GDPR International Data Transfers: Rules & Requirements

International Data Transfers Under the GDPR

International data transfers are one of the most challenging and misunderstood areas of GDPR compliance. This topic affects nearly every modern organisation, from small businesses using email marketing tools to global enterprises operating across multiple jurisdictions.

When personal data leaves the European Economic Area (EEA), GDPR imposes strict rules to ensure individuals’ rights remain protected regardless of where the data goes. This page provides a comprehensive breakdown of the legal framework, transfer mechanisms, risk assessments, practical steps, and templates required for compliant international data transfers.

It includes:

  • Full explanation of GDPR Articles 44–50
  • Adequacy decisions
  • Standard Contractual Clauses (SCCs)
  • Transfer Impact Assessments (TIAs)
  • Data Privacy Framework (DPF)
  • Derogations
  • Third-country risk matrices
  • Decision-making flowchart
  • Real-world examples (AWS, Mailchimp, Google, HubSpot)
  • Internal compliance procedures

1. What Is an International Data Transfer?

Under the EDPB's Guidelines 05/2021, a transfer takes place when all three of the following apply:

  • The exporter (a controller or processor) is subject to the GDPR for the processing in question
  • The exporter discloses personal data, or makes it accessible, to a separate controller or processor (the importer)
  • The importer is located in a "third country" (outside the EEA) or is an international organisation, whether or not the importer is itself subject to the GDPR

"Transfer" therefore includes:

  • Remote access from outside the EEA by a separate entity (e.g., a contractor's or affiliate's support staff in India accessing EU systems)
  • Cloud hosting located outside the EEA
  • Outsourcing services
  • Cross-border transfers between companies in the same group (each company is a separate controller or processor)
  • Use of non-EEA SaaS, CRM, analytics, or email platforms

Whether the importer "stores" the data or merely "accesses" it makes no difference: making data readable from a third country is a transfer. What is not a transfer is an employee of the EEA controller reading that controller's own data while abroad, because there is no separate importer; that access is still processing and must be secured (device encryption, MFA, access logging), but Articles 44–50 are not engaged.

Common Real-World Transfer Scenarios

  Activity                            | Example                                                   | Transfer?
  Using US-based email marketing      | Mailchimp, HubSpot                                        | Yes
  Using cloud hosting outside EEA     | AWS US-East, Azure US                                     | Yes
  Remote support by a third party     | Contractor's developers in India accessing the EU CRM     | Yes
  Travel with a company laptop        | Own employee accessing the customer database from Thailand | No (same controller, EDPB 05/2021); security measures still apply
  Using tracking/analytics tools      | Google Analytics (GA4)                                    | Yes
  Sending data to a UK CRM            | CRM hosted in London                                      | Yes (covered by the UK adequacy decision)

2. Legal Framework (Articles 44–50 GDPR)

The transfer rules are set out in Chapter V of the GDPR:

  • Article 44 – General principle: a transfer is allowed only if the conditions of Chapter V are met, so that the level of protection guaranteed by the GDPR is not undermined
  • Article 45 – Adequacy decisions
  • Article 46 – Appropriate safeguards (SCCs, BCRs, approved codes of conduct and certifications, ad hoc clauses authorised by a supervisory authority)
  • Article 47 – Binding Corporate Rules
  • Article 48 – A third-country court order or administrative decision is not, by itself, a lawful basis for a transfer unless it rests on an international agreement such as a mutual legal assistance treaty
  • Article 49 – Derogations for specific situations
  • Article 50 – International cooperation between supervisory authorities

Failure to comply can result in:

  • Fines up to €20 million or 4% of worldwide annual turnover, whichever is higher (Article 83(5)(c))
  • Orders to suspend data flows or stop using a service provider (Article 58(2)(j))
  • Investigation of data-handling practices
  • Legal claims and compensation demands from individuals (Articles 79 and 82)

3. The Three Legal Paths for International Transfers

Path 1: Adequacy Decisions (Safest + Easiest)

The European Commission can declare that a country, a territory, a sector within a country, or an international organisation ensures an "adequate" level of protection (Article 45). Transfers covered by an adequacy decision need no further authorisation.

Jurisdictions with an Adequacy Decision

  • Andorra
  • Argentina
  • Canada (commercial organisations covered by PIPEDA)
  • Faroe Islands
  • Guernsey, Isle of Man, Jersey
  • Israel
  • Japan (private-sector organisations)
  • New Zealand
  • South Korea
  • Switzerland
  • United Kingdom
  • Uruguay
  • USA (ONLY for companies certified under the EU-US Data Privacy Framework; check the importer's entry on the DPF list, because certification is per legal entity and must be renewed annually)

If your provider is located in an adequate country (or is a DPF-certified US entity), no SCCs or TIAs are needed for the transfer itself. Two caveats: adequacy decisions are reviewed periodically and can be invalidated by the CJEU, as Safe Harbour and Privacy Shield were, so record which decision you rely on and monitor it; and an Article 28 processing agreement is still required whenever the recipient is a processor.

Path 2: Appropriate Safeguards (Most Common)

Used when transferring to a non-adequate country.

1. Standard Contractual Clauses (SCCs)

The most widely used mechanism after the Schrems II ruling (C-311/18, July 2020). The current SCCs were adopted by Commission Implementing Decision (EU) 2021/914 and replaced the 2001, 2004 and 2010 sets, which could no longer be relied on after 27 December 2022. They come in four modules (controller-to-controller, controller-to-processor, processor-to-processor, processor-to-controller); pick the module that matches the roles of the parties and do not alter the clauses themselves.

Using the SCCs requires:

  • Signing the unmodified clauses with the correct module and completed annexes (parties, description of the transfer, technical and organisational measures, sub-processor list)
  • Technical and organisational measures that are actually implemented, not merely listed in Annex II
  • A Transfer Impact Assessment (TIA), which Clause 14 obliges both parties to document
  • Ongoing monitoring of third-country laws and practices, with suspension of the transfer if the clauses can no longer be complied with
  • Sub-processor transparency (prior notice or specific authorisation under Clause 9, depending on the option chosen)

2. Binding Corporate Rules (BCRs)

Used for transfers within a multinational group (Article 47). BCRs bind every group entity, must be approved by the competent supervisory authority under the Article 63 consistency mechanism, and also require a TIA for the third countries they cover.

3. Codes of Conduct / Certification

Rare, but legally valid (Article 46(2)(e) and (f)) once approved by a supervisory authority or the Commission.

Path 3: Derogations (Last Resort)

Article 49 lists exceptions, not regular mechanisms:

  • Explicit consent, given after the individual has been informed of the risks of a transfer without adequacy or safeguards
  • Necessity for a contract with the individual, or for a contract concluded in the individual's interest
  • Important reasons of public interest
  • Establishment, exercise or defence of legal claims
  • Vital interests, where the person is unable to consent
  • Data taken from a public register
  • Compelling legitimate interests of the controller, for a non-repetitive transfer concerning a limited number of people, with the supervisory authority informed

The EDPB (Guidelines 2/2018) reads the derogations restrictively: they cover occasional, non-repetitive transfers and cannot serve as the routine basis for a recurring data flow such as a SaaS tool.


4. Transfer Impact Assessment (TIA)

A TIA is mandatory when transferring under SCCs (Clause 14) and, following Schrems II, whenever an Article 46 tool is relied on, BCRs included. It is the exporter's documented conclusion that the laws and practices of the destination country do not prevent the importer from honouring the safeguards.

You must evaluate:

  • Nature of the data (special-category data raises the stakes)
  • Categories of individuals
  • Purpose of the transfer
  • Third-country laws, especially surveillance and compelled-disclosure powers
  • Likelihood that those powers will be used against this data in practice
  • Security measures already in place
  • Ability of the importer to comply with the SCCs
  • Need for supplementary measures (EDPB Recommendations 01/2020)

TIA Risk Levels (Simplified)

  Risk      | Description                                          | Transfer Allowed?
  Low       | Strong encryption, minimal data                      | Yes
  Medium    | No sensitive data, cloud-hosted                      | Yes (with supplementary measures)
  High      | Sensitive data + surveillance risks                  | Only if supplementary measures demonstrably close the gap; otherwise no
  Critical  | Government access likely and no measure prevents it  | No

5. Supplementary Measures

Where the TIA finds that third-country law undermines the SCCs, the EDPB expects supplementary measures. Only technical measures hold up against a compelled disclosure, because a contract cannot bind a foreign authority.

Technical Measures

  • End-to-end encryption, with keys held exclusively by the exporter or another trusted entity in the EEA or an adequate country
  • Pseudonymisation with a keyed function, where the re-identification key and lookup data never leave the EEA
  • Split processing, so that no single importer receives enough data to identify anyone
  • Bring-your-own-key solutions, with the caveat that a key stored in the importer's own KMS and usable by the importer's services gives no protection against a disclosure order served on the importer; only keys the importer can never access count
  • Local storage of sensitive fields, exporting only the attributes the service needs

Contractual Measures

  • Audit rights
  • Transparency requirements (reporting of government access requests)
  • Commitments not to build or permit backdoors
  • Strict access limitations

Contractual measures strengthen the position but cannot, on their own, overcome a law that compels disclosure; they supplement the technical measures rather than replace them.

Organisational Measures

  • Staff training
  • Incident response plans
  • Vendor risk management
  • Clear transfer policies
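
Keyed pseudonymisation and field splitting are the two technical measures a small team can implement without changing vendors, and the point that matters for the TIA is that the importer receives nothing it can reverse. The following Python is an added example written for this page, not code from any vendor, regulator or the EDPB. The field names, the sample records and the attacker's guess list are constructed for illustration; the key is assumed to live in an EEA-controlled KMS or HSM that the importer never sees. It also shows why an unkeyed hash of an e-mail address is not pseudonymisation: anyone who can guess the address can recompute the hash.

```python
"""Keyed pseudonymisation plus field split before exporting personal data
from the EEA to a non-EEA processor (standard library only).

Added example for this page; not code from any vendor or regulator.
Field names, sample records and the guess list are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Direct identifiers and special-category fields stay in the EEA; only a
# keyed token and non-identifying attributes leave (constructed names).
DIRECT_IDENTIFIERS = {"email", "full_name", "phone"}
SENSITIVE_FIELDS = {"health_note"}

# Constructed sample records; not real people.
EU_RECORDS = [
    {"email": "Anna.Example@example.org", "full_name": "Anna Example",
     "phone": "+49 30 0000000", "country": "DE", "plan": "pro",
     "health_note": "allergy: penicillin", "last_login_days": 3},
    {"email": "b.sample@example.net", "full_name": "Bo Sample",
     "phone": "+33 1 00000000", "country": "FR", "plan": "free",
     "health_note": "", "last_login_days": 41},
]


def normalise(value: str) -> str:
    """Canonical form so the same person always maps to one token."""
    return value.strip().lower()


def pseudonym(key: bytes, value: str) -> str:
    """HMAC-SHA256 token. Without `key` the token cannot be linked back,
    even if the attacker can guess the input (contrast `unkeyed_hash`)."""
    return hmac.new(key, normalise(value).encode(), hashlib.sha256).hexdigest()


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256 of the identifier: NOT pseudonymisation in the EDPB
    sense, because anyone can hash a guessed e-mail and compare."""
    return hashlib.sha256(normalise(value).encode()).hexdigest()


def split_record(key: bytes, record: dict) -> tuple[dict, dict]:
    """Return (export_view, eea_view). The export view carries only the
    token and non-identifying attributes; identifiers and special-category
    data stay in the EEA view, indexed by the same token."""
    token = pseudonym(key, record["email"])
    export_view = {"subject_token": token}
    eea_view = {"subject_token": token}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field in SENSITIVE_FIELDS:
            eea_view[field] = value
        else:
            export_view[field] = value
    return export_view, eea_view


def prepare_export(key: bytes, records: list[dict]) -> tuple[list[dict], dict]:
    """Build the batch sent to the importer and the EEA-only lookup table
    (token -> identity) that the exporter keeps."""
    batch, lookup = [], {}
    for record in records:
        export_view, eea_view = split_record(key, record)
        batch.append(export_view)
        lookup[export_view["subject_token"]] = eea_view
    return batch, lookup


def reidentify(lookup: dict, token: str) -> Optional[dict]:
    """Only possible on the EEA side, where the lookup table lives."""
    return lookup.get(token)


def dictionary_attack(guesses: list[str], target: str, digest) -> Optional[str]:
    """Importer-side attacker: run each guessed e-mail through `digest`
    and compare with the token it received."""
    for guess in guesses:
        if digest(guess) == target:
            return normalise(guess)
    return None


if __name__ == "__main__":
    # In production the key is generated and kept in an EEA-controlled
    # KMS/HSM (assumption) and is never shared with the importer.
    key = secrets.token_bytes(32)
    batch, lookup = prepare_export(key, EU_RECORDS)
    print("sent to importer:", batch)
    guesses = ["anna.example@example.org", "b.sample@example.net"]
    weak = unkeyed_hash(EU_RECORDS[0]["email"])
    print("unkeyed hash recovered:", dictionary_attack(guesses, weak, unkeyed_hash))
    print("keyed token recovered :", dictionary_attack(guesses, batch[0]["subject_token"], unkeyed_hash))
```

The export batch is what would be sent to the non-EEA processor; the lookup table, the key and the special-category fields never leave the exporter. For the TIA this lets you state precisely which data classes are exposed in the third country and why a disclosure order served on the importer yields no identities.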

6. Real-World Examples

Mailchimp / HubSpot

  • Hosted in the US
  • Requires SCCs and a TIA unless the US contracting entity is certified under the Data Privacy Framework; verify the entity on the DPF list rather than relying on marketing pages
  • The Bavarian DPA (BayLDA) found a Mailchimp user's transfer unlawful in 2021 because no TIA had been carried out
  • EU-hosted alternatives exist

Google Analytics

  • Between 2022 and 2023 several EU DPAs (Austria, France and Italy among them) found websites' use of Google Analytics unlawful, because the measures Google offered did not protect the data sent to Google LLC against US surveillance law; those decisions predate the DPF, so re-check Google LLC's DPF status and the ePrivacy consent requirement, which the DPF does not remove
  • The page's assessment is that GA4 does not change this outcome without substantial measures (IP truncation, server-side proxying, consent)
  • Alternatives: Matomo, Plausible, Fathom (self-hosted or EU-hosted)

AWS

  • EU hosting possible; choose EU regions and confirm that support access, backups and telemetry flows also stay in the EEA
  • US hosting requires SCCs + TIA

Remote Developers

Remote access from India, Pakistan or the Philippines by an external contractor or a separate group company = transfer.

Requires SCCs and a TIA, plus access controls proportionate to the risk: VPN or zero-trust access, least-privilege accounts, and audit logs. If the developers are direct employees of the EEA company, the access is not a transfer under EDPB Guidelines 05/2021, but the same access controls still apply.


7. High-Risk Third Countries

Countries with strong surveillance laws increase risk:

  • United States (non-DPF)
  • China
  • Russia
  • India
  • Turkey
  • UAE
  • Egypt

Third Country Risk Matrix (simplified; the rating for a specific transfer comes from its TIA)

  Country              | Surveillance Risk | Data Access Laws | Risk Level
  USA (DPF-certified)  | Moderate          | Strong           | Medium
  USA (non-certified)  | High              | Very strong      | High
  India                | High              | Broad            | High
  China                | Critical          | Full access      | Critical
  UK                   | Low               | Reasonable       | Low
  Japan                | Low               | Adequate         | Low

8. International Transfer Decision Flowchart

          Is the recipient in the EEA?
                     │
                     ├── Yes → No transfer → GDPR applies normally
                     │
                     └── No
                          │
           Does the country have an adequacy decision?
                     │
         ┌───────────┴───────────┐
         │                       │
       Yes                     No
         │                       │
   Transfer allowed      Is an Art. 46 safeguard in place
   (record the basis)    (SCCs, BCRs, approved code or certification)?
                                │
                      ┌─────────┴─────────┐
                      │                   │
                    Yes                  No
                      │                   │
           Conduct Transfer Impact   Occasional transfer covered by
                Assessment (TIA)     an Art. 49 derogation?
                      │                   │
                      │              ┌────┴────┐
          Are supplementary        Yes        No
          measures adequate?        │          │
                      │         Transfer     Cannot
             ┌────────┴────────┐ permitted   transfer
             │                 │ (document it)
           Yes                No
             │                 │
    Transfer permitted    Transfer prohibited

9. Internal Compliance Requirements

  • Maintain a Register of International Transfers
  • Conduct TIAs before using vendors
  • Keep updated SCCs
  • Document all supplementary measures
  • Audit vendor compliance regularly
  • Ensure processors disclose sub-processors

10. Templates

International Transfer Register (Example)

  Vendor             | Country | Mechanism        | TIA Completed? | Risk   | Status
  Mailchimp          | USA     | SCCs             | Yes            | Medium | Approved
  AWS                | USA     | SCCs + EU region | Yes            | Low    | Approved
  Internal Dev Team  | India   | SCCs             | Yes            | High   | Restricted

11. When Transfers Are Prohibited

Transfers must be blocked when:

  • TIA shows high or critical risk
  • Supplementary measures cannot mitigate risks
  • Government access probability is high
  • Provider cannot comply with SCCs
  • Provider refuses transparency

If in doubt, the transfer must not proceed.


12. Key Takeaways

  • Most organisations rely on SCCs
  • TIAs are mandatory for SCC- and BCR-based transfers
  • US-based tools require careful assessment
  • Adequacy is always the simplest mechanism
  • Derogations are for exceptional cases only
  • Documentation is essential to prove compliance