How to transfer data under the GDPR: 3 general principles

Written by
Vanta
Reviewed by
Marsel Fazilov
GRC Security Program Manager

As economies become increasingly interconnected, personal data routinely flows across borders in daily business operations, raising important privacy and security concerns. To address these risks, regulations like the GDPR have introduced strict measures to ensure data moves safely during international transfers.

While these safeguards are invaluable for protecting data subject rights, they introduce a layer of complexity for organizations that must implement them. However, alignment is mandatory, and failing to achieve it can result in severe financial penalties or corrective action.

In this article, we’ll explain how data transfers under the GDPR work, particularly focusing on:

  • The legal bases for transferring data under the GDPR
  • Potential challenges of GDPR-aligned data transfers

What are cross-border data transfers under the GDPR?

Cross-border data transfers under the GDPR refer to the sharing of the personal data of individuals in the EU between organizations in different countries. If the recipient is an international organization or is based outside the EEA, you’ll need to comply with the requirements outlined in Chapter 5 of the GDPR, along with other core principles such as data minimization and establishing a lawful basis.

If you’re transferring data to a processor, you must also have a data-processing agreement (DPA) in place. 

The GDPR specifies three primary legal bases for cross-border data transfers:

  1. Adequacy decisions
  2. Appropriate safeguards
  3. Special-case transfers

[Infographic: how the GDPR permits cross-border data transfers through adequacy decisions, appropriate safeguards, or specific derogations.]


I. Data transfers based on adequacy decisions (Article 45)

An adequacy decision means that the European Commission has determined that the level of data protection in a non-EEA country or organization meets GDPR standards. This decision goes beyond technical safeguards and also considers legal and administrative factors such as:

  • Rule of law
  • Respect for human rights
  • Enforceability of data subject rights
  • The existence and effectiveness of a data protection authority
  • International commitments

Once an adequacy decision is in place, you can transfer information to the relevant country or organization without additional authorizations or safeguards. However, be mindful of the scope of these decisions: while they can cover an entire country, they can also apply only to certain regions or even specific types of data transfers.

The EU currently has 16 adequacy decisions in force. The covered countries include:

  • Andorra 
  • Argentina
  • Japan
  • Isle of Man
  • New Zealand
  • Switzerland
  • United States (for organizations participating in the Data Privacy Framework)

If your organization is exporting sensitive information, it’s your responsibility to monitor the status of adequacy decisions relevant to your transfers and ensure you have sufficient legal grounds if they get updated or withdrawn.

“Adequacy decisions are one of the most reliable and straightforward mechanisms for cross-border transfers of data. This is due to the legal effect they carry, the broad coverage they provide for controllers and processors, and the administrative simplicity they offer by avoiding contractual negotiations and disputes.”

Connor Snyder

II. Data transfers based on appropriate safeguards (Article 46)

Even without an adequacy decision, you can transfer sensitive information across borders if you can guarantee that appropriate safeguards are in place. These ensure that the rights of data subjects remain enforceable after the data leaves the EU.

The European Data Protection Board (EDPB) lists various safeguards, but the three most relevant are:

  1. Standard contractual clauses (SCCs)
  2. Binding corporate rules (BCRs)
  3. Codes of conduct 

Note that organizations can use more than one mechanism to ensure appropriate safeguards when transferring data. They can select the most appropriate method and document the justification while strengthening it with supplementary measures where needed. The best option depends on factors like the nature, frequency, scale, risk, and feasibility of the transfers.

1. Standard contractual clauses (SCCs)

SCCs are standardized contracts that provide organizations with a legally recognized way to demonstrate they have implemented appropriate safeguards. They’re designed to address several types of transfer scenarios, such as:

  • Controller to controller
  • Controller to processor
  • Processor to processor
  • Processor to controller

While most of the safeguard-related provisions in an SCC are standardized, you can adjust some aspects of the contract. The changes must not negatively impact the level of protection guaranteed by the SCC. 

Key elements of an SCC include:

  • The number of parties signing the SCC
  • The requirement to carry out a “transfer impact assessment” that documents the risks, relevant laws in the destination country, and additional safeguards
  • Rules on liability if data subject rights are violated
  • Obligations in case of access by public authorities, such as informing the exporter and challenging unlawful requests


2. Binding corporate rules (BCRs)

BCRs are binding policies related to data transfers within multinational groups of organizations. If an organization is part of a larger group that has a BCR in place, it must align with it regardless of where it operates.

Just like SCCs, BCRs must ensure an adequate level of protection for sensitive information. The GDPR has strict guidelines on what provisions a BCR must include, such as:

  • Clear identification and contact information for the group of undertakings or enterprises in the joint activity
  • The scope and description of data processing activities
  • Data subject rights and the means to exercise them
  • Internal audit and remediation guidelines

Once a BCR is drafted, it must be reviewed and approved by the relevant data protection authority before it can be used as a legal basis for data transfers.

If you’re using a BCR as your basis for data transfers, understanding your organization’s role in data processing is essential, as BCRs have different requirements for controllers and processors.

