Its confusing, I guess. See: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/what-rules-apply-if-my-organisation-transfers-data-outside-eu_en. Perhaps it may come down to the issue of what is personal data. Maybe as long as we don't keep and transfer research notes about specific living people, their families, business interests and so on, then there is little issue. This didn't come from me today, but from an organization with which I am affiliated and its Information Assurance Service branch that would not permit me to use Zotero on its servers because they had no certainty that information saved to Zotero cloud services is not transferred outside of the European Economic Area (EEA).

Sorry for the topic kick, but I am checking to see if we can use Zotero within our University and would like to know if there are any other Universities in Europe that officially allow the use of Zotero cloud? Our legal department is quite strict, but if there are other reputable universities using Zotero cloud, that might help persuade them.

@pascoa341: We don't disclose institutional customers, but yes, there are large European universities with institutional storage subscriptions, and Zotero is obviously recommended widely by libraries at universities across Europe and around the world.

I'd encourage you to read through our privacy policy if you have any doubts about this. Privacy is a reason to use Zotero, not a reason not to.

I think the aspects mentioned here are quite valid. The current privacy policy does not fulfill the requirements set out by the GDPR (see Art. 13, e.g. the naming of the users' rights and the legal basis for the processing of personal data is currently missing) and for cooperation with bigger institutions a data processing agreement (see Art. 28 GDPR) is necessary. All these steps can be automated as part of the registration process (or as one-click-solution in the backend). Zotero Sync does fall under the scope of application of the GDPR, since at least the e-mail addresses are personal data (and actually also the entries in the bibliography, since they are connected to - personal - user account).

Are there any plans to update the privacy policy and offer data processing agreements? Did that topic never come up with institutional customers?

Of course, I'm only talking about Zotero Sync, the offline client is not affected by these privacy issues.

I haven't looked into it, I just know people in our org have issues of this kind. I pay for my own storage, and my zotero library is not related to my work.

I want to second that this is a very important issue for institutional users in Europe as the European Court of Justice has invalidated the adequacy decision. Servers in the US, even if they uphold the strongest privacy requirements, simply won't do. At least for the foreseeable future.
This makes the Zotero dataserver and especially a deployable option like ZotPrime really interesting. It is a pity that there is so few documentation and that the Zotero desktop client seemingly must be modified to accept home-brewed sync servers for groups as well.