented TIA.
        │
        └── Have you conducted a Transfer Impact Assessment?
            ├── YES + documented → Upload, applying any supplementary measures the TIA identified.
            └── NO → Process locally until TIA is complete.
If you reach "process locally" — SplitForge Data Masking processes EU customer CSV files in your browser. For raw file contents, no transfer event occurs for that processing step.
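Added example (not code from the original post or from SplitForge): a Python scan that answers the first question of the tree, "does the file contain personal data?", from the CSV itself rather than from what the column names promise. The header token list, the regexes and the sample rows are assumptions constructed for the demo; the point is that an export whose headers look harmless can still carry e-mail or IP addresses in the cells.

```python
"""Flag the columns of a customer CSV that look like personal data.

Added example, not code from the original article or from any vendor tool.
It implements the first question of the decision tree above ("does the
file contain personal data?") and step 1 of the Fast Fix with header-name
and value heuristics. The header token list and the sample rows are
assumptions constructed for the demo; tune them to your own exports.
"""
import csv
import io
import re

# Header tokens that usually carry a direct or indirect identifier.
# Assumption: most CRM and marketing exports name columns this way.
IDENTIFIER_TOKENS = {
    "name", "firstname", "lastname", "email", "phone", "mobile", "address",
    "street", "postcode", "zip", "ip", "id", "customer", "user", "account",
    "dob", "birthdate", "lat", "lon", "latitude", "longitude",
}

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")
PHONE_CHARS_RE = re.compile(r"\+?[\d\s().-]+")


def header_tokens(header):
    """Split 'Customer ID' / 'customer_id' / 'customerId' into lowercase tokens."""
    spaced = re.sub(r"([a-z])([A-Z])", r"\1 \2", header)
    return {t for t in re.split(r"[^A-Za-z0-9]+", spaced.lower()) if t}


def looks_like_phone(value):
    """Phone-ish: only dial characters and at least seven digits, so a
    price such as 120.50 is not flagged."""
    return bool(PHONE_CHARS_RE.fullmatch(value)) and sum(c.isdigit() for c in value) >= 7


def scan_csv(text, sample_rows=200):
    """Return {column: [reasons]} for every column that looks like personal data.

    A column is flagged by its header name, by the values it holds, or both.
    Only the first `sample_rows` data rows are inspected so the scan stays
    cheap on large exports; raise it if identifiers appear sparsely.
    """
    reader = csv.DictReader(io.StringIO(text))
    findings = {}
    for header in reader.fieldnames or []:
        if header_tokens(header) & IDENTIFIER_TOKENS:
            findings[header] = ["header name"]

    for i, row in enumerate(reader):
        if i >= sample_rows:
            break
        for header, value in row.items():
            if header is None or not value:  # ragged row or empty cell
                continue
            value = value.strip()
            if EMAIL_RE.fullmatch(value):
                reason = "email value"
            elif IPV4_RE.fullmatch(value):
                reason = "ip value"
            elif looks_like_phone(value):
                reason = "phone value"
            else:
                continue
            reasons = findings.setdefault(header, [])
            if reason not in reasons:
                reasons.append(reason)
    return findings


def contains_personal_data(text):
    """True if any column is flagged: the Chapter V trigger check before upload."""
    return bool(scan_csv(text))


# Constructed sample export. The headers look harmless, but "contact" holds
# e-mail addresses and "src" holds IP addresses, so header checks alone miss them.
SAMPLE_CSV = """segment,contact,src,spend_eur
premium,anna.k@example.org,203.0.113.7,120.50
basic,j.doe@example.com,198.51.100.9,15.00
"""

if __name__ == "__main__":
    for column, reasons in scan_csv(SAMPLE_CSV).items():
        print(f"{column}: {', '.join(reasons)}")
```

Run it over an export before it goes near an external tool; any non-empty result means the rest of the tree applies. Treat a clean result as a prompt for a human check, not as proof: indirect identifiers such as an internal account number under an unusual header, or a rare combination of city and purchase date, will not match these patterns.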
Transfer Impact Assessment: What TikTok's Fine Requires You to Do
The TikTok fine's most important practical implication for CSV workflows: SCCs are necessary but not sufficient.
The Irish DPC found that TikTok had SCCs in place. The fine was imposed because TikTok failed to adequately assess whether those SCCs were effective given Chinese law's actual requirements. The DPC found TikTok's transfer impact assessment was inadequate — it identified divergences from EU standards but did not assess them in the specific context of the specific transfers.
For EU-to-US transfers, a Transfer Impact Assessment must address:
| Assessment Element | What It Covers |
|---|---|
| Destination country legal framework | Do US surveillance laws (CLOUD Act, FISA Section 702) undermine SCCs? |
| Nature of the data | Is the data likely to be of interest to US intelligence agencies? |
| Technical and organizational measures | Does encryption, pseudonymization, or access controls reduce risk? |
| Practical likelihood of access | Has the importer received government access requests before? |
| Importer's response to government requests | Will the importer notify you and challenge overbroad requests? |
For most routine EU customer CSV processing (marketing lists, CRM exports, support ticket data), a TIA will usually conclude that the practical likelihood of US intelligence access is low. That conclusion has to rest on documented, objective elements, as EDPB Recommendations 01/2020 require: the importer's transparency reports, its history of government requests, and the nature of the data, not a bare assertion that the data is uninteresting. A TIA that records those elements and the supplementary measures in place is generally sufficient.
For sensitive categories (health data, financial data, data of minors), the assessment must be more rigorous.
What a TIA looks like in practice (marketing list example):
Data type: EU customer email list and purchase history, no special category data. Names dropped and email addresses pseudonymized before upload (keyed tokens, key held in the EEA).
Destination: US-based cloud CSV tool, AWS us-east-1 region.
Legal framework assessed: CLOUD Act (enables US government requests for data held by US providers, wherever it is stored); FISA Section 702 (foreign-intelligence targeting of non-US persons; standard marketing lists are unlikely targets).
Likelihood of access: low for routine marketing data, supported by the importer's published transparency reports and its documented history of government requests.
Supplementary measures: pseudonymization with the re-identification key kept in the EEA; data minimization to the columns the tool needs; contractual obligation on the importer to notify you of and challenge government requests. Encryption in transit and at rest is still required as a security control, but where the importer holds the keys it does not limit what the importer can be compelled to disclose, so it does not count as a supplementary measure in the EDPB's sense.
Assessment outcome: SCCs are effective for this transfer. Proceed with the documented assessment on file.
This is the minimum documentation a TIA should contain. Legal counsel should review any TIA for sensitive categories.
What this means for your EU customer CSV workflows:
- For routine marketing lists and CRM exports to US tools: a documented TIA assessing CLOUD Act and FISA 702 exposure is typically sufficient — don't let legal complexity become paralysis
- For health, financial, or children's data: a more rigorous TIA and legal review is required before transfer
- SCCs without a TIA have been insufficient since Schrems II (2020); the 30 April 2025 TikTok decision shows regulators will fine an inadequate one. Document the assessment; don't assume SCCs cover everything
What This Means for Cloud CSV Tools
Most US-based cloud CSV processing tools accept EU personal data through their standard terms of service. Before uploading any EU customer CSV to a US-based tool, verify:
1. Are SCCs in place? The tool's Data Processing Addendum (DPA) or privacy policy should reference EU Standard Contractual Clauses or the EU-US Data Privacy Framework. If no DPA exists, the transfer lacks a documented legal basis.
2. Is the tool DPF-certified? Check dataprivacyframework.gov. DPF certification provides an adequacy-decision basis for transfers to certified organizations, for the categories of data (HR or non-HR) the certification covers. Certification must be current and is renewed annually, so verify before each significant transfer, not only at procurement.
3. Has a Transfer Impact Assessment been conducted? Most SaaS vendors provide TIA documentation or security white papers. If unavailable on request, escalate to legal review before uploading.
4. What is the file retention period? Many SaaS tools retain uploaded files temporarily for debugging, caching, or processing purposes. Retention policies vary by vendor. Review the tool's ToS for specific retention periods. Files retained on US servers after processing remain subject to Chapter V transfer obligations.
Many CSV processing tools upload your file to remote US servers, may retain it temporarily, and process it using infrastructure subject to US law. For files containing EU customer names, emails, purchase history, or behavioral data, this creates obligations under GDPR Chapter V — DPA, SCCs, and a Transfer Impact Assessment. SplitForge processes files in Web Worker threads in your browser. For raw file contents, if nothing is transmitted server-side, the cross-border transfer event for that processing step is eliminated.
What this means for your EU customer CSV workflows:
- Before uploading an EU customer CSV to any US tool: check for a DPA with SCCs, verify DPF certification, and confirm a TIA has been conducted
- File retention period is often overlooked — a tool that retains your file for 90 days after processing keeps EU personal data on US servers for 90 days, creating ongoing transfer obligations
- If a tool can't provide DPA documentation on request, that's a signal to use a different tool or process locally
For a complete overview of privacy regulations and how client-side processing addresses each one, see our privacy-first data processing guide.
Common Mistakes Teams Make With EU Customer CSV Transfers
Mistake 1: Assuming SCCs alone are sufficient SCCs have required a documented Transfer Impact Assessment since Schrems II (2020); the TikTok ruling of 30 April 2025 shows what an inadequate one costs. Many teams sign a DPA with SCCs and consider the transfer covered. It isn't; the TIA is required.
Mistake 2: Treating EU-hosted instances as always safe AWS EU-West and Azure West Europe are within the EEA. But if your SaaS tool's parent company has remote access to EU-instance data from US personnel, that remote access is a transfer — the same mechanism TikTok was fined for. Verify your tool's data access model, not just server location.
Mistake 3: Uploading full records when only a subset is needed A marketing campaign needs email and a segment flag. Uploading full customer records — with address, purchase history, and behavioral data — expands the transfer footprint unnecessarily. Minimize before uploading: smaller transfer scope means lower TIA complexity and lower breach exposure.
Mistake 4: Forgetting deletion at the destination The transfer isn't over when processing finishes. If the tool retains your file for 30 or 90 days afterward, the transfer and its obligations continue for that period. Confirm the tool's file deletion schedule and request confirmation of deletion if you need it documented.
Mistake 5: Relying on DPF certification without verifying it's current DPF certification lapses. An organization certified last year may not be certified today. Verify current status at dataprivacyframework.gov before each significant transfer, not just at procurement time.
The EU-US Data Privacy Framework
The EU-US Data Privacy Framework (DPF), adopted July 2023, provides an adequacy decision for transfers to certified US organizations. It replaced Privacy Shield after its invalidation in Schrems II (2020).
Organizations certified under the DPF can receive EU personal data without needing SCCs. However:
- Certification must be actively maintained and renewed annually
- The DPF only covers US organizations certified by the US Department of Commerce
- DPF certification is not universal — verify each tool individually at dataprivacyframework.gov
- The DPF itself faces legal challenge: Latombe v Commission (Case T-553/23), filed in September 2023, was dismissed by the EU General Court on 3 September 2025, and further litigation over the adequacy decision remains ongoing as of March 2026
For CSV tool procurement, DPF certification is a positive signal but should be combined with SCCs as a belt-and-suspenders approach given ongoing legal uncertainty.
Practical Steps for EU Customer CSV Workflows
Step 1: Inventory your CSV workflows List every workflow that involves EU personal data — CRM exports, marketing segments, support ticket data, HR files for EU employees, analytics exports. For each workflow, identify where the data goes and what tools process it.
Step 2: Identify which tools are US-based Check where each tool's servers are located. EU-hosted instances of cloud tools (AWS EU-West, Azure West Europe) generally do not constitute a transfer if data stays within the EEA. US instances do.
Step 3: Verify transfer mechanisms for each tool For each US-based tool processing EU data: confirm DPA with SCCs, check DPF certification, request TIA documentation.
Step 4: Apply data minimization before transfer Remove columns not required by the downstream workflow before uploading. If a tool needs email and a campaign flag, don't upload full customer records. Minimizing before transfer reduces the scope of what's subject to Chapter V.
Step 5: Consider local processing for sensitive workflows For CSV workflows involving sensitive personal information (health, financial, children's data), local processing eliminates the transfer step entirely.
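Added example (not code from the original post or from SplitForge) of Step 4 and of the "anonymize locally first" advice from the transfer section, in Python: keep only the columns the tool needs and replace the e-mail address with a keyed HMAC token before anything is uploaded. The column names, the sample export and DEMO_KEY are assumptions constructed for the demo. One caveat the post's wording glosses over: this output is pseudonymized, not anonymized, because the key holder can still re-identify it, so it remains personal data and the upload remains a Chapter V transfer, just a much smaller one.

```python
"""Minimize and pseudonymize a customer CSV before it leaves the EEA.

Added example, not code from the original article or from any vendor tool.
It carries out step 4 above (keep only the columns the downstream tool
needs) and replaces the direct identifier with a keyed HMAC token so the
US tool never receives the address itself. The column names, the sample
export and DEMO_KEY are assumptions constructed for the demo.

Caveat: the result is pseudonymized, not anonymized. While the key and the
customer table exist in the EEA, re-identification is possible, so the
output is still personal data and the upload is still a Chapter V transfer,
only with a much smaller footprint. A plain unkeyed hash would be worse:
anyone holding a list of candidate addresses could recompute and match it.
"""
import csv
import hashlib
import hmac
import io


def pseudonym(value, key, length=16):
    """Deterministic token for `value`: the same e-mail always maps to the
    same token, so the tool can still de-duplicate or join, but without
    `key` the token cannot be inverted or matched by dictionary."""
    normalized = (value or "").strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:length]


def minimize_csv(text, keep, pseudonymize, key):
    """Return a CSV containing only the `keep` columns, with each column in
    `pseudonymize` replaced by its token. Every other column is dropped
    before upload; that is the minimization step."""
    reader = csv.DictReader(io.StringIO(text))
    fields = reader.fieldnames or []
    missing = [c for c in keep if c not in fields]
    if missing:
        raise ValueError(f"columns not in input: {missing}")
    stray = [c for c in pseudonymize if c not in keep]
    if stray:
        raise ValueError(f"cannot pseudonymize dropped columns: {stray}")
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(keep), lineterminator="\n")
    writer.writeheader()
    for row in reader:
        slim = {c: row[c] for c in keep}
        for c in pseudonymize:
            slim[c] = pseudonym(slim[c], key)
        writer.writerow(slim)
    return out.getvalue()


def join_back(tokens, originals, key):
    """Map tokens that come back from the tool to the original values.
    Only the key holder can do this, which keeps re-identification inside
    the EEA; unknown tokens map to None."""
    lookup = {pseudonym(o, key): o for o in originals}
    return [lookup.get(t) for t in tokens]


# Constructed sample: a full CRM export. The campaign tool only needs a
# stable identifier and the segment flag, nothing else.
FULL_EXPORT = """customer_id,name,email,street,city,segment,lifetime_value
1001,Anna K.,Anna.K@example.org,Hauptstr. 1,Berlin,premium,2300
1002,Jon Doe,j.doe@example.com,Rue 5,Lyon,basic,120
"""

# Assumption: a per-project secret kept in an EEA-side secrets store and
# never shipped alongside the file. Hard-coded here only for the demo.
DEMO_KEY = b"demo-key-rotate-me"

if __name__ == "__main__":
    print(minimize_csv(FULL_EXPORT, ["email", "segment"], ["email"], DEMO_KEY))
```

The HMAC is keyed deliberately: an unkeyed SHA-256 of an e-mail address is trivially matched by anyone who can enumerate likely addresses, which is why it does not count as a supplementary measure. Keep the key in an EEA-side secret store, rotate it per project or campaign so tokens cannot be linked across uploads, and run join_back only on the EEA side when results come back from the tool.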
Additional Resources
Official GDPR Sources:
- GDPR Chapter V — International Transfers — Full text of transfer requirements
- GDPR Article 46 — Standard Contractual Clauses and other appropriate safeguards
- EDPB Recommendations 01/2020 on Supplementary Measures — Guidance on TIAs and supplementary measures
Enforcement:
- Irish DPC TikTok Decision — 30 April 2025 — Primary source for €530M fine
EU-US Data Privacy Framework:
- dataprivacyframework.gov — Verify current US organization certification
For the vendor evaluation checklist before selecting any CSV processing tool, see our CSV tool security checklist. For the legal agreements required before any transfer, see our DPA, BAA, and SCCs guide. To verify whether a specific tool is client-side, see our DevTools verification guide.
Disclaimer: This post is for informational purposes only and does not constitute legal advice. Transfer obligations depend on your specific architecture, data categories, and processing activities. Consult qualified legal counsel before drawing compliance conclusions.