Lokker

Cross-Border Data Transfers and International Compliance

This guide explains how to legally transfer personal data across international borders while complying with GDPR, CCPA, and other privacy regulations. Learn about adequacy decisions, Standard Contractual Clauses (SCCs), Transfer Impact Assessments, and practical implementation strategies.

Overview: Understanding Cross-Border Transfers

What Is a Cross-Border Data Transfer?

A cross-border data transfer occurs when personal data is:

  • Sent from one country to another
  • Accessed from another country
  • Processed in another country
  • Stored in another country

Key Point: The physical location of data storage or processing matters, not just where your company is located.

Why This Matters

Legal Requirements:

  • GDPR: Restricts transfers outside EEA without safeguards
  • CCPA: Requires disclosure of data transfers
  • State Laws: May restrict transfers to certain jurisdictions

Business Reality:

  • Many cloud services are US-based
  • Many vendors operate globally
  • Data often flows across borders automatically

Transfer Restrictions

GDPR General Rule:

  • ✅ Transfers within EEA: Allowed
  • ⚠️ Transfers outside EEA: Allowed only with an adequacy decision or appropriate safeguards
  • ❌ Transfers without safeguards: Prohibited

Common Scenarios:

  • Using US-based cloud services (AWS, Google Cloud, Microsoft Azure)
  • Using US-based SaaS providers (Salesforce, HubSpot, etc.)
  • Using US-based analytics (Google Analytics)
  • Using US-based email services (Mailchimp, SendGrid)

When Do Transfers Occur?

Direct Transfers

Examples:

  • Sending customer data to a US-based CRM system
  • Storing data on US-based cloud servers
  • Processing data through a US-based analytics platform

Characteristics:

  • You directly send data to another country
  • Clear transfer relationship
  • Easier to identify and document

Indirect Transfers

Examples:

  • Vendor uses sub-processors in other countries
  • Cloud provider replicates data across regions
  • CDN serves content from multiple locations

Characteristics:

  • Transfer happens through vendor
  • May not be immediately obvious
  • Requires vendor transparency

Automatic Transfers

Examples:

  • Cloud provider automatically replicates data
  • Vendor routes data through multiple data centers
  • Load balancing across regions

Characteristics:

  • Happens automatically
  • May not be obvious
  • Requires understanding of vendor architecture

Transfer Identification Checklist

Step 1: Map Data Flows

  • Identify all data collection points
  • Map where data is stored
  • Map where data is processed
  • Identify all third parties involved
  • Document data flow paths

Step 2: Identify Geographic Locations

  • Where are your servers located?
  • Where are vendor servers located?
  • Where are sub-processor servers located?
  • Are there automatic replications?
  • Are there backup locations?

Step 3: Identify Transfers

  • List all transfers outside your jurisdiction
  • Identify transfers to non-adequate countries
  • Document transfer purposes
  • Assess transfer necessity
  • Document transfer mechanisms

GDPR Transfer Requirements

GDPR Transfer Rules

Article 44: General principle - transfers are allowed only under one of the mechanisms below (adequacy decision, appropriate safeguards, or a derogation)

Article 45: Adequacy decisions - transfers to adequate countries are allowed

Article 46: Appropriate safeguards - SCCs, BCRs, etc.

Article 49: Derogations - limited exceptions

Transfer Mechanisms (In Order of Preference)

1. Adequacy Decision (Article 45)

  • Country has adequate data protection
  • No additional safeguards needed
  • Best option if available

2. Appropriate Safeguards (Article 46)

  • Standard Contractual Clauses (SCCs)
  • Binding Corporate Rules (BCRs)
  • Codes of conduct
  • Certification mechanisms

3. Derogations (Article 49)

  • Explicit consent
  • Contract performance
  • Important public interest
  • Limited use cases

GDPR Transfer Decision Tree

Step 1: Is Transfer Within EEA?

  • Is data staying within EEA?
  • If Yes → No transfer restrictions
  • If No → Proceed to Step 2

Step 2: Is Country Adequate?

