Where are our data stored?

Jonas Mølgaard September 17, 2020

We are using JIRA Cloud, and GDPR rules state that personal data should be stored on datacenters within the EU (may be inaccurately phrased). However, to my understanding that's not possible to guarantee with JIRA Cloud, or is it?

Specifically, we sometimes accidentally write, e.g., a key into a JIRA issue (e.g. in a description field or as part of a comment), which in some circumstances happens to be a social security number. Other times we find ourselves having entered a full name.

The current process (obviously not optimal) is to delete the issue and recreate it, because editing the comment does not purge it from the history.

4 answers

2 votes
Sanmat Jhanjhari
Contributor
September 17, 2020

@Jonas Mølgaard 

You can check here https://admin.atlassian.com/o for your instance. Then go to Security ~> Data residency

Regards,

Sanmat

Jonas Mølgaard September 17, 2020

Thanks for the info, this is however not what I asked about specifically.

0 votes
Stephen Addis
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
September 20, 2020

As GDPR is about personal data, you might find just using Client numbers, then on an EU or UK based system have the "other details" such as Social Security number, name, address. All the non-EU system has is a Client ID number/reference, so that data is useless without the key data to unlock, which is stored elsewhere.

It's about minimisation, so if you don't need to transfer, don't. You're also not supposed to keep the data for any longer than necessary, so have a data destruction protocol too for when the info is no longer relevant. It may be that it's a two-part thing, as some info will be not relevant and other bits may still be. So you're supposed to remove the bits that are not, whilst retaining what is.

It is a bit of an admin nightmare I'm afraid, but it's a set of rules, which sets out the game plan, and it's just a case of implementing.
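As an added illustration of the separation described in this answer (example code, not Stephen's or Atlassian's): an in-memory stand-in for an EU-resident vault that hands out random client references, re-identifies only on the EU side, refuses to export known personal-data fields to the non-EU system, and purges records whose retention has lapsed. The class, field names and retention handling are assumptions.

```python
import secrets
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed, in-memory stand-in for the EU-resident store that holds the
# personal data. Only the opaque client reference ever leaves this store.
class EuPiiVault:
    def __init__(self) -> None:
        # client_ref -> (personal data, retention expiry as ISO date string)
        self.records: Dict[str, Tuple[dict, str]] = {}

    def register(self, pii: dict, retain_days: int) -> str:
        """Store personal data in the EU vault and return an opaque reference."""
        # Random token, deliberately NOT a hash of the SSN/name: identifiers
        # with little entropy could otherwise be recovered by brute force.
        client_ref = "C-" + secrets.token_hex(8)
        expires = (date.today() + timedelta(days=retain_days)).isoformat()
        self.records[client_ref] = (pii, expires)
        return client_ref

    def resolve(self, client_ref: str) -> Optional[dict]:
        """Re-identify. Only callers with access to the EU vault can do this."""
        entry = self.records.get(client_ref)
        return entry[0] if entry else None

    def purge_expired(self, today_iso: str) -> List[str]:
        """Data-destruction step: drop personal data past its retention date."""
        expired = [ref for ref, (_, exp) in self.records.items() if exp < today_iso]
        for ref in expired:
            del self.records[ref]
        return expired

# Assumed list of field names that must never leave the EU vault.
PII_FIELDS = {"name", "address", "ssn", "email"}

def export_for_non_eu_system(client_ref: str, case: dict) -> dict:
    """Build the record allowed to go to a non-EU system: the reference plus
    non-personal case data only. Refuses if a PII field slipped in."""
    leaked = PII_FIELDS & set(case)
    if leaked:
        raise ValueError(f"personal data must stay in the EU vault: {sorted(leaked)}")
    return {"client_ref": client_ref, **case}
```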

0 votes
Stephen Addis
Rising Star
September 19, 2020

Surely it's no different to the NHS where you sign to consent to your data going outside the EU if they offer you the services being done by a private company so as to relieve the queue.

Had to do that for an MRI that was done by private company on behalf of the NHS, but they were processing the scans in South Africa.

I have read the GDPR, and ICO stuff as we also have to be compliant. But if it's a case of services only available via non-EU providers, it's offering the Clients that or we can't take your business. The key thing with GDPR is responsibility and transparency, and informing them why you need their data, what you are going to do with it, who you might also send it to etc. I'm no lawyer, but I do know a bit about the GDPR to the extent of what I need to know.

We've left the EU, but are in a transition stage, so until January, all's up for debate lol.

Nic Brough -Adaptavist-
Rising Star
September 19, 2020

Argh, argh, argh, no.

I do not know where to start on how wrong most of that is. 

If you are working in a field where the GDPR matters, please seek out some decent training on it before doing any more.  It doesn't take long, and you're not expected to be a lawyer, just know enough to know when you need to ask more questions. 

One of the things you've implied you believe landed me in a GDPR refresher course when I suggested it, and a lot of the other stuff you've said are red flags I've had to haul up colleagues on more than once.

Please, stop.  On two levels.

The point of the original question is that Jonas absolutely needs to know where the data is stored, and be able to guarantee that it will not be moved outside an area covered by the regulations.   You don't seem to be grasping that.

Stephen Addis
Rising Star
September 20, 2020

There are instances, as I noted, where there is no option but to store data outside the EU.

This is compliant with the GDPR, and the assessment of whether it is necessary and can be done is outlined on the ICO's website. It is subject to the necessary "safeguards", and other stuff like a BCR, ACM etc. being in place, but can be done.

Even if the transfer is not covered by an adequacy decision, nor an appropriate safeguard, then you can only make that transfer if it is covered by one of the ‘exceptions’ set out in Article 49 of the GDPR.

This exception tells the person whose data it is all about what you need to transfer and why.

You tell them stuff like:

  • the identity of the receiver, or the categories of receiver;
  • the country or countries to which the data is to be transferred;
  • why you need to make a restricted transfer;
  • the type of data;
  • the individual’s right to withdraw consent; and
  • the possible risks involved in making a transfer to a country which does not provide adequate protection for personal data and without any other appropriate safeguards in place. For example, you might explain that there will be no local supervisory authority, and no (or only limited) individual data protection or privacy rights.

There are also instances where you do not need consent, although these are a little more uncommon, but still possible.  Such as there must be an EU or UK law which states or implies that this type of transfer is allowed for important reasons of public interest, which may be in the spirit of reciprocity for international co-operation.

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers/

It also notes things about "after transition", so my reference to us being in the process of leaving the EU was correct.  The ICO state that they are monitoring how any transition change may apply to data stored, or crossing between UK and EU, but that things might be subject to change.

So yes, you can store data outside EU.

But also, the provider you are using should tell you similar, as there is an equal obligation to you as a user/provider and they will be bound by the same rules.


Nic Brough -Adaptavist-
Rising Star
September 20, 2020

So you do understand that what you were saying earlier is wrong?  Good.

Jonas Mølgaard September 20, 2020

@Stephen Addis Thanks for your comments. However, about the question of whether or not it's ok to store data outside the EU, it was stated by our DPO that unless she approved an appropriately specific description of what data and to what extent, the data had to reside inside the EU. So when I ask this question, I primarily search for a way to guarantee that all our data are stored inside the EU. Just to emphasize that part of my question: Is there a way to guarantee that our data are stored inside the EU?

Stephen Addis
Rising Star
October 12, 2020

If a service provider states to you they are GDPR compliant, that means they are GDPR compliant.

Some may only give you a rough location, possibly the country (as country is all you really need to know), for example, AWS (Amazon) and others are very cagey about where their data centres even are, not from any GDPR perspective, but from terrorism and targeting ... if somebody knows which building they are in, they can cause a lot of damage with, well, a bomb.

In the absence of anything else, a statement from them will discharge your responsibility and show you have taken all reasonable steps, place that on file with their ICO info ... possibly enquire with the ICO, as they are the ones that will be writing the letters.

0 votes
M Amine
Community Champion
September 17, 2020

Hi @Jonas Mølgaard 

Here is a good article about this: https://www.atlassian.com/trust/privacy

Jonas Mølgaard September 17, 2020

Thanks. This is a bit too general for me to decipher. I don't see any indications in that article, that there's a way for us to specifically force our storage of JIRA data to be kept physically in EU servers.

Daniel Ebers
Rising Star
October 11, 2020

Several topics of explanation are available from a sub-page, specifically here:
https://www.atlassian.com/trust/reliability/infrastructure

For example it reads:

Can I choose the location of where my Jira or Confluence cloud site data resides?

Atlassian will optimize where customer data is located based on how it is accessed around the world. As an example, if the majority of the users access Jira or Confluence cloud instances from Europe, then their data will be migrated to one of our European regions.

But as Nic said later here in this thread, there is a specific question to the data location and I understand that you, Jonas, say you would need to decipher the given information as no specific region is written to the docs.

Have you already had a support request open on this with the Trust team? The page linked above suggests contacting them in case of further questions and I'd see no reason to do it and ask for the specific data storage region.

Cheers,
Daniel