3. Codes of conduct

Codes of conduct are sets of rules created by associations that represent an entire category of organizations. Unlike BCRs, which apply within an individual group of organizations, codes of conduct are intended to cover entire sectors or industries.

The EDPB doesn’t monitor compliance with codes of conduct. Instead, adherence is overseen by a system of accredited bodies. The EDPB still plays a significant role by defining clear accreditation standards for those governing bodies and outlining the conditions for using a code of conduct. 

Typical requirements a code of conduct must address include:

  • Scope of transfers, including the type of data and categories of data subjects
  • Accountability measures guaranteed by the code
  • Transparency protocols
  • Complaint handling procedures

III. Special-case transfers (Article 49)

Even if you can’t rely on an adequacy decision or appropriate safeguards, you may still be able to transfer sensitive data under special conditions, known as derogations. This isn’t a sustainable basis, as the EDPB emphasizes that these types of transfers can only be conducted in specific, exceptional situations.

Before using a derogation, you should also conduct a necessity test to confirm the transfer is strictly required for the situation at hand.

Some of the conditions you need to meet for special-case transfers include:

  • The data subject gives explicit consent
  • The transfer is required to fulfill a contract
  • The transfer is necessary for reasons of public interest
  • The transfer is required to establish, exercise, or defend a legal claim
  • The transfer is necessary to protect the data subject’s vital interests
  • Occasional and nonrepetitive transfers based on legitimate interests

There’s no room for interpretation if you’re relying on special-case transfers as your basis: you must meet the defined criteria.

If a specific situation doesn’t meet the exception criteria, there’s still a very limited space for non-government organizations to execute the transfer. In exceptional cases affecting only a small number of individuals, a transfer may proceed if compelling legitimate interests clearly outweigh the individual’s privacy rights.

Potential challenges of GDPR-aligned data transfers

Meeting the stringent requirements for data transfers is usually one of the most tedious aspects of GDPR compliance. Apart from establishing a legal basis, organizations are required to navigate additional obligations that depend on the transfer mechanism and the recipient country.

The most notable challenges of achieving GDPR-compliant data transfers include:

  • Managing complex requirements across jurisdictions: Organizations must evaluate and adhere to local data laws along with the GDPR. Following the Schrems II ruling, this also includes conducting transfer impact assessments to check if local laws provide adequate protection.
  • Establishing a legal basis and appropriate safeguards: It can be difficult to determine whether data transfers should rely on adequacy, appropriate safeguards, or special exceptions before implementing the necessary measures.
  • Maintaining documentation for accountability tracking: The GDPR requires organizations to keep elaborate records of data transfer impact assessments, contractual agreements, and safeguard mechanisms, which can be demanding for smaller teams.
  • Monitoring ongoing compliance: Even after establishing a transfer mechanism, organizations must continue to monitor local laws and adequacy decisions, update SCCs, and evaluate risks as technologies and practices evolve.
  • Ensuring third-party compliance: Reviewing if vendors meet GDPR requirements can be a complex process for cross-border transfers. This requires a robust vendor risk management process, including mapping and documenting data flows and roles, performing a transfer impact assessment, and verifying the recipients' attestations and certifications.


Manage GDPR compliance efficiently with Vanta

Vanta is a trust management platform that helps organizations efficiently achieve and maintain GDPR compliance by automating up to 50% of the regulation’s requirements. It also provides guidance on how to operationalize compliance requirements, cutting down research time and enabling you to expand into international markets without worrying about non-compliance.

The platform offers a dedicated GDPR solution that comes with:

  • Materials for security awareness training
  • Real-time control monitoring with instant reports
  • Compliance management through a centralized dashboard
  • Automated evidence collection powered by 400+ integrations
  • Pre-built policy templates and a customization tool

If you’ve already achieved or are pursuing alignment with other privacy-relevant frameworks, such as SOC 2 or ISO 27001, Vanta’s cross-mapping feature can map your existing controls to requirements, eliminating duplicative work and saving valuable resources.

Schedule a custom demo to explore how Vanta streamlines GDPR compliance.


Frequently asked questions

Can you transfer personal data to the US under GDPR?

Yes, organizations may transfer data to the US under the GDPR, either under the adequacy decision, if the recipient participates in the Data Privacy Framework, or via other appropriate safeguards.

What is the difference between SCCs and BCRs?

SCCs are standard clauses that organizations incorporate into their contracts to ensure appropriate safeguards for international transfers. BCRs are larger in scale and apply to internal data transfers within multinational groups of organizations and must be specifically approved by the relevant data protection authority.

How does an adequacy decision affect cross-border data transfers?

If you’re transferring data from the EU to a country with an adequacy decision in place, you are not required to implement any additional safeguards.

Do GDPR transfer rules apply to cloud services hosted outside the EU?

Yes. If your cloud provider is outside the EEA, GDPR’s international data transfer rules apply, meaning you need an adequacy decision or additional safeguards for the process.

A note from Vanta: Vanta is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to relevant laws and regulations, you should consult a licensed attorney.
