International Data Transfers

What it is

Datadog may transfer personal data internationally, including to the United States, and states it uses EU Standard Contractual Clauses for transfers from the European Economic Area and participates in the APEC Cross-Border Privacy Rules system.

Why it matters (compliance & governance perspective)

The policy identifies Standard Contractual Clauses as the primary transfer mechanism for EEA personal data, which requires Datadog to conduct transfer impact assessments where required and to maintain compliant SCC documentation; APEC CBPR participation provides a separate framework for Asia-Pacific transfers.

Consumer impact (what this means for users)

Personal data from EU, EEA, and UK users may be transferred to the United States and other countries; the policy states that Standard Contractual Clauses are used as the legal transfer mechanism for EEA data, though the adequacy of protections in recipient countries depends on jurisdiction-specific assessments.

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE: International transfers of EEA personal data engage GDPR Chapter V (Articles 44-49), including requirements for transfer impact assessments following the Schrems II ruling, and UK GDPR transfer requirements including the UK International Data Transfer Agreement. The APEC CBPR system provides a framework for transfers involving APEC economies. EU data protection authorities and the UK ICO are primary enforcement bodies. GOVERNANCE EXPOSURE: Medium. The policy's reliance on Standard Contractual Clauses as the stated transfer mechanism is a recognized and commonly used approach; however, post-Schrems II requirements mean that transfer impact assessments should be conducted and documented, and the EU-US Data Privacy Framework (where applicable) may provide an alternative or supplementary basis. The policy does not specify which updated SCC modules (2021 versions) are used. JURISDICTION FLAGS: EEA and UK organizations transferring personal data to Datadog bear primary responsibility for ensuring that the SCCs or UK IDTA are correctly executed and that transfer impact assessments are documented. Swiss organizations face additional requirements under the revised Federal Act on Data Protection. APEC member economies each have varying levels of CBPR implementation. CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers with EEA or UK data must confirm that the executed DPA incorporates current SCC modules appropriate to the controller-to-processor transfer scenario, and that Datadog's subprocessor agreements also include appropriate transfer mechanisms. Any changes to Datadog's subprocessor list or data center locations should trigger a review of transfer adequacy. COMPLIANCE CONSIDERATIONS: Legal teams should request confirmation of which SCC module versions are in use and whether Datadog has conducted or made available transfer impact assessments for US transfers. Organizations subject to UK GDPR should confirm that a UK IDTA or addendum is in place in addition to EU SCCs.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• Data Collection Scope medium
• Controller and Processor Dual Role high
• Third-Party Sharing for Advertising and Analytics medium
• California Consumer Privacy Act Rights medium
• Data Retention low
• Cookies and Tracking Technologies medium

Related Analysis

• Meta Removed 438 Sentences From Its Privacy Policy. Here Is What Disappeared.

  ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.

• 23andMe Is Bankrupt. What Happens to Your DNA Now?

  Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.