2025-11-10

We Take Data Security Seriously

Compliance with GDPR isn’t optional – it’s a legal obligation. For healthcare providers, this means specific responsibilities when handling sensitive personal data. That’s why Curoflow is developed with security, data protection, and privacy as core pillars. We do not use third-country vendors, and all data is processed and stored in Europe in accordance with applicable legislation.

The Schrems II Ruling and Data Transfers to the US

In its 2020 Schrems II ruling (Case C-311/18), the Court of Justice of the European Union invalidated the EU-US Privacy Shield framework. The decision was based on the finding that US surveillance laws, such as FISA, did not give EU citizens protection equivalent to what GDPR requires.

The court ruled that Standard Contractual Clauses (SCCs) may still be used for transfers to third countries—but only if the recipient country offers a level of protection essentially equivalent to the EU. This requires individual risk assessments and, often, supplementary safeguards—especially when using US-based cloud services.

European Organizations Are Choosing European Cloud Services

In light of Schrems II and subsequent EDPB guidelines, many Swedish authorities and healthcare providers are moving away from US cloud services in favor of European alternatives. Examples include:

  • The Swedish Public Employment Service, Tax Agency, Social Insurance Agency, and Transport Administration

  • The Swedish Mapping, Cadastral and Land Registration Authority has decided to switch to European providers

  • The City of Stockholm has chosen not to migrate to Microsoft 365

Similar trends are visible across the EU, where regulators are increasing scrutiny of services that don’t fully comply with GDPR’s third-country transfer requirements.

You Are Responsible – as the Data Controller

When choosing a digital communication platform for patients, your organization is the data controller under GDPR. If the platform uses services outside the EU/EEA, you must ensure that:

  • A valid legal transfer mechanism is in place (SCCs, DPF, BCR, etc.)

  • The recipient country’s legal system has been assessed and documented

  • Supplementary technical protections are implemented

  • Data processing agreements are signed with all providers

It’s a misconception that explicit consent from each patient is always required for third-country transfers. In healthcare, the legal basis is often public interest or legal obligation. What matters is that the transfer is legal, secure, and documented.

Curoflow Stores Personal Data on Servers in the EU

Curoflow is built to simplify data protection. All personal data is processed on dedicated servers in Europe, with no transfers to third countries. We do not use US-based cloud services like Microsoft Azure, Zoom, Twilio, or AWS. Our integrations—for BankID, Swish, SITHS, SMS, and more—come from Swedish or EU-based providers.

This means that as a healthcare provider, you don’t need to perform individual risk assessments or implement additional safeguards for third-country transfers. You retain full control and transparency over how and where your data is processed.

CE-Marked Under MDR – Built for Healthcare

Curoflow is not only GDPR-compliant—it is also CE-marked as medical device software under the EU Medical Device Regulation (MDR, EU 2017/745). This ensures that our platform meets regulatory requirements for safety, performance, and risk management in healthcare.

We also maintain a quality management system aligned with ISO 13485, tailored for healthcare operations. This provides additional assurance that you are using a platform that meets the highest standards for patient safety and data protection.

Book a demo

Are you curious about the Curoflow platform?

We would be happy to discuss your business and how Curoflow’s various features could make it more efficient. Send us a message and we will book a demo of the platform and tell you more!