Cross-Border Data Transfer Regulations: Navigating International Data Flows
85% of global businesses transfer personal data across borders, yet only 34% have documented transfer mechanisms in place. After Schrems II invalidated the EU-US Privacy Shield in 2020, cross-border data transfers became one of the most complex areas of data protection law. The EU-US Data Privacy Framework partially restored legal certainty for US transfers, but the broader landscape of global data transfer restrictions continues to expand.
This guide maps the current state of cross-border data transfer regulations and provides practical implementation guidance for businesses operating internationally.
Key Takeaways
- The EU recognizes only 15 countries as providing "adequate" data protection --- all other transfers need additional mechanisms
- Standard Contractual Clauses (SCCs) are the most common transfer mechanism but now require supplementary Transfer Impact Assessments
- Data localization requirements are growing: China, Russia, India, and Saudi Arabia restrict certain data from leaving the country
- The EU-US Data Privacy Framework provides a transfer mechanism for US companies that self-certify
Transfer Mechanism Hierarchy
Under GDPR, personal data can only leave the EEA using one of these mechanisms (in order of simplicity):
1. Adequacy Decisions
The European Commission has determined these countries provide adequate protection:
| Country/Territory | Adequacy Decision Date | Status |
|---|---|---|
| Andorra | 2010 | Active |
| Argentina | 2003 | Active |
| Canada (PIPEDA) | 2001 | Active (commercial sector only) |
| Faroe Islands | 2010 | Active |
| Guernsey | 2003 | Active |
| Israel | 2011 | Active |
| Isle of Man | 2004 | Active |
| Japan | 2019 | Active |
| Jersey | 2008 | Active |
| New Zealand | 2012 | Active |
| Republic of Korea | 2022 | Active |
| Switzerland | 2000 | Active |
| United Kingdom | 2021 | Active (until June 2025, expected renewal) |
| Uruguay | 2012 | Active |
| United States | 2023 (DPF) | Active (DPF participants only) |
If your data goes to an adequate country: No additional transfer mechanism is needed. Process it like an intra-EEA transfer.
If not on the list: You need one of the mechanisms below.
2. Standard Contractual Clauses (SCCs)
SCCs are the most commonly used transfer mechanism: pre-approved contract templates that bind the data importer to GDPR-equivalent protections.
Four modules (use the relevant one):
| Module | Parties | Scenario |
|---|---|---|
| Module 1 | Controller to Controller | Sharing customer data with a foreign partner |
| Module 2 | Controller to Processor | Using a foreign cloud provider or SaaS vendor |
| Module 3 | Processor to Processor | Your processor uses a foreign sub-processor |
| Module 4 | Processor to Controller | Foreign controller instructs EU-based processor |
Implementation steps:
- Identify all data transfers outside the EEA
- Select the appropriate SCC module for each transfer
- Complete the annexes (data categories, security measures, sub-processors)
- Conduct a Transfer Impact Assessment (TIA) for each receiving country
- Sign the SCCs with the data importer
- Implement any supplementary measures identified in the TIA
3. Binding Corporate Rules (BCRs)
BCRs are for multinational companies transferring data between group entities. They are approved by a lead supervisory authority and provide a framework for intra-group transfers globally.
Pros: Once approved, BCRs cover all group entities and all transfer scenarios.
Cons: 12-24 month approval process, significant cost ($100K+), and available only for transfers between group entities.
4. EU-US Data Privacy Framework (DPF)
US companies can self-certify under the DPF, providing an adequacy-like transfer mechanism:
- Company registers with the US Department of Commerce
- Company publishes a DPF-compliant privacy policy
- Company commits to DPF principles (notice, choice, onward transfer, security, data integrity, access, recourse)
- Annual re-certification required
Limitation: Only covers transfers to DPF-certified companies. Check the DPF list before relying on this mechanism.
Transfer Impact Assessments (TIAs)
When Required
After Schrems II, TIAs are required for all SCC-based transfers to non-adequate countries. The TIA evaluates whether the receiving country's laws undermine the protections in the SCCs.
TIA Framework
| Assessment Element | Key Questions |
|---|---|
| Data characteristics | What data? How sensitive? Volume? |
| Receiving country laws | Government surveillance laws? Compelled access? |
| Legal protections | Independent judiciary? Data protection authority? |
| Practical experience | Has the importer received government access requests? |
| Supplementary measures | Can technical measures negate legal risks? |
TIA Outcome Decision Tree
```text
Does the receiving country have an adequacy decision?
  Yes --> No TIA needed
  No  --> Conduct TIA
          |
          Does the receiving country have laws enabling
          disproportionate government access to personal data?
            No  --> SCCs sufficient
            Yes --> Can supplementary measures effectively prevent access?
                      Yes --> Implement measures + proceed with SCCs
                      No  --> Transfer cannot proceed
```
Supplementary Measures
| Measure | Effectiveness | Use Case |
|---|---|---|
| Encryption (customer-held keys) | High | Data at rest and in transit |
| Pseudonymization | High | Analytics, reporting |
| Split processing | Medium | Sensitive fields processed in EEA only |
| Contractual restrictions | Low-medium | Additional commitments from importer |
| Audit rights | Low | Verification, not prevention |
Data Localization Requirements
Countries with Data Localization Laws
| Country | Requirement | Scope | Penalty |
|---|---|---|---|
| China (PIPL + CSL) | Critical data and important data must be stored in China; security assessment for outbound transfers | Broad | Up to 5% revenue |
| Russia (Federal Law 242-FZ) | Initial processing and storage of Russian citizen data must occur in Russia | Russian citizen data | Blocking of services |
| India (DPDP Act) | Critical personal data must be processed in India (rules pending) | To be defined | Up to INR 250 crore |
| Saudi Arabia (PDPL) | Sensitive data may require local processing; transfer restrictions | Personal data | Up to SAR 5M |
| Vietnam (PDPD) | Important data to be stored domestically; TIA for cross-border transfers | Vietnamese citizen data | Administrative penalties |
| Indonesia (PDP Law) | Government sector data may require local processing | Government data | Administrative sanctions |
| Turkey (KVKK) | Transfer requires consent or specific legal basis + Board approval | Personal data | TRY 1.8M |
Impact on Cloud Architecture
Data localization affects cloud infrastructure decisions:
| Scenario | Architecture Implication |
|---|---|
| China localization | Separate cloud region in China (AWS China, Alibaba Cloud) |
| Russia localization | Local servers or local cloud provider |
| EU-only processing | Select EU cloud regions; ensure no data replication to non-EU regions |
| Multi-region with restrictions | Hub-and-spoke architecture with regional databases |
Practical Implementation for Common Scenarios
Scenario 1: EU Company Using US SaaS
Transfer mechanism: Check if vendor is DPF-certified first. If yes, DPF provides the basis. If not, implement SCCs (Module 2: Controller to Processor).
Scenario 2: Global Company with Centralized HR
Transfer mechanism: BCRs for intra-group transfers, or SCCs between each entity pair. Implement TIAs for transfers to high-risk countries.
Scenario 3: eCommerce Serving EU Customers from US Infrastructure
Transfer mechanism: SCCs between your EU entity (or EU representative) and your US infrastructure. Encrypt customer data with keys held in the EU.
Scenario 4: Odoo ERP for Multi-Country Operations
Transfer mechanism: If hosted in the EU, transfers occur when: (1) employees in non-EU countries access the system (remote access is a transfer), (2) data is replicated to non-EU backup locations, (3) support staff in non-EU countries access customer/employee data. Implement SCCs for each access point and use Odoo access groups to limit data visibility by geography.
Compliance Checklist
- Map all cross-border data transfers (what data, where, to whom, why)
- Verify adequacy status of each receiving country
- Implement appropriate transfer mechanism (SCCs, DPF, BCRs) for non-adequate countries
- Complete Transfer Impact Assessments for SCC-based transfers
- Implement supplementary measures where TIAs identify risks
- Update privacy policies to disclose international transfers
- Include transfer provisions in vendor DPAs
- Review transfer mechanisms annually or when receiving country laws change
- Maintain documentation of all transfer assessments and decisions
Frequently Asked Questions
Is the EU-US Data Privacy Framework safe to rely on?
The DPF is currently valid and provides a legal basis for transfers to certified US companies. However, it faces a legal challenge (La Quadrature du Net) similar to those that invalidated Safe Harbor and Privacy Shield. Prudent organizations use the DPF but also have SCCs as a backup transfer mechanism. If the DPF is invalidated, you can fall back to SCCs without interrupting data flows.
What happens if we transfer data without a valid mechanism?
Unauthorized transfers are a direct GDPR violation, subject to fines of up to EUR 20 million or 4% of global annual turnover. Beyond fines, supervisory authorities can order the suspension of data transfers, which can disrupt business operations. Meta was fined EUR 1.2 billion in 2023 for unauthorized EU-US transfers --- the largest GDPR fine ever.
Do SCCs cover all types of data transfers?
SCCs cover most commercial data transfer scenarios through four modules. However, SCCs are not suitable for transfers by public authorities acting in the exercise of public powers. For those cases, international agreements or specific derogations under Article 49 may apply.
How do cross-border requirements affect our Odoo deployment?
If your Odoo instance is hosted in the EU and accessed by employees or partners outside the EU, each remote access point constitutes a data transfer. Implement Odoo access groups to ensure non-EU users can only see data they need. Use VPN connections for encrypted remote access. If hosting Odoo outside the EU, implement SCCs with the hosting provider and ensure database encryption. ECOSIRE's Odoo infrastructure services include compliance-aware deployment configurations.
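Scenario 4 above and this answer both recommend limiting data visibility by geography with Odoo access groups. The data file below is an added example, not code from this page, from Odoo or from ECOSIRE: it assumes a custom module (the XML ids `group_non_eea_staff` and `rule_partner_non_eea_only` are placeholders) and restricts members of a "non-EEA staff" group to partner records whose country lies outside the EEA, so their sessions never pull EEA personal data out of the region.

```xml
<?xml version="1.0" encoding="utf-8"?>
<odoo>
    <!-- Added example; module name and XML ids are assumed placeholders. -->

    <!-- Group for staff whose Odoo sessions originate outside the EEA. -->
    <record id="group_non_eea_staff" model="res.groups">
        <field name="name">Data Access / Non-EEA staff</field>
    </record>

    <!-- Record rule on res.partner: members of the group can only read,
         write, create or delete partners whose country is set AND lies
         outside the EEA (EU-27 plus Iceland, Liechtenstein and Norway).
         Consecutive domain terms are ANDed; the explicit country_id check
         stops partners with no country from slipping past the "not in" test. -->
    <record id="rule_partner_non_eea_only" model="ir.rule">
        <field name="name">Partners: non-EEA staff see non-EEA partners only</field>
        <field name="model_id" ref="base.model_res_partner"/>
        <field name="groups" eval="[(4, ref('group_non_eea_staff'))]"/>
        <field name="domain_force">
            [('country_id', '!=', False),
             ('country_id.code', 'not in', [
                 'AT','BE','BG','HR','CY','CZ','DK','EE','FI','FR','DE','GR',
                 'HU','IE','IT','LV','LT','LU','MT','NL','PL','PT','RO','SK',
                 'SI','ES','SE','IS','LI','NO'])]
        </field>
        <field name="perm_read" eval="True"/>
        <field name="perm_write" eval="True"/>
        <field name="perm_create" eval="True"/>
        <field name="perm_unlink" eval="True"/>
    </record>
</odoo>
```

Record rules attached to the groups a user belongs to are combined with OR, so a non-EEA user who also sits in a group with a broader partner rule sees the union; keep such users out of those groups and verify the result by logging in as a test user from each region.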
What Comes Next
Cross-border transfer compliance is one piece of the data governance puzzle. Combine it with data governance fundamentals, vendor contract management for DPAs with international vendors, and employee data privacy for workforce data transfers.
Contact ECOSIRE for cross-border compliance consulting and international data flow mapping.
Published by ECOSIRE -- helping businesses move data across borders with confidence and compliance.
Written by
ECOSIRE Team, Technical Writing
The ECOSIRE technical writing team covers Odoo ERP, Shopify eCommerce, AI agents, Power BI analytics, GoHighLevel automation, and enterprise software best practices. Our guides help businesses make informed technology decisions.