Cross-Border Data Transfer Regulations: Navigating International Data Flows
85% of global businesses transfer personal data across borders, yet only 34% have documented transfer mechanisms in place. After Schrems II invalidated the EU-US Privacy Shield in 2020, cross-border data transfers became one of the most complex areas of data protection law. The EU-US Data Privacy Framework partially restored legal certainty for US transfers, but the broader landscape of global data transfer restrictions continues to expand.
This guide maps the current state of cross-border data transfer regulations and provides practical implementation guidance for businesses operating internationally.
Key Takeaways
- The EU recognizes only 15 countries as providing "adequate" data protection --- all other transfers need additional mechanisms
- Standard Contractual Clauses (SCCs) are the most common transfer mechanism but now require supplementary Transfer Impact Assessments
- Data localization requirements are growing: China, Russia, India, and Saudi Arabia restrict certain data from leaving the country
- The EU-US Data Privacy Framework provides a transfer mechanism for US companies that self-certify
Transfer Mechanism Hierarchy
Under GDPR, personal data can only leave the EEA using one of these mechanisms (in order of simplicity):
1. Adequacy Decisions
The European Commission has determined these countries provide adequate protection:
| Country/Territory | Adequacy Decision Date | Status |
|---|---|---|
| Andorra | 2010 | Active |
| Argentina | 2003 | Active |
| Canada (PIPEDA) | 2001 | Active (commercial sector only) |
| Faroe Islands | 2010 | Active |
| Guernsey | 2003 | Active |
| Israel | 2011 | Active |
| Isle of Man | 2004 | Active |
| Japan | 2019 | Active |
| Jersey | 2008 | Active |
| New Zealand | 2012 | Active |
| Republic of Korea | 2022 | Active |
| Switzerland | 2000 | Active |
| United Kingdom | 2021 | Active (until June 2025, expected renewal) |
| Uruguay | 2012 | Active |
| United States | 2023 (DPF) | Active (DPF participants only) |
If your data goes to an adequate country: No additional transfer mechanism is needed. Process it like an intra-EEA transfer.
If not on the list: You need one of the mechanisms below.
2. Standard Contractual Clauses (SCCs)
The most commonly used transfer mechanism. SCCs are pre-approved contract templates that bind the data importer to GDPR-equivalent protections.
Four modules (use the relevant one):
| Module | Parties | Scenario |
|---|---|---|
| Module 1 | Controller to Controller | Sharing customer data with a foreign partner |
| Module 2 | Controller to Processor | Using a foreign cloud provider or SaaS vendor |
| Module 3 | Processor to Processor | Your processor uses a foreign sub-processor |
| Module 4 | Processor to Controller | Foreign controller instructs EU-based processor |
Implementation steps:
- Identify all data transfers outside the EEA
- Select the appropriate SCC module for each transfer
- Complete the annexes (data categories, security measures, sub-processors)
- Conduct a Transfer Impact Assessment (TIA) for each receiving country
- Sign the SCCs with the data importer
- Implement any supplementary measures identified in the TIA
3. Binding Corporate Rules (BCRs)
For multinational companies transferring data between group entities. BCRs are approved by a lead supervisory authority and provide a framework for intra-group transfers globally.
Pros: Once approved, covers all group entities and all transfer scenarios
Cons: 12-24 month approval process, significant cost ($100K+), only for group entities
4. EU-US Data Privacy Framework (DPF)
US companies can self-certify under the DPF, providing an adequacy-like transfer mechanism:
- Company registers with the US Department of Commerce
- Company publishes a DPF-compliant privacy policy
- Company commits to DPF principles (notice, choice, onward transfer, security, data integrity, access, recourse)
- Annual re-certification required
Limitation: Only covers transfers to DPF-certified companies. Check the DPF list before relying on this mechanism.
Transfer Impact Assessments (TIAs)
When Required
After Schrems II, TIAs are required for all SCC-based transfers to non-adequate countries. The TIA evaluates whether the receiving country's laws undermine the protections in the SCCs.
TIA Framework
| Assessment Element | Key Questions |
|---|---|
| Data characteristics | What data? How sensitive? Volume? |
| Receiving country laws | Government surveillance laws? Compelled access? |
| Legal protections | Independent judiciary? Data protection authority? |
| Practical experience | Has the importer received government access requests? |
| Supplementary measures | Can technical measures negate legal risks? |
TIA Outcome Decision Tree
```text
Does the receiving country have an adequacy decision?
  Yes --> No TIA needed
  No  --> Conduct TIA:
          Does the receiving country have laws enabling
          disproportionate government access to personal data?
            No  --> SCCs sufficient
            Yes --> Can supplementary measures effectively prevent access?
                      Yes --> Implement measures + proceed with SCCs
                      No  --> Transfer cannot proceed
```
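As an added illustration (not code from the original guide or from ECOSIRE), the following Python sketch applies the mechanism hierarchy and the TIA decision tree above to an inventory of transfers: intra-EEA flows need nothing, adequate destinations (including DPF-certified US importers and Canada's commercial sector) need no TIA, and every other destination gets a contractual mechanism (BCRs, or the SCC module derived from the exporter/importer roles) followed by the TIA questions. The `Transfer` and `Decision` schema, the partial EEA list, the TIA answer fields (which stand in for a legal review's findings) and the sample inventory are all assumptions constructed for this example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional

# Countries with a full adequacy decision, taken from the adequacy table above.
# Canada (commercial sector only) and the United States (DPF participants only)
# are conditional and handled in is_adequate().
ADEQUATE_COUNTRIES = {
    "Andorra", "Argentina", "Faroe Islands", "Guernsey", "Israel", "Isle of Man",
    "Japan", "Jersey", "New Zealand", "Republic of Korea", "Switzerland",
    "United Kingdom", "Uruguay",
}
# Constructed, partial EEA list used only to recognise intra-EEA flows.
EEA_COUNTRIES = {"Austria", "France", "Germany", "Ireland", "Netherlands", "Norway", "Spain"}

# SCC module selected from the (exporter role, importer role) pair, per the module table.
SCC_MODULES = {
    ("controller", "controller"): 1,
    ("controller", "processor"): 2,
    ("processor", "processor"): 3,
    ("processor", "controller"): 4,
}


class Outcome(Enum):
    NO_MECHANISM_NEEDED = "intra-EEA: no transfer mechanism needed"
    PROCEED = "proceed"
    PROCEED_WITH_MEASURES = "proceed only with the supplementary measures from the TIA"
    TIA_PENDING = "hold: TIA not yet completed"
    BLOCKED = "transfer cannot proceed"


@dataclass
class Transfer:
    """One row of a transfer inventory (hypothetical schema for this example)."""
    name: str
    destination: str
    exporter_role: str                      # "controller" or "processor"
    importer_role: str
    commercial_sector: bool = True          # Canada's adequacy is commercial-sector only
    importer_dpf_certified: bool = False    # US importer on the DPF list?
    intra_group_with_bcrs: bool = False     # approved BCRs cover exporter and importer
    # TIA answers, normally supplied by legal review. None means the TIA has
    # not been done yet; True/False answer the decision-tree questions.
    disproportionate_access_laws: Optional[bool] = None
    effective_supplementary_measures: bool = False


@dataclass
class Decision:
    transfer: str
    mechanism: str
    scc_module: Optional[int]
    tia_required: bool
    outcome: Outcome


def is_adequate(t: Transfer) -> bool:
    if t.destination in ADEQUATE_COUNTRIES:
        return True
    if t.destination == "Canada":
        return t.commercial_sector
    if t.destination == "United States":
        return t.importer_dpf_certified
    return False


def assess(t: Transfer) -> Decision:
    if t.destination in EEA_COUNTRIES:
        return Decision(t.name, "none (intra-EEA)", None, False, Outcome.NO_MECHANISM_NEEDED)
    if is_adequate(t):
        mechanism = "EU-US DPF" if t.destination == "United States" else "adequacy decision"
        return Decision(t.name, mechanism, None, False, Outcome.PROCEED)

    # Non-adequate destination: choose a contractual mechanism, then walk the TIA tree.
    if t.intra_group_with_bcrs:
        mechanism, module = "BCRs", None
    else:
        roles = (t.exporter_role, t.importer_role)
        if roles not in SCC_MODULES:
            raise ValueError(f"{t.name}: roles must be controller/processor, got {roles}")
        module = SCC_MODULES[roles]
        mechanism = f"SCCs (Module {module})"

    if t.disproportionate_access_laws is None:
        outcome = Outcome.TIA_PENDING
    elif not t.disproportionate_access_laws:
        outcome = Outcome.PROCEED
    elif t.effective_supplementary_measures:
        outcome = Outcome.PROCEED_WITH_MEASURES
    else:
        outcome = Outcome.BLOCKED
    return Decision(t.name, mechanism, module, True, outcome)


def assess_inventory(transfers: List[Transfer]) -> List[Decision]:
    return [assess(t) for t in transfers]


# Constructed sample inventory; the TIA answers are illustrative inputs, not legal findings.
SAMPLE_INVENTORY = [
    Transfer("crm-saas", "United States", "controller", "processor", importer_dpf_certified=True),
    Transfer("analytics-vendor", "United States", "controller", "processor",
             disproportionate_access_laws=True, effective_supplementary_measures=True),
    Transfer("support-subprocessor", "India", "processor", "processor"),
    Transfer("group-hr-system", "Japan", "controller", "controller"),
    Transfer("dev-mirror", "Germany", "controller", "processor"),
]

if __name__ == "__main__":
    for d in assess_inventory(SAMPLE_INVENTORY):
        tia = "yes" if d.tia_required else "no"
        print(f"{d.transfer:<22} {d.mechanism:<18} TIA={tia:<3} {d.outcome.value}")
```

A TIA that has not been completed yields a hold rather than a pass: the inventory row cannot silently fall through to "SCCs sufficient" just because nobody answered the government-access question yet.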
Supplementary Measures
| Measure | Effectiveness | Use Case |
|---|---|---|
| Encryption (customer-held keys) | High | Data at rest and in transit |
| Pseudonymization | High | Analytics, reporting |
| Split processing | Medium | Sensitive fields processed in EEA only |
| Contractual restrictions | Low-medium | Additional commitments from importer |
| Audit rights | Low | Verification, not prevention |
Data Localization Requirements
Countries with Data Localization Laws
| Country | Requirement | Scope | Penalty |
|---|---|---|---|
| China (PIPL + CSL) | Critical data and important data must be stored in China; security assessment for outbound transfers | Broad | Up to 5% revenue |
| Russia (Federal Law 242-FZ) | Initial processing and storage of Russian citizen data must occur in Russia | Russian citizen data | Blocking of services |
| India (DPDP Act) | Critical personal data must be processed in India (rules pending) | To be defined | Up to INR 250 crore |
| Saudi Arabia (PDPL) | Sensitive data may require local processing; transfer restrictions | Personal data | Up to SAR 5M |
| Vietnam (PDPD) | Important data to be stored domestically; TIA for cross-border transfers | Vietnamese citizen data | Administrative penalties |
| Indonesia (PDP Law) | Government sector data may require local processing | Government data | Administrative sanctions |
| Turkey (KVKK) | Transfer requires consent or specific legal basis + Board approval | Personal data | TRY 1.8M |
Impact on Cloud Architecture
Data localization affects cloud infrastructure decisions:
| Scenario | Architecture Implication |
|---|---|
| China localization | Separate cloud region in China (AWS China, Alibaba Cloud) |
| Russia localization | Local servers or local cloud provider |
| EU-only processing | Select EU cloud regions; ensure no data replication to non-EU regions |
| Multi-region with restrictions | Hub-and-spoke architecture with regional databases |
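The "ensure no data replication to non-EU regions" row above is the kind of control that silently fails when a backup job or read replica is added later. As an added example (not code from the original guide or from ECOSIRE), the Python below checks a resource inventory against per-data-class residency policies, covering primary regions and every replication target, and treats unknown regions as findings rather than passes. The region-to-jurisdiction map, the data-class names, the `Resource` schema and the sample inventory are assumptions constructed for this example; the region codes follow AWS naming but the map must be maintained for whatever providers you actually use.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Region code -> jurisdiction. Constructed for the example.
REGION_JURISDICTION: Dict[str, str] = {
    "eu-west-1": "EU", "eu-central-1": "EU", "eu-north-1": "EU",
    "us-east-1": "US", "us-west-2": "US",
    "cn-north-1": "CN", "cn-northwest-1": "CN",
    "ap-south-1": "IN",
}

# Residency policy per data class: the jurisdictions allowed to hold the data.
# Hypothetical class names; "global" assumes a transfer mechanism is in place.
RESIDENCY_POLICIES: Dict[str, Set[str]] = {
    "eu-only": {"EU"},
    "china-localized": {"CN"},
    "global": {"EU", "US", "CN", "IN"},
}


@dataclass
class Resource:
    name: str
    kind: str                       # e.g. "bucket", "database", "backup"
    region: str                     # primary region
    data_class: str                 # key into RESIDENCY_POLICIES
    replicas: Tuple[str, ...] = ()  # regions receiving replication or backups


@dataclass
class Finding:
    resource: str
    region: str
    reason: str


def check_residency(resources: List[Resource]) -> List[Finding]:
    """Flag every region (primary or replica) that a resource's data class may not use."""
    findings: List[Finding] = []
    for r in resources:
        allowed = RESIDENCY_POLICIES.get(r.data_class)
        if allowed is None:
            findings.append(Finding(r.name, r.region, f"unknown data class '{r.data_class}'"))
            continue
        for region in (r.region, *r.replicas):
            jurisdiction = REGION_JURISDICTION.get(region)
            if jurisdiction is None:
                # An unmapped region is a finding, not a pass: silence here would hide a leak.
                findings.append(Finding(r.name, region, "region not in jurisdiction map"))
            elif jurisdiction not in allowed:
                where = "primary region" if region == r.region else "replica"
                findings.append(Finding(
                    r.name, region,
                    f"{where} in {jurisdiction}; '{r.data_class}' allows {sorted(allowed)}"))
    return findings


# Constructed sample inventory; one resource replicates EU-only data to a US region.
SAMPLE_RESOURCES = [
    Resource("customer-orders", "database", "eu-central-1", "eu-only",
             replicas=("eu-west-1", "us-east-1")),
    Resource("cn-erp", "database", "cn-north-1", "china-localized", replicas=("cn-northwest-1",)),
    Resource("marketing-assets", "bucket", "us-east-1", "global"),
    Resource("eu-backups", "backup", "eu-north-1", "eu-only"),
]

if __name__ == "__main__":
    for f in check_residency(SAMPLE_RESOURCES):
        print(f"{f.resource}: {f.region}: {f.reason}")
```

Running this as a scheduled check against an inventory exported from your cloud accounts turns the architecture table into something that can be monitored rather than asserted once at design time.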
Practical Implementation for Common Scenarios
Scenario 1: EU Company Using US SaaS
Transfer mechanism: Check if vendor is DPF-certified first. If yes, DPF provides the basis. If not, implement SCCs (Module 2: Controller to Processor).
Scenario 2: Global Company with Centralized HR
Transfer mechanism: BCRs for intra-group transfers, or SCCs between each entity pair. Implement TIAs for transfers to high-risk countries.
Scenario 3: eCommerce Serving EU Customers from US Infrastructure
Transfer mechanism: SCCs between your EU entity (or EU representative) and your US infrastructure. Encrypt customer data with keys held in the EU.
Scenario 4: Odoo ERP for Multi-Country Operations
Transfer mechanism: If hosted in the EU, transfers occur when:
- employees in non-EU countries access the system (remote access is a transfer)
- data is replicated to non-EU backup locations
- support staff in non-EU countries access customer/employee data
Implement SCCs for each access point and use Odoo access groups to limit data visibility by geography.
Compliance Checklist
- Map all cross-border data transfers (what data, where, to whom, why)
- Verify adequacy status of each receiving country
- Implement appropriate transfer mechanism (SCCs, DPF, BCRs) for non-adequate countries
- Complete Transfer Impact Assessments for SCC-based transfers
- Implement supplementary measures where TIAs identify risks
- Update privacy policies to disclose international transfers
- Include transfer provisions in vendor DPAs
- Review transfer mechanisms annually or when receiving country laws change
- Maintain documentation of all transfer assessments and decisions
Frequently Asked Questions
Is the EU-US Data Privacy Framework safe to rely on?
The DPF is currently valid and provides a legal basis for transfers to certified US companies. However, it faces a legal challenge (La Quadrature du Net) similar to those that invalidated Safe Harbor and Privacy Shield. Prudent organizations use the DPF but also have SCCs as a backup transfer mechanism. If the DPF is invalidated, you can fall back to SCCs without interrupting data flows.
What happens if we transfer data without a valid mechanism?
Unauthorized transfers are a direct GDPR violation, subject to fines of up to EUR 20 million or 4% of global annual turnover. Beyond fines, supervisory authorities can order the suspension of data transfers, which can disrupt business operations. Meta was fined EUR 1.2 billion in 2023 for unauthorized EU-US transfers --- the largest GDPR fine ever.
Do SCCs cover all types of data transfers?
SCCs cover most commercial data transfer scenarios through four modules. However, SCCs are not suitable for transfers by public authorities acting in the exercise of public powers. For those cases, international agreements or specific derogations under Article 49 may apply.
How do cross-border requirements affect our Odoo deployment?
If your Odoo instance is hosted in the EU and accessed by employees or partners outside the EU, each remote access point constitutes a data transfer. Implement Odoo access groups to ensure non-EU users can only see data they need. Use VPN connections for encrypted remote access. If hosting Odoo outside the EU, implement SCCs with the hosting provider and ensure database encryption. ECOSIRE's Odoo infrastructure services include compliance-aware deployment configurations.
What Comes Next
Cross-border transfer compliance is one piece of the data governance puzzle. Combine it with data governance fundamentals, vendor contract management for DPAs with international vendors, and employee data privacy for workforce data transfers.
Contact ECOSIRE for cross-border compliance consulting and international data flow mapping.
Published by ECOSIRE -- helping businesses move data across borders with confidence and compliance.
Written by
ECOSIRE Research and Development Team