85% of global businesses transfer personal data across borders, yet only 34% have documented transfer mechanisms in place. After Schrems II invalidated the EU-US Privacy Shield in 2020, cross-border data transfers became one of the most complex areas of data protection law. The EU-US Data Privacy Framework partially restored legal certainty for US transfers, but the broader landscape of global data transfer restrictions continues to expand.
This guide maps the current state of cross-border data transfer regulations and provides practical implementation guidance for businesses operating internationally.
Key Takeaways
- The EU recognizes only 15 countries as providing "adequate" data protection --- all other transfers need additional mechanisms
- Standard Contractual Clauses (SCCs) are the most common transfer mechanism but now require supplementary Transfer Impact Assessments
- Data localization requirements are growing: China, Russia, India, and Saudi Arabia restrict certain data from leaving the country
- The EU-US Data Privacy Framework provides a transfer mechanism for US companies that self-certify
Transfer Mechanism Hierarchy
Under GDPR, personal data can only leave the EEA using one of these mechanisms (in order of simplicity):
1. Adequacy Decisions
The European Commission has determined these countries provide adequate protection:
| Country/Territory | Adequacy Decision Date | Status |
|---|---|---|
| Andorra | 2010 | Active |
| Argentina | 2003 | Active |
| Canada (PIPEDA) | 2001 | Active (commercial sector only) |
| Faroe Islands | 2010 | Active |
| Guernsey | 2003 | Active |
| Israel | 2011 | Active |
| Isle of Man | 2004 | Active |
| Japan | 2019 | Active |
| Jersey | 2008 | Active |
| New Zealand | 2012 | Active |
| Republic of Korea | 2022 | Active |
| Switzerland | 2000 | Active |
| United Kingdom | 2021 | Active (until June 2025, expected renewal) |
| Uruguay | 2012 | Active |
| United States | 2023 (DPF) | Active (DPF participants only) |
If your data goes to an adequate country: No additional transfer mechanism is needed. Process it like an intra-EEA transfer.
If not on the list: You need one of the mechanisms below.
2. Standard Contractual Clauses (SCCs)
The most commonly used transfer mechanism. SCCs are pre-approved contract templates that bind the data importer to GDPR-equivalent protections.
Four modules (use the relevant one):
| Module | Parties | Scenario |
|---|---|---|
| Module 1 | Controller to Controller | Sharing customer data with a foreign partner |
| Module 2 | Controller to Processor | Using a foreign cloud provider or SaaS vendor |
| Module 3 | Processor to Processor | Your processor uses a foreign sub-processor |
| Module 4 | Processor to Controller | Foreign controller instructs EU-based processor |
Implementation steps:
- Identify all data transfers outside the EEA
- Select the appropriate SCC module for each transfer
- Complete the annexes (data categories, security measures, sub-processors)
- Conduct a Transfer Impact Assessment (TIA) for each receiving country
- Sign the SCCs with the data importer
- Implement any supplementary measures identified in the TIA
3. Binding Corporate Rules (BCRs)
For multinational companies transferring data between group entities. BCRs are approved by a lead supervisory authority and provide a framework for intra-group transfers globally.
Pros: Once approved, covers all group entities and all transfer scenarios
Cons: 12-24 month approval process, significant cost ($100K+), only for group entities
4. EU-US Data Privacy Framework (DPF)
US companies can self-certify under the DPF, providing an adequacy-like transfer mechanism:
- Company registers with the US Department of Commerce
- Company publishes a DPF-compliant privacy policy
- Company commits to DPF principles (notice, choice, onward transfer, security, data integrity, access, recourse)
- Annual re-certification required
Limitation: Only covers transfers to DPF-certified companies. Check the DPF list before relying on this mechanism.
Transfer Impact Assessments (TIAs)
When Required
After Schrems II, TIAs are required for all SCC-based transfers to non-adequate countries. The TIA evaluates whether the receiving country's laws undermine the protections in the SCCs.
TIA Framework
| Assessment Element | Key Questions |
|---|---|
| Data characteristics | What data? How sensitive? Volume? |
| Receiving country laws | Government surveillance laws? Compelled access? |
| Legal protections | Independent judiciary? Data protection authority? |
| Practical experience | Has the importer received government access requests? |
| Supplementary measures | Can technical measures negate legal risks? |
TIA Outcome Decision Tree
Does the receiving country have an adequacy decision?
  Yes --> No TIA needed
  No  --> Conduct TIA:
    Does the receiving country have laws enabling disproportionate government access to personal data?
      No  --> SCCs sufficient
      Yes --> Can supplementary measures effectively prevent access?
        Yes --> Implement measures + proceed with SCCs
        No  --> Transfer cannot proceed
Supplementary Measures
| Measure | Effectiveness | Use Case |
|---|---|---|
| Encryption (customer-held keys) | High | Data at rest and in transit |
| Pseudonymization | High | Analytics, reporting |
| Split processing | Medium | Sensitive fields processed in EEA only |
| Contractual restrictions | Low-medium | Additional commitments from importer |
| Audit rights | Low | Verification, not prevention |
Data Localization Requirements
Countries with Data Localization Laws
| Country | Requirement | Scope | Penalty |
|---|---|---|---|
| China (PIPL + CSL) | Critical data and important data must be stored in China; security assessment for outbound transfers | Broad | Up to 5% revenue |
| Russia (Federal Law 242-FZ) | Initial processing and storage of Russian citizen data must occur in Russia | Russian citizen data | Blocking of services |
| India (DPDP Act) | Critical personal data must be processed in India (rules pending) | To be defined | Up to INR 250 crore |
| Saudi Arabia (PDPL) | Sensitive data may require local processing; transfer restrictions | Personal data | Up to SAR 5M |
| Vietnam (PDPD) | Important data to be stored domestically; TIA for cross-border transfers | Vietnamese citizen data | Administrative penalties |
| Indonesia (PDP Law) | Government sector data may require local processing | Government data | Administrative sanctions |
| Turkey (KVKK) | Transfer requires consent or specific legal basis + Board approval | Personal data | TRY 1.8M |
Impact on Cloud Architecture
Data localization affects cloud infrastructure decisions:
| Scenario | Architecture Implication |
|---|---|
| China localization | Separate cloud region in China (AWS China, Alibaba Cloud) |
| Russia localization | Local servers or local cloud provider |
| EU-only processing | Select EU cloud regions; ensure no data replication to non-EU regions |
| Multi-region with restrictions | Hub-and-spoke architecture with regional databases |
Practical Implementation for Common Scenarios
Scenario 1: EU Company Using US SaaS
Transfer mechanism: Check if vendor is DPF-certified first. If yes, DPF provides the basis. If not, implement SCCs (Module 2: Controller to Processor).
Scenario 2: Global Company with Centralized HR
Transfer mechanism: BCRs for intra-group transfers, or SCCs between each entity pair. Implement TIAs for transfers to high-risk countries.
Scenario 3: eCommerce Serving EU Customers from US Infrastructure
Transfer mechanism: SCCs between your EU entity (or EU representative) and your US infrastructure. Encrypt customer data with keys held in the EU.
Scenario 4: Odoo ERP for Multi-Country Operations
Transfer mechanism: If hosted in the EU, transfers occur when: (1) employees in non-EU countries access the system (remote access is a transfer), (2) data is replicated to non-EU backup locations, (3) support staff in non-EU countries access customer/employee data. Implement SCCs for each access point and use Odoo access groups to limit data visibility by geography.
Compliance Checklist
- Map all cross-border data transfers (what data, where, to whom, why)
- Verify adequacy status of each receiving country
- Implement appropriate transfer mechanism (SCCs, DPF, BCRs) for non-adequate countries
- Complete Transfer Impact Assessments for SCC-based transfers
- Implement supplementary measures where TIAs identify risks
- Update privacy policies to disclose international transfers
- Include transfer provisions in vendor DPAs
- Review transfer mechanisms annually or when receiving country laws change
- Maintain documentation of all transfer assessments and decisions
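As an added example (not part of the ECOSIRE guide), the first four checklist steps applied to a constructed inventory: every replication target and remote access point of an EU-hosted data store is treated as a transfer, and the adequacy table and TIA decision tree above decide which mechanism it needs. The EEA country set, the inventory and the TIA outcomes are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional
# ISO 3166-1 alpha-2 codes. EEA is a partial set constructed for the example;
# ADEQUATE follows the adequacy table (US handled separately: DPF participants only).
EEA = {"AT", "BE", "DE", "DK", "ES", "FI", "FR", "IE", "IT", "NL",
       "PL", "PT", "SE", "NO", "IS", "LI"}
ADEQUATE = {"AD", "AR", "CA", "FO", "GG", "IL", "IM", "JP", "JE",
            "NZ", "KR", "CH", "GB", "UY"}

@dataclass
class Flow:
    source: str                  # country where the data is stored
    dest: str                    # country it is replicated to or accessed from
    kind: str                    # e.g. "replication:erp-db", "remote_access:erp-db"
    dpf_certified: bool = False  # importer appears on the DPF list (US only)
    tia: Optional[str] = None    # "no_access" | "mitigable" | "not_mitigable" | None

def required_mechanism(f: Flow) -> str:
    # Transfer-mechanism hierarchy first, then the TIA decision tree.
    if f.source not in EEA or f.dest in EEA:
        return "none: intra-EEA or non-EEA origin"
    if f.dest in ADEQUATE:
        return "none: adequacy decision"
    if f.dest == "US" and f.dpf_certified:
        return "DPF (keep SCCs as fallback)"
    if f.tia is None:
        return "SCCs + TIA required (TIA missing)"
    return {"no_access": "SCCs sufficient",
            "mitigable": "SCCs + supplementary measures",
            "not_mitigable": "BLOCK: transfer cannot proceed"}[f.tia]

def flows_from_inventory(stores: dict, access: dict) -> list:
    # Each replica and each remote access point is a separate transfer.
    flows = []
    for name, s in stores.items():
        for r in s["replicas"]:
            flows.append(Flow(s["country"], r, f"replication:{name}"))
        for ap in access.get(name, []):
            flows.append(Flow(s["country"], ap["country"], f"remote_access:{name}",
                              ap.get("dpf", False), ap.get("tia")))
    return flows

def audit(stores: dict, access: dict) -> list:
    return [(f.kind, f.dest, required_mechanism(f)) for f in flows_from_inventory(stores, access)]

# Constructed inventory: an ERP database in Germany replicated to Ireland and a US
# backup site, accessed by support staff in India and by a DPF-certified US vendor.
STORES = {"erp-db": {"country": "DE", "replicas": ["IE", "US"]}}
ACCESS = {"erp-db": [{"country": "IN", "tia": "mitigable"},
                     {"country": "US", "dpf": True}]}
```

Running `audit(STORES, ACCESS)` flags the US backup replica as missing its TIA, the Indian support access as needing SCCs plus supplementary measures, and the Irish replica as an intra-EEA flow needing nothing.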
Frequently Asked Questions
Is the EU-US Data Privacy Framework safe to rely on?
The DPF is currently valid and provides a legal basis for transfers to certified US companies. However, it faces a legal challenge (La Quadrature du Net) similar to those that invalidated Safe Harbor and Privacy Shield. Prudent organizations use the DPF but also have SCCs as a backup transfer mechanism. If the DPF is invalidated, you can fall back to SCCs without interrupting data flows.
What happens if we transfer data without a valid mechanism?
Unauthorized transfers are a direct GDPR violation, subject to fines of up to EUR 20 million or 4% of global annual turnover. Beyond fines, supervisory authorities can order the suspension of data transfers, which can disrupt business operations. Meta was fined EUR 1.2 billion in 2023 for unauthorized EU-US transfers --- the largest GDPR fine ever.
Do SCCs cover all types of data transfers?
SCCs cover most commercial data transfer scenarios through four modules. However, SCCs are not suitable for transfers by public authorities acting in the exercise of public powers. For those cases, international agreements or specific derogations under Article 49 may apply.
How do cross-border requirements affect our Odoo deployment?
If your Odoo instance is hosted in the EU and accessed by employees or partners outside the EU, each remote access point constitutes a data transfer. Implement Odoo access groups to ensure non-EU users can only see data they need. Use VPN connections for encrypted remote access. If hosting Odoo outside the EU, implement SCCs with the hosting provider and ensure database encryption. ECOSIRE's Odoo infrastructure services include compliance-aware deployment configurations.
What Comes Next
Cross-border transfer compliance is one piece of the data governance puzzle. Combine it with data governance fundamentals, vendor contract management for DPAs with international vendors, and employee data privacy for workforce data transfers.
Contact ECOSIRE for cross-border compliance consulting and international data flow mapping.
Published by ECOSIRE -- helping businesses move data across borders with confidence and compliance.
Written by
ECOSIRE Team, Technical Writing
The ECOSIