International Data Transfers: Moving Data Outside the EU
When personal data leaves the European Economic Area (EEA), GDPR imposes additional requirements to ensure that data continues to receive equivalent protection. For organizations using cloud services, working with international vendors, or operating across borders, understanding these transfer rules is essential.
Key Takeaways
| Point | Summary |
|---|---|
| Transfer restrictions | Personal data can only leave the EEA with appropriate safeguards in place |
| Adequacy decisions | Transfers to countries the Commission has found adequate (e.g. UK, Japan, Canada for commercial organizations) need no further transfer tool, though every other GDPR obligation still applies |
| Standard Contractual Clauses | Most common mechanism for transfers to non-adequate countries |
| Schrems II implications | Since the CJEU's 2020 Schrems II judgment, transfers under SCCs or BCRs require a documented assessment of destination-country law and practice |
| Documentation | Transfer mechanisms must be documented in ROPA and privacy policy |
Quick Answer: Data transfers outside the EEA require appropriate safeguards. The most common approach is Standard Contractual Clauses (SCCs) combined with a Transfer Impact Assessment. Transfers to "adequate" countries like the UK, Canada, or Japan can proceed more simply.
What Counts as a Transfer?
A transfer occurs when personal data moves from within the EEA to a recipient outside the EEA. The European Data Protection Board (EDPB) identifies three cumulative criteria:
| Criterion | Description |
|---|---|
| Exporter is subject to GDPR | A controller or processor is subject to GDPR for the processing in question (Article 3) |
| Data is disclosed to another party | The exporter transmits the data, or otherwise makes it available (including by remote access), to a different controller or processor, the importer; access by the exporter's own staff from abroad is not a disclosure |
| Recipient is in a third country | The importer is located outside the EEA or is an international organisation, whether or not the importer is itself subject to GDPR under Article 3(2) |
Common Transfer Scenarios
| Scenario | Transfer? |
|---|---|
| Using AWS with EU region | May still involve transfers if support or maintenance staff outside the EEA can access the data |
| US-based SaaS with EU data center | Often involves transfers for technical operations (support, administration, logging or analytics handled from outside the EEA) |
| Sending data to UK subsidiary | Yes (post-Brexit, though UK has adequacy, so no additional transfer tool is needed) |
| EU employee accessing data while traveling | Not a transfer (no disclosure to a different controller or processor), though the employer remains responsible for securing the remote access under Article 32 |
| Sharing with US-headquartered vendor | Yes if the US entity or its personnel can access the data, including remote access to EU-hosted systems; contracting only with the vendor's EEA entity does not avoid this where US staff have access |
Transfer Mechanisms
GDPR provides several mechanisms for lawful international transfers:
1. Adequacy Decisions (Article 45)
The European Commission can formally recognize that a third country provides "essentially equivalent" protection to GDPR. Transfers to adequate countries can proceed without an additional transfer tool, but the exporter must still meet every other GDPR obligation (lawful basis, Article 28 processor contract, security, transparency).
Countries with adequacy decisions (check the Commission's current list before relying on one: decisions are reviewed periodically and can be suspended or invalidated, as Safe Harbour was in 2015 and Privacy Shield in 2020):
| Country | Status |
|---|---|
| Andorra | Adequate |
| Argentina | Adequate |
| Canada (commercial organizations subject to PIPEDA) | Adequate |
| Faroe Islands | Adequate |
| Guernsey | Adequate |
| Israel | Adequate |
| Isle of Man | Adequate |
| Japan | Adequate |
| Jersey | Adequate |
| New Zealand | Adequate |
| Republic of Korea | Adequate |
| Switzerland | Adequate |
| United Kingdom | Adequate |
| Uruguay | Adequate |
EU-US Data Privacy Framework:
The United States has a partial adequacy decision (adopted July 2023) through the EU-US Data Privacy Framework: transfers are permitted only to US organizations that have self-certified and appear on the DPF List maintained by the US Department of Commerce. Check that the importer's certification is active and covers the data you send (certifications distinguish HR and non-HR data). Transfers to uncertified US recipients still need SCCs or another Article 46 tool.
2. Standard Contractual Clauses (Article 46)
Standard Contractual Clauses (SCCs) are pre-approved contract terms that impose GDPR-equivalent obligations on data importers. They represent the most common transfer mechanism for non-adequate countries.
SCC Modules:
| Module | Scenario |
|---|---|
| Module 1 | Controller to Controller |
| Module 2 | Controller to Processor |
| Module 3 | Processor to Processor |
| Module 4 | Processor to Controller |
Key SCC Requirements:
- Use the 2021 European Commission SCCs (Decision 2021/914); the 2001, 2004 and 2010 clauses cannot be used for new contracts, and existing contracts had to be migrated by 27 December 2022
- Execute SCCs before transfers begin, selecting the module that matches the parties' roles
- Complete Annex I (parties, description of the transfer, competent supervisory authority), Annex II (technical and organizational measures) and, for Modules 2 and 3, Annex III (sub-processors) with specific rather than generic details
- Conduct a Transfer Impact Assessment for the destination country; Clause 14 requires the parties to document it and provide it to the supervisory authority on request
- Note that the 2021 SCCs are not intended for importers whose own processing is directly subject to GDPR under Article 3(2) (Decision 2021/914, recital 7); that scenario needs a different basis
3. Binding Corporate Rules (Article 47)
Binding Corporate Rules (BCRs) are internal data protection policies approved by supervisory authorities for multinational corporate groups. They allow intra-group transfers without SCCs.
| Aspect | BCRs |
|---|---|
| Approval required | Yes: the BCR lead supervisory authority approves after an EDPB opinion under the consistency mechanism (Article 64) |
| Approval timeline | Often 12-24 months |
| Suitable for | Large multinational groups with significant intra-group transfers |
| Cost | Significant (legal and administrative) |
| Flexibility | High, once approved |
BCRs are generally practical only for large enterprises due to the approval process and cost involved.
4. Derogations (Article 49)
Derogations allow transfers in specific circumstances without an adequacy decision or Article 46 safeguards. They must be interpreted restrictively and, per EDPB guidance, are mainly for occasional, non-repetitive transfers; they cannot justify routine data flows to a vendor.
| Derogation | Use Case |
|---|---|
| Explicit consent | Individual explicitly consents to the specific transfer after being informed of the possible risks arising from the absence of an adequacy decision and appropriate safeguards |
| Contract necessity | Transfer necessary to perform a contract with the individual |
| Legal claims | Transfer necessary for legal proceedings |
| Vital interests | Transfer necessary to protect life |
| Public interest | Transfer necessary for important public interest reasons |
Limitations:
- Derogations cannot be used for systematic, large-scale transfers
- Must be interpreted narrowly
- Should be documented thoroughly when relied upon
Transfer Impact Assessments
Following the Schrems II judgment (CJEU C-311/18, July 2020), organizations relying on SCCs or any other Article 46 tool must assess, before transferring, whether the law and practice of the destination country allow the importer to honour its obligations. If not, supplementary measures are needed; if no effective measure exists, the transfer must be suspended or not started.
TIA Components
| Step | Description |
|---|---|
| 1. Know your transfers | Map the data, recipients, purposes and onward transfers, including sub-processors |
| 2. Identify the transfer tool | Adequacy decision, SCCs, BCRs or, exceptionally, an Article 49 derogation |
| 3. Assess third-country law and practice | Evaluate whether surveillance laws, government access powers and the availability of redress undermine the tool in practice for this specific transfer |
| 4. Identify and adopt supplementary measures | Technical, contractual or organizational measures that make the tool effective; if none are, suspend or do not start the transfer |
| 5. Procedural steps | Implement the measures (e.g. in the SCC annexes) and, where required, consult the supervisory authority |
| 6. Re-evaluate | Monitor legal and practical developments and repeat the assessment at appropriate intervals |
Supplementary Measures
When destination country laws may undermine SCC protections, organizations may need to implement supplementary measures. Technical measures only help where the importer does not need the data in the clear: the EDPB Recommendations identify no effective measure for processing in the clear or for remote access to clear-text data in a problematic third country, so a vendor that must read the data cannot be fixed by encryption alone.
| Measure Type | Examples |
|---|---|
| Technical | State-of-the-art encryption with keys held only by the exporter in the EEA (or an adequate country), pseudonymization where the importer cannot attribute the data to an individual, split processing across importers in different jurisdictions |
| Contractual | Enhanced audit rights, commitment to challenge government access requests, transparency about requests received |
| Organizational | Strict access controls and access logging, internal policies for handling government requests, transparency commitments |
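As an added illustration of the pseudonymization and split-processing measures in the table (this is example code written for this page, not part of the EDPB guidance or any vendor's product), the following Python uses only the standard library: the exporter replaces direct identifiers with a keyed HMAC pseudonym, keeps the key and the re-identification table inside the EEA, and exports only the remainder. The importer can still join and deduplicate on the pseudonym but cannot recover identities without the key. Field names, the sample records and the hypothetical "vault" are assumptions for the example; it does not encrypt the exported payload, which would need a library such as `cryptography`.

```python
"""Pseudonymisation plus split processing before export (added example).

The exporter, inside the EEA, replaces direct identifiers with a keyed
pseudonym, keeps the key and the re-identification table in the EEA and
ships only the pseudonymised payload. The importer can join records on the
pseudonym but cannot reverse it without the key, which never leaves the EEA.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Fields treated as direct identifiers (an assumption for this example).
DIRECT_IDENTIFIERS = ("email", "full_name", "phone")


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym: HMAC-SHA256 over the normalised value.

    Deterministic, so the importer can join and deduplicate on it; keyed, so
    it cannot be reversed by hashing a list of candidate e-mail addresses
    (an unkeyed hash of an e-mail is trivially reversible that way).
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def split_for_export(record: dict, key: bytes, eea_vault: dict) -> dict:
    """Return the record as it may leave the EEA; store identifiers locally.

    `eea_vault` is the exporter's re-identification table (pseudonym ->
    identifiers). It stays in the EEA together with `key`.
    """
    subject_id = pseudonym(record["email"], key)
    eea_vault[subject_id] = {f: record[f] for f in DIRECT_IDENTIFIERS if f in record}
    exported = {f: v for f, v in record.items() if f not in DIRECT_IDENTIFIERS}
    exported["subject_id"] = subject_id
    return exported


def reidentify(exported: dict, eea_vault: dict) -> dict:
    """EEA-side only: rejoin importer output with the locally held identifiers."""
    return {**exported, **eea_vault[exported["subject_id"]]}


# Constructed sample records (fictitious people, for the example only).
SAMPLE_RECORDS = [
    {"email": "Anna.Example@example.eu", "full_name": "Anna Example",
     "phone": "+49 30 000000", "plan": "pro", "tickets_open": 2},
    {"email": "anna.example@example.eu", "full_name": "Anna Example",
     "phone": "+49 30 000000", "plan": "pro", "tickets_open": 0},
]


def run_demo(key: Optional[bytes] = None):
    """Pseudonymise the samples; return (exported_batch, eea_vault, key).

    A fresh random key is generated unless one is supplied. In a real
    deployment the key lives in an EEA-hosted KMS or HSM, never at the importer.
    """
    key = key or secrets.token_bytes(32)
    vault: dict = {}
    exported = [split_for_export(r, key, vault) for r in SAMPLE_RECORDS]
    return exported, vault, key


if __name__ == "__main__":
    batch, vault, key = run_demo()
    for row in batch:
        print("to importer:", row)   # no e-mail, name or phone leaves the EEA
    print("kept in EEA:", vault)     # one entry: both records are the same person
    print("rejoined:", reidentify(batch[0], vault))
```

The two sample records differ only in the case of the e-mail address; because the pseudonym normalises before hashing, the importer sees one `subject_id` for both rows and can aggregate on it, while the vault holds a single re-identification entry. Rotating the key yields an unrelated pseudonym, which is what you would do if the key were ever suspected to have reached the importer.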
High-Risk Destinations
Certain destinations require particular attention in TIAs:
- Countries without independent data protection authorities
- Countries with broad surveillance laws
- Countries with government access to private sector data
- Countries without effective legal remedies for individuals
Practical Implementation
Step-by-Step Transfer Compliance
Step 1: Map Your Transfers
- Identify all vendors and systems processing personal data
- Determine where data is stored and processed
- Identify any sub-processors in third countries
Step 2: Determine Transfer Mechanism
- Check if destination country has adequacy decision
- If not, implement SCCs (most common approach)
- Consider BCRs for intra-group transfers (large organizations)
Step 3: Conduct Transfer Impact Assessment
- Evaluate destination country laws
- Assess practical enforcement risk
- Document your analysis and conclusions
Step 4: Implement Supplementary Measures (if needed)
- Identify appropriate technical or organizational measures
- Implement before transfers begin
- Document measures taken
Step 5: Document and Monitor
- Update ROPA with transfer details
- Update privacy policy to disclose transfers
- Monitor for changes in destination country laws or adequacy status
Vendor Due Diligence Questions
When evaluating vendors for international transfers:
| Question | Why It Matters |
|---|---|
| Where is data stored and processed? | Identifies transfer destinations |
| Do you use sub-processors outside the EEA? | Expands transfer scope |
| Are you on the EU-US DPF List, and does the certification cover the data we send (HR vs non-HR)? | Determines whether DPF can serve as the transfer mechanism |
| Can you execute our SCCs, or do your terms incorporate the 2021 SCCs with completed annexes? | Confirms transfer mechanism |
| What encryption do you use, and who holds the keys? | Encryption only counts as a supplementary measure if the keys stay outside the importer's reach |
| How do you handle government access requests, and do you publish transparency reports? | Informs TIA |
Common Challenges
Challenge 1: Cloud Services
Many cloud services involve complex data flows that may constitute transfers even when primary data centers are in the EU.
Approach:
- Request detailed data flow documentation from providers, including where support, administration and logging are performed
- Verify sub-processor locations and subscribe to the provider's sub-processor change notifications
- Ensure SCCs or other mechanisms cover all transfer scenarios, including remote support access
- Consider providers with strong data localization commitments that extend to support access, not just storage
Challenge 2: US Vendors
US transfers require particular attention because of the surveillance powers (notably FISA Section 702 and Executive Order 12333) at the heart of Schrems II, though the EU-US Data Privacy Framework now provides a pathway for certified recipients.
Approach:
- Verify the vendor is on the DPF List and that the certification covers the data categories you send
- If not, implement the 2021 SCCs with a documented TIA
- Consider supplementary measures proportionate to the sensitivity of the data and the importer's need for clear-text access
- Document your assessment thoroughly and re-check certification status periodically
Challenge 3: Acquisitions and Mergers
Corporate transactions involving non-EEA entities may trigger transfer requirements.
Approach:
- Assess data transfer implications early in due diligence
- Implement appropriate mechanisms before data sharing
- Plan for ongoing compliance post-transaction
Documentation Requirements
ROPA Updates
Your Record of Processing Activities should document (Article 30(1)(e)):
- The third country or international organisation to which data is transferred
- Categories of recipients in third countries, including sub-processors
- The transfer mechanism relied upon and, for transfers under the second subparagraph of Article 49(1), documentation of the suitable safeguards
Privacy Policy Disclosures
Privacy policies should inform individuals (Articles 13(1)(f) and 14(1)(f)) about:
- That international transfers occur, and to which countries or international organisations
- Whether an adequacy decision exists for the destination
- The safeguards relied upon (e.g. SCCs, BCRs) and how to obtain a copy of them or where they have been made available
How Bastion Helps
International data transfer compliance involves legal analysis, technical assessment, and ongoing monitoring. Working with experienced partners helps ensure transfers are properly structured and documented.
| Challenge | How We Help |
|---|---|
| Transfer Mapping | Identifying all data flows that constitute international transfers |
| Mechanism Selection | Guidance on appropriate transfer mechanisms for your situation |
| TIA Preparation | Support conducting and documenting Transfer Impact Assessments |
| SCC Implementation | Templates and guidance for proper SCC execution |
| Vendor Assessment | Due diligence support for evaluating international vendors |
| Ongoing Monitoring | Tracking changes in adequacy status and regulatory guidance |
International transfers represent an area where getting the approach right from the start helps avoid the need for retrospective remediation—which can be complex and disruptive.
Questions about your international data transfers? Talk to our team →
Sources
- GDPR Chapter V (EUR-Lex) - Official text on international transfers
- EDPB Recommendations on Supplementary Measures - Post-Schrems II guidance
- European Commission SCCs - Official Standard Contractual Clauses
- EU-US Data Privacy Framework - US adequacy mechanism
