GDPR · 9 April 2026 · 6 min read

Why Your HR Data Shouldn't Be on US Servers

Schrems II, the CLOUD Act, and why standard contractual clauses alone don't protect your employees' data when it's stored in the United States.

When you sign up for an HR platform, you're handing over some of the most sensitive data in your business: employee salaries, health records, disciplinary files, bank account details. Where that data lives matters, and "we comply with GDPR" on a vendor's website is not the same as your data being protected under EU law.

Here's why the server location question is more serious than a checkbox on a compliance form.

What Schrems II Actually Changed

In July 2020, the European Court of Justice struck down the EU-US Privacy Shield framework in the Schrems II ruling. This was the agreement that made it legally straightforward to transfer personal data from the EU to the US.

The court found that US surveillance law, specifically Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333, gives US intelligence agencies access to data in ways that are incompatible with EU fundamental rights. The Privacy Shield wasn't providing genuine protection.

A replacement framework, the EU-US Data Privacy Framework, was adopted in 2023. It's currently being challenged legally by Max Schrems and noyb. Given that Schrems II invalidated Privacy Shield on essentially the same grounds, another challenge succeeding would not be a surprise.

If the EU-US Data Privacy Framework is invalidated, companies relying on it will need to scramble again. This is not a theoretical risk.

The CLOUD Act Problem

Even if a US company stores your data in an EU data centre, it may not be protected.

The US CLOUD Act (2018) allows US law enforcement to demand data from US companies regardless of where that data is stored. A US company operating a server in Frankfurt can still be compelled to hand over data to US authorities without an EU court order and, under certain conditions, without even notifying the data subject.

This is the fundamental tension. You can have a data centre in Germany and still be subject to US legal reach if the controlling entity is a US company. GDPR prohibits transferring data to authorities in third countries unless specific GDPR conditions are met. The CLOUD Act creates situations where US companies may be legally required to violate GDPR.

Some large vendors argue that they would challenge such requests and that encryption provides protection. That's a reasonable argument in some cases, but it's a legal and technical gamble, not a guarantee.

Why Standard Contractual Clauses Aren't a Complete Solution

Standard Contractual Clauses (SCCs) are legal contracts between an EU data exporter and a non-EU data importer that establish GDPR-equivalent protections. They're the most common mechanism for legitimising EU-to-US data transfers after Schrems II.

The problem is that Schrems II didn't just invalidate Privacy Shield. The court also said SCCs alone are not sufficient if the legal system of the destination country doesn't provide adequate protection. US surveillance law is the issue. SCCs can't override FISA Section 702.

This means that for transfers to the US, you need SCCs plus a Transfer Impact Assessment (TIA), an analysis of whether the destination country's laws actually allow the SCCs to be effective. For most transfers to US-based HR platforms, a rigorous TIA would be difficult to conclude positively.

In practice, EU data protection authorities have started issuing fines for transfers to the US that rely solely on SCCs without proper TIAs. The Austrian, French, Italian, and Greek data protection authorities have all found that data transfers to Google Analytics (US-based) violated GDPR, specifically because SCCs didn't provide adequate protection given US surveillance law.

The same logic applies to HR platforms.

What "EU-Hosted" Actually Means

"EU-hosted" means more than a server in Europe. To genuinely remove the CLOUD Act risk, you need:

EU-based company: The controlling entity should be incorporated and operating under EU law. Not a US parent with a European subsidiary.

No US parent company access: If a US parent can access, manage, or be compelled to produce data held by a European subsidiary, the CLOUD Act risk doesn't disappear.

EU-jurisdiction cloud infrastructure: Data stored in Hetzner Cloud (Germany), OVHcloud (France), or IONOS (Germany/EU) is on infrastructure controlled by EU companies under EU law. Data stored in AWS eu-west-1 (Ireland) is on US-controlled infrastructure subject to the CLOUD Act.

Subprocessors: Check whether the vendor's own subprocessors are EU-based. An EU-incorporated HR vendor that sends email notifications through SendGrid (US) is partially transferring your data outside the EU.

PersoHR is incorporated in the EU, runs on Hetzner Cloud in Germany, and selects EU-based subprocessors. The design choice was deliberate: we're not trying to retrofit GDPR compliance onto a US-first product.

The Practical Risk for Employers

If you're an EU employer storing employee data on a US-based platform:

  1. You are the data controller. Under GDPR, the responsibility for lawful processing sits with you, not just the vendor. If the vendor's data transfers are unlawful, you have a compliance problem, not just them.
  2. Employees have rights you must honour. If an employee asks where their data is stored and with whom it's shared, you need an accurate answer. "We use Workday" is not a complete answer.
  3. DPAs may come knocking. EU data protection authorities have shown increasing willingness to investigate US data transfers. A complaint from one employee could trigger a broader investigation.
  4. Vendor lock-in makes switching harder. The longer your employee data lives in a US-based system, the more complex it becomes to migrate if the legal situation changes, or if the EU-US Data Privacy Framework is struck down as Privacy Shield was.

Alternatives

There are genuine EU-native HR platforms on the market. The landscape has expanded significantly since Schrems II created clear demand.

When evaluating alternatives, ask vendors directly:

  • Where is your company incorporated?
  • Which data centres do you use, and who owns them?
  • List your subprocessors and their countries of incorporation.
  • Has a lawyer reviewed your Transfer Impact Assessments for US-based subprocessors?
  • What would happen to my data if the EU-US Data Privacy Framework were invalidated tomorrow?

A vendor who can answer these questions clearly and specifically is worth taking seriously. One who responds with vague statements about "GDPR compliance" and "EU servers" probably hasn't thought it through.

The server location question isn't paranoia. It's a genuine legal and operational risk for EU employers. The data your employees trust you with deserves infrastructure that's actually under EU jurisdiction.