  • Check adequacy decision list
  • Is destination country adequate?
  • If Yes → Transfer allowed (no safeguards needed)
  • If No → Proceed to Step 3

Step 3: Implement Safeguards

  • Use Standard Contractual Clauses (SCCs)
  • Or use Binding Corporate Rules (BCRs)
  • Or use other approved safeguards
  • Conduct Transfer Impact Assessment (TIA)

Adequacy Decisions

What Is an Adequacy Decision?

An adequacy decision is a European Commission determination that a country provides an adequate level of data protection, allowing transfers without additional safeguards.

Countries with Adequacy Decisions

Current Adequate Countries:

  • Andorra
  • Argentina
  • Canada (commercial organizations)
  • Faroe Islands
  • Guernsey
  • Israel
  • Isle of Man
  • Japan
  • Jersey
  • New Zealand
  • Republic of Korea
  • Switzerland
  • United Kingdom
  • Uruguay

Note: This list changes over time. Check the European Commission website for the current list.

US-EU Data Privacy Framework

Status: Adequacy decision granted (July 2023)

What It Means:

  • US companies certified under DPF can receive EU data
  • No SCCs needed for DPF-certified companies
  • Must verify vendor is DPF-certified

How to Verify:

  • Check DPF certification list
  • Verify vendor is certified
  • Review vendor's DPF certification

Adequacy Decision Checklist

Step 1: Check Destination Country

  • Identify where data is being transferred
  • Check European Commission adequacy list
  • Verify country has adequacy decision
  • Check if decision covers your use case

Step 2: Verify Adequacy Applies

  • Confirm data destination
  • Verify adequacy decision is current
  • Check for any limitations
  • Document adequacy decision reliance

Standard Contractual Clauses (SCCs)

What Are SCCs?

Standard Contractual Clauses (SCCs) are pre-approved contract templates from the European Commission that provide appropriate safeguards for data transfers.

Key Points:

  • Pre-approved by European Commission
  • Legally binding contract
  • Provides appropriate safeguards
  • Must be used as-is (cannot modify core terms)

Types of SCCs

Module 1: Controller to Controller

  • Both parties are controllers
  • Example: Sharing data with business partner

Module 2: Controller to Processor

  • You are controller, vendor is processor
  • Example: Using cloud hosting provider

Module 3: Processor to Processor

  • You are processor, vendor is sub-processor
  • Example: Your vendor uses sub-processor

Module 4: Processor to Controller

  • You are processor, vendor is controller
  • Less common scenario

2021 SCCs (Current Version)

Key Features:

  • Updated in 2021
  • Modular approach (choose applicable modules)
  • Includes Transfer Impact Assessment requirement
  • Addresses Schrems II concerns

Structure:

  • Clauses 1-8: General provisions
  • Module-specific clauses
  • Annexes (data details, security measures, etc.)

Implementing SCCs

Step 1: Determine Applicable Module

Module Selection
  • Identify your role (controller or processor)
  • Identify vendor's role (controller or processor)
  • Select applicable module(s)
  • Verify module selection is correct

Step 2: Complete SCCs

SCC Completion
  • Download current SCCs from European Commission
  • Complete party information
  • Complete Annex I (data details)
  • Complete Annex II (security measures)
  • Complete Annex III (sub-processors, if applicable)
  • Sign SCCs with vendor

Step 3: Conduct Transfer Impact Assessment

TIA Requirement
  • Assess destination country laws
  • Assess vendor's ability to comply
  • Identify supplementary measures if needed
  • Document TIA findings
  • Implement supplementary measures if required

SCC Implementation Checklist

Step 1: Prepare SCCs

  • Download current SCCs (2021 version)
  • Identify applicable module(s)
  • Gather required information
  • Complete all sections
  • Review for completeness

Step 2: Negotiate with Vendor

  • Send SCCs to vendor
  • Explain SCC requirements
  • Address vendor questions
  • Negotiate any necessary terms
  • Obtain vendor agreement

Step 3: Execute and Document

  • Execute SCCs with vendor
  • Store executed SCCs
  • Conduct Transfer Impact Assessment
  • Document TIA findings
  • Implement supplementary measures if needed

Binding Corporate Rules (BCRs)

What Are BCRs?

Binding Corporate Rules (BCRs) are internal data protection policies that multinational companies can adopt to govern transfers within their corporate group.

Key Points:

  • For transfers within corporate group
  • Must be approved by supervisory authority
  • Complex and time-consuming to obtain
  • Expensive to implement and maintain

When to Use BCRs

Best For:

  • Large multinational corporations
  • Frequent transfers within corporate group
  • Long-term solution
  • Significant resources available

Not Suitable For:

  • Small organizations
  • One-time transfers
  • Limited resources
  • Simple vendor relationships

BCR Process

Steps:

  1. Develop BCR policies
  2. Submit to lead supervisory authority
  3. Review and approval process (6-18 months)
  4. Ongoing compliance and monitoring

Requirements:

  • Comprehensive data protection policies
  • Internal enforcement mechanisms
  • Training programs
  • Regular audits
  • Supervisory authority oversight

US-EU Data Privacy Framework

What Is the DPF?

The US-EU Data Privacy Framework (DPF) is an adequacy decision that allows transfers from the EU to US companies that are certified under the framework.

Status: Adequacy decision granted (July 2023)

Previous Frameworks:

  • Safe Harbor (invalidated 2015)
  • Privacy Shield (invalidated 2020)
  • Data Privacy Framework (current, 2023)

How DPF Works

For EU Companies:

  • Can transfer to DPF-certified US companies
  • No SCCs needed
  • Must verify certification

For US Companies:

  • Must self-certify to DPF
  • Must comply with DPF principles
  • Must be on DPF certification list

Verifying DPF Certification

How to Verify:

  1. Check DPF certification list: https://www.dataprivacyframework.gov/
  2. Search for vendor name
  3. Verify certification is current
  4. Review vendor's DPF certification

What to Check:

  • Vendor is on certification list
  • Certification is current (renewed annually)
  • Vendor's DPF privacy policy
  • Vendor's dispute resolution mechanism

DPF Checklist

Step 1: Check Vendor Certification

  • Search DPF certification list
  • Verify vendor is certified
  • Check certification is current
  • Review vendor's DPF privacy policy

Step 2: Document DPF Reliance

  • Document vendor is DPF-certified
  • Save certification verification
  • Update vendor records
  • Note DPF as transfer mechanism

Transfer Impact Assessments (TIAs)

What Is a TIA?

A Transfer Impact Assessment (TIA) evaluates whether the destination country's laws allow the vendor to comply with SCCs and protect EU data.

Purpose:

  • Assess destination country risks
  • Determine if supplementary measures needed
  • Document transfer risk assessment
  • Required by 2021 SCCs

TIA Process

Step 1: Assess Destination Country

Country Assessment
  • Research destination country data protection laws
  • Assess government surveillance laws
  • Evaluate data access by authorities
  • Review human rights record
  • Assess rule of law

Step 2: Assess Vendor Capabilities

Vendor Assessment
  • Can vendor resist government requests?
  • Does vendor have strong security?
  • Can vendor encrypt data?
  • Does vendor have good track record?
  • Can vendor comply with SCCs?

Step 3: Determine Supplementary Measures

Supplementary Measures
  • Are additional measures needed?
  • What encryption is used?
  • Can data be pseudonymized?
  • Are access controls adequate?
  • Document measures implemented

TIA Documentation

Required Information:

  • Destination country assessment
  • Vendor capabilities assessment
  • Risk assessment
  • Supplementary measures implemented
  • Conclusion and justification

Implementing SCCs with Vendors

Vendor SCC Implementation Process

Step 1: Identify Vendors Needing SCCs

Vendor Identification
  • List all vendors processing EU data
  • Identify vendors outside EEA
  • Check if vendors are DPF-certified
  • Identify vendors needing SCCs
  • Prioritize by risk level

Step 2: Prepare SCCs

SCC Preparation
  • Determine applicable module
  • Complete party information
  • Complete Annex I (data processing details)
  • Complete Annex II (security measures)
  • Complete Annex III (sub-processors, if applicable)

Step 3: Execute SCCs

SCC Execution
  • Send SCCs to vendor
  • Explain requirements
  • Address vendor questions
  • Negotiate if needed
  • Execute signed SCCs

Step 4: Conduct TIA

Transfer Impact Assessment
  • Assess destination country
  • Assess vendor capabilities
  • Determine supplementary measures
  • Document TIA
  • Implement measures

Common Vendor Scenarios

Scenario 1: US Cloud Provider (AWS, Google Cloud, Azure)

Solution:

  • Use Module 2 (Controller to Processor) SCCs
  • Vendor likely has standard SCCs
  • May need to use vendor's SCCs (if pre-completed)
  • Conduct TIA
  • Implement encryption

Scenario 2: US SaaS Provider (Salesforce, HubSpot)

Solution:

  • Use Module 2 SCCs
  • Vendor may have DPA with SCCs included
  • Verify SCCs are current (2021 version)
  • Conduct TIA
  • Document transfer mechanism

Scenario 3: US Analytics Provider (Google Analytics)

Solution:

  • Use Module 2 SCCs
  • Google provides SCCs through their DPA
  • Verify Google's SCC implementation
  • Conduct TIA
  • Consider IP anonymization

State Privacy Law Considerations

US State Privacy Laws

CCPA/CPRA:

  • Requires disclosure of data transfers
  • No specific transfer restrictions
  • Must disclose if data is sold/shared

State Privacy Laws:

  • Generally require disclosure
  • May restrict transfers to certain jurisdictions
  • Vary by state

State Law Requirements

Disclosure Requirements:

  • Must disclose data transfers in privacy policy
  • Must disclose geographic locations
  • Must disclose third-party locations

Transfer Restrictions:

  • Some states restrict transfers to certain countries
  • Check state-specific requirements
  • May require contracts for transfers

Common Scenarios and Solutions

Scenario 1: Using US-Based Cloud Provider

Situation: Storing EU customer data on AWS (US-based)

Solution:

  1. Use Module 2 SCCs (Controller to Processor)
  2. AWS provides SCCs through their DPA
  3. Conduct TIA
  4. Enable encryption
  5. Consider EU region option if available

Scenario 2: Using US-Based Email Marketing Platform

Situation: Using Mailchimp to send emails to EU subscribers

Solution:

  1. Use Module 2 SCCs
  2. Mailchimp includes SCCs in their DPA
  3. Conduct TIA
  4. Verify Mailchimp's security measures
  5. Document transfer mechanism

Scenario 3: Vendor Uses Sub-Processors in Other Countries

Situation: Your vendor uses sub-processors in various countries

Solution:

  1. Ensure vendor notifies you of sub-processors
  2. Use Module 3 SCCs for sub-processors
  3. Verify sub-processors have appropriate safeguards
  4. Conduct TIA for sub-processor locations
  5. Maintain sub-processor list

Implementation Checklist

Phase 1: Assess Current Transfers (Weeks 1-2)

Transfer Mapping
  • Map all data flows
  • Identify all transfers
  • Identify destination countries
  • Identify transfer mechanisms currently used
  • Document current state

Phase 2: Implement Safeguards (Weeks 3-8)

Safeguard Implementation
  • Identify vendors needing SCCs
  • Prepare SCCs for each vendor
  • Execute SCCs with vendors
  • Conduct Transfer Impact Assessments
  • Implement supplementary measures

Phase 3: Documentation and Monitoring (Ongoing)

Ongoing Management
  • Document all transfer mechanisms
  • Maintain SCC library
  • Monitor vendor certifications
  • Review transfers periodically
  • Update documentation as needed
Last Updated: 2025-01-17