International data transfers

Read more about international data transfers as part of the GDPR framework governing how personal data may be transferred outside the EU and EEA.

Glossary
International data transfers

Explained – what does International data transfers mean?

International data transfers refer to situations where personal data is transferred from the EU or EEA to a third country. Under the GDPR, this may only occur under specific conditions, for example via an adequacy decision or by using standard contractual clauses (sccs). Because the issue often involves complex legal assessments, it is common for a lawyer to support the organisation. The concept is particularly relevant in areas such as cloud services, outsourcing and international group structures and sits within the wider context of GDPR international transfers.

When do questions about International data transfers arise?

Questions about International data transfers arise when companies or public bodies use services, suppliers or partners located outside the EU or EEA. They also arise when a corporate group transfers data between subsidiaries in different countries. For example, organisations often need to assess transfers when using US IT vendors, during global HR administration, or when sharing customer data across markets as part of GDPR international transfers.

Illustration of international data transfers showing EU cloud data flows and cross-border data movement, representing GDPR compliance, data transfer mechanisms, and international data protection rules.

Points to consider for International data transfers

When organisations plan or carry out international data transfers, they should pay particular attention to the following:

Map which personal data is transferred and to which country, and identify the transfer mechanism.
Ensure the transfer has a lawful basis under the GDPR and an adequate level of protection at destination.
Use standard contractual clauses (sccs) or other approved safeguards where required (sometimes referred to as standard contract clauses gdpr).
Undertake a transfer impact assessment (TIA) of the recipient country’s laws and protections and document any supplementary measures.
Record all decisions and considerations to meet the accountability principle.
Inform data subjects if their personal data may be transferred internationally.

By following these steps, organisations can strengthen compliance and build trust with customers and employees while managing cross border data transfers responsibly.

International data transfers

Why are international data transfers important?

International data transfers matter because they affect the protection of individuals’ rights when data leaves the EU or EEA. The GDPR is clear that the protection level must not be undermined, even if the data is processed in a third country. Each organisation must therefore ensure appropriate safeguards are in place for any transfer of personal data outside EU.

For many companies, international data transfers are essential to operations. Cloud services, digital platforms and global supply chains often entail cross-border flows of personal data. By understanding and applying the rules—such as the use of sccs, conducting a transfer impact assessment, and confirming whether an adequacy decision exists—organisations can avoid sanctions and implement sustainable data protection solutions.

Ultimately, it is not only about formal compliance but also about respecting individuals’ privacy. A structured approach fosters lasting confidence among both customers and business partners.

An international data transfer means personal data is transferred from the EU or EEA to a country outside those areas.

They are used when personal data is transferred to a country without an adequacy decision, or as an alternative transfer mechanism if such a decision ceases to apply. Standard contractual clauses (sccs) are a legal tool to ensure GDPR requirements are met, often complemented by supplementary measures based on a transfer impact assessment.

The Court of Justice of the EU (Schrems II) invalidated the EU–US Privacy Shield. Organisations transferring data to the US therefore had to rely on other mechanisms and assess the recipient country’s protection level. Privacy Shield has been replaced by the eu us data privacy framework (dpf). There is ongoing debate about future challenges, sometimes referred to as “Schrems III”.

The controller holds primary responsibility, even where processors or vendors are involved.

An adequacy decision is adopted by the European Commission (often described as an EU Commission adequacy decision) and confirms that the recipient country ensures an adequate level of protection. If no such decision exists, standard contractual clauses can be used.

Adequacy decision: decision by the European Commission.
Standard contractual clauses: contracts between the parties that may require supplementary measures.
Both aim to safeguard personal data during transfers.

Establish clear procedures for risk assessment and selecting the transfer mechanism before any transfer occurs. Involve the data protection officer early and train staff handling personal data on the specific requirements for transfers outside the EU and EEA.

Define the transfer purpose and the personal data in scope.
Identify the destination country and applicable safeguards (e.g., sccs under the GDPR international transfers regime).
Document the entire process to demonstrate the accountability principle.
Ensure suppliers or partners meet GDPR standards; where relevant, consider the eu us data privacy framework and outcomes of any transfer impact assessment.