Unity may move your personal data to the United States or other countries with different privacy laws, and it says it uses EU-approved contractual protections (standard contractual clauses) to cover these transfers.
This analysis describes what Unity's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
International data transfers carry risk because data protection laws in destination countries, particularly the US, may offer weaker protections than GDPR; standard contractual clauses help but require Unity to conduct transfer impact assessments to verify they are effective in practice.
Interpretive note: The practical effectiveness of standard contractual clauses as a transfer safeguard depends on transfer impact assessments and supplementary measures that are not publicly detailed in this policy; adequacy of these measures is subject to supervisory authority scrutiny.
EU and UK users' personal data may be transferred to the US and other jurisdictions, and while Unity states it relies on standard contractual clauses, the practical enforceability of these protections depends on ongoing transfer impact assessments and the legal environment in the destination country.
How other platforms handle this
When we transfer personal data outside the European Economic Area, United Kingdom, or Switzerland, we use appropriate safeguards, including Standard Contractual Clauses approved by the European Commission, to ensure your data is protected.
We may transfer, process, and store all personal information we collect anywhere in the world. Different countries have different data protection laws. If we transfer personal information from the European Economic Area, Switzerland, Brazil and/or the United Kingdom to a country that does not provid...
When we transfer personal information from the European Economic Area, United Kingdom, or Switzerland to countries that have not been found to provide an adequate level of protection under applicable law, we take steps to provide appropriate safeguards, including through the use of Standard Contract...
Monitoring
Unity has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Personal data collected by Unity may be transferred to and processed in countries outside of the European Economic Area, including the United States, where data protection laws may differ from those in your country. Where we transfer personal data from the EEA or the UK, we rely on appropriate safeguards, including Standard Contractual Clauses approved by the European Commission, to ensure that your personal data is protected in accordance with applicable law.— Excerpt from Unity's Unity Privacy Policy
REGULATORY LANDSCAPE: This provision engages GDPR Chapter V on international data transfers, as interpreted following the Schrems II judgment of the Court of Justice of the EU (Case C-311/18), which invalidated Privacy Shield and imposed additional obligations on controllers relying on standard contractual clauses including transfer impact assessments. The EU-US Data Privacy Framework (DPF) established in 2023 provides an alternative adequacy mechanism for transfers to DPF-certified US organizations, but its long-term stability has been questioned by European privacy advocates. The UK has its own international transfer regime under UK GDPR with International Data Transfer Agreements as the equivalent mechanism. GOVERNANCE EXPOSURE: Medium. The reliance on standard contractual clauses is a common and facially compliant approach, but post-Schrems II obligations require documentation of transfer impact assessments and supplementary measures for high-risk transfer destinations. Failure to maintain adequate documentation could create exposure in supervisory authority audits. JURISDICTION FLAGS: EEA and UK users are most directly affected. The Finnish DPA as lead supervisory authority may audit Unity's transfer impact assessments. Transfers to countries without an adequacy decision (including the US for organizations not enrolled in the DPF) require enhanced documentation. CONTRACT AND VENDOR IMPLICATIONS: Organizations entering data processing agreements with Unity should verify that SCCs are properly executed, that transfer impact assessments are documented, and that Unity's DPF enrollment status (if applicable) is current. B2B contracts should include obligations requiring Unity to notify counterparties of changes to transfer mechanisms that could affect compliance. COMPLIANCE CONSIDERATIONS: Legal teams should request copies of Unity's executed SCCs and transfer impact assessments as part of vendor due diligence for EEA-facing operations. Monitoring Unity's DPF certification status (if applicable) and any changes to EU adequacy decisions affecting data transfers to the US should be incorporated into ongoing vendor compliance monitoring.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
International data transfers carry risk because data protection laws in destination countries, particularly the US, may offer weaker protections than GDPR; standard contractual clauses help but require Unity to conduct transfer impact assessments to verify they are effective in practice.
EU and UK users' personal data may be transferred to the US and other jurisdictions, and while Unity states it relies on standard contractual clauses, the practical enforceability of these protections depends on ongoing transfer impact assessments and the legal environment in the destination country.
ConductAtlas has identified this type of provision across 4 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Unity.