🤔 Is this allowed? privacy edition

WITH TRANSFER BASIS

May my supplier store data outside the EU?

Only with a valid transfer basis (adequacy decision, SCCs + TIA, BCRs). Schrems II and the Data Privacy Framework make the US extra complicated.

Last reviewed: 25 May 2026
See our article on international transfer. Core: transferring data outside the EU/EEA requires a basis under Art. 44-49 GDPR. There are three main routes:

(1) Adequacy decision (Art. 45): UK, Switzerland, Japan, South Korea, Canada (commercial), US (via the Data Privacy Framework since July 2023). Free transfer.

(2) Standard Contractual Clauses + Transfer Impact Assessment (Art. 46(2)(c)): for non-adequate countries like China, India, Brazil. Since 2021 the new SCCs are required.

(3) Binding Corporate Rules (Art. 47): for intra-corporate transfers (Google, IBM, etc.) with EDPB approval.

Schrems III risk: NOYB has challenged the EU-US Data Privacy Framework, with a ruling expected 2026-2027. A defeat would make hundreds of businesses suddenly unlawful.

For SMBs: ask your supplier (a) where the data is stored, (b) which transfer basis applies, and (c) for the TIA report if it uses the SCC route. No solid answer means the supplier is in non-compliance.

Safe alternatives: EU-only cloud (TransIP, Hetzner, OVH) and locally hosted tools.

AP GDPR priority for 2025: cross-border data transfers, with extra enforcement and fines over €1m possible.
