How to transfer data under the GDPR: 3 general principles

by SecureSlate Team in GDPR


Transferring personal data outside the EU/EEA triggers GDPR Chapter V rules. Organizations often rely on a small set of principles and mechanisms to keep cross-border flows lawful and auditable.

Key takeaways

  • Transfers require the processing itself to be lawful under GDPR, plus a valid Chapter V mechanism.
  • Adequacy decisions are the simplest path when the destination country is approved.
  • Most SaaS stacks use SCCs with Transfer Impact Assessments (TIAs) after Schrems II.
  • Record every recipient country in your records of processing activities (RoPA, Art. 30) and vendor/sub-processor registers, including backup, support and remote-access locations.

This guide covers:

  • Three guiding principles for international transfers
  • Comparison of adequacy, SCCs, BCRs, and derogations
  • TIAs and vendor due diligence
  • Practical checklist for engineering and legal teams


Three general principles for transfers

1. Lawfulness and transparency of the underlying processing

Before transferring, ensure you have a valid Article 6 basis, meet Article 13–14 notice requirements, and respect data minimization. A transfer mechanism does not fix unlawful collection.

2. Adequate protection in the destination

Article 44 requires that the level of protection guaranteed by the GDPR is not undermined when data leaves the EU/EEA. In practice you must ensure protection that is essentially equivalent to the EU's, via one of:

  • Adequacy decision for the destination country/territory, or
  • Appropriate safeguards (SCCs, BCRs, approved codes/certifications), or
  • Derogations for specific situations (narrow, not a default for systematic transfers)

3. Accountability and enforceable rights

Controllers remain responsible for vendor chains. Contracts must allow data subjects to enforce rights, and you must be able to demonstrate assessments (including TIAs) and supplementary measures where needed.


Transfer mechanisms compared

  • Adequacy (Art. 45). Best for: transfers to countries or territories on the Commission's adequacy list, e.g. the UK and Switzerland (check the current list; for the US the 2023 decision covers only organizations certified under the EU-US Data Privacy Framework). Notes: no additional transfer contract is required beyond the normal processing terms (Art. 28 DPA).
  • SCCs (Art. 46). Best for: cloud, SaaS and offshore support. Notes: use the Commission's 2021 SCC modules (controller-to-controller, controller-to-processor, processor-to-processor, processor-to-controller); pick the module that matches each party's role.
  • BCRs (Art. 47). Best for: multinational intragroup transfers. Notes: long approval process with the lead supervisory authority; strong for enterprises, not practical for one-off vendor relationships.
  • Derogations (Art. 49). Best for: one-off transfers based on explicit consent or contract necessity. Notes: not a basis for routine or bulk transfers.

After Schrems II, SCCs alone are not enough: Clause 14 of the 2021 SCCs obliges both parties to assess whether local laws and practices in the destination could prevent the importer from honouring the clauses. That assessment is the TIA, and it covers both the legal environment (government access powers, redress) and the technical measures in place (encryption, access controls).


Transfer impact assessments and vendors

A TIA documents:

  • Destination country and recipient role
  • Nature of data and individuals affected
  • Local laws and government access risk
  • Supplementary measures (encryption in transit and at rest, pseudonymization, access logging). Note the EDPB's position in Recommendations 01/2020: encryption only counts as an effective measure if the keys stay under the exporter's control, outside the reach of the importer and the destination country's authorities; importer-managed keys do not reduce government-access risk.
  • Residual risk conclusion

Maintain TIAs per vendor or per transfer cluster. Update when vendors change regions, subprocessors, or encryption posture.


Operational transfer checklist

  1. Map all storage and processing locations, including backups, log pipelines, ML training sets, and any remote support or admin access from outside the EEA (remote access is a transfer even if the data never moves).
  2. Classify each flow: intra-EEA, adequacy, SCC, BCR, or derogation, and flag anything without a mechanism.
  3. Execute the Art. 28 DPA plus the matching 2021 SCC module with each processor (Module 2 controller-to-processor, Module 3 processor-to-processor for onward sub-processor transfers).
  4. Complete TIAs and store them with the vendor records, with a review date.
  5. Disclose transfers and the mechanism used in privacy notices and in customer DPAs.
  6. Monitor regulatory changes: adequacy reviews, new SCC versions (contracts still on the pre-2021 SCCs had to migrate by 27 December 2022), and supervisory authority guidance.
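The classification in steps 1 and 2 and the TIA check in step 4 are easy to run over a vendor register automatically. The script below is an added example, not code from the original article or from SecureSlate: it walks a constructed register and reports the findings the checklist asks for (missing mechanism, missing SCC module, missing or stale TIA, derogation used for a routine flow). The adequacy set, the EEA list, the review cadence and the vendor rows are placeholders to be replaced with your own maintained data.

```python
"""Vendor register transfer check (added example; all data below is constructed)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumption: the article names the UK and Switzerland as examples and says to check
# the current list. Maintain this set from the Commission's adequacy list, not from here.
ADEQUACY = {"GB", "CH"}
# Partial EEA list (assumption). Intra-EEA flows are not Chapter V transfers.
EEA = {"AT", "BE", "DE", "DK", "ES", "FI", "FR", "IE", "IT", "NL",
       "PL", "PT", "SE", "NO", "IS", "LI"}
TIA_MAX_AGE = timedelta(days=365)   # review cadence; a policy assumption
SCC_MODULES = {1, 2, 3, 4}          # 2021 SCC modules: C2C, C2P, P2P, P2C


@dataclass
class Transfer:
    vendor: str
    country: str                      # ISO 3166-1 alpha-2 of where data is stored, processed or accessed
    mechanism: Optional[str]          # "adequacy", "scc", "bcr", "derogation" or None
    routine: bool = True              # ongoing/systematic flow rather than a one-off
    scc_module: Optional[int] = None
    tia_date: Optional[date] = None


def classify(t: Transfer, today: date) -> tuple[str, list[str]]:
    """Return (classification, findings) for one register row.

    Findings are the gaps a reviewer would have to close before the flow is lawful
    under Chapter V; an empty list means no gap was found by this check."""
    if t.country in EEA:
        return "intra-eea", []
    if t.country in ADEQUACY:
        # Adequacy needs no transfer contract; the normal DPA still applies.
        return "adequacy", []
    findings: list[str] = []
    if t.mechanism == "scc":
        if t.scc_module not in SCC_MODULES:
            findings.append("SCC module not recorded")
        if t.tia_date is None:
            findings.append("no TIA on file")
        elif today - t.tia_date > TIA_MAX_AGE:
            findings.append("TIA older than review cadence")
        return "scc", findings
    if t.mechanism == "bcr":
        return "bcr", findings
    if t.mechanism == "derogation":
        if t.routine:
            findings.append("Art. 49 derogation used for a routine transfer")
        return "derogation", findings
    findings.append("no Chapter V mechanism recorded")
    return "unclassified", findings


def audit(register: list[Transfer], today: date) -> dict[str, tuple[str, list[str]]]:
    """Classify every row; keyed by vendor name."""
    return {t.vendor: classify(t, today) for t in register}


def gaps(register: list[Transfer], today: date) -> list[str]:
    """Vendors that need action, in register order."""
    return [t.vendor for t in register if classify(t, today)[1]]


# Constructed sample register; vendor names and dates are invented.
TODAY = date(2024, 6, 1)
SAMPLE_REGISTER = [
    Transfer("eu-postgres", "DE", None),
    Transfer("uk-support", "GB", "adequacy"),
    Transfer("us-saas", "US", "scc", scc_module=2, tia_date=date(2024, 2, 1)),
    Transfer("us-analytics", "US", "scc"),
    Transfer("in-offshore", "IN", "scc", scc_module=3, tia_date=date(2023, 1, 15)),
    Transfer("us-backup", "US", "derogation", routine=True),
    Transfer("sg-vendor", "SG", None),
]

if __name__ == "__main__":
    for vendor, (kind, findings) in audit(SAMPLE_REGISTER, TODAY).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{vendor:14} {kind:12} {status}")
```

Feed it the vendor register you already keep for RoPA and sub-processor disclosures; the point is that a row without a recorded module or TIA fails review before anyone reads the contract.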

Get audit-ready with SecureSlate

SecureSlate tracks vendor locations, DPAs, sub-processors, and control evidence so transfer compliance stays current as your stack evolves.



FAQ

Can we store EU data only in the EU?

You can adopt EU residency as a policy, but residency only removes the transfer if nobody outside the EEA can reach the data. Support staff, administrators or sub-processors accessing EU-hosted data from a third country still constitute a transfer, so many global SaaS products remain on SCCs and TIAs even with EU hosting. Check where access happens, not just where the disks are.

Do UK transfers need SCCs post-Brexit?

The EU adopted adequacy decisions for the UK in June 2021 with a four-year sunset clause, so no SCCs are needed for EU-to-UK flows while a decision is in force (verify current status and renewals). Transfers out of the UK fall under UK GDPR and use the ICO's International Data Transfer Agreement or the UK Addendum to the EU SCCs rather than the EU SCCs alone.

When are derogations enough?

Derogations are limited exceptions—e.g., explicit consent for a one-off transfer—not a basis for daily database replication to the US.


Disclaimer (legal note)

General information only—not legal advice. Transfer rules evolve with case law and supervisory authority guidance.

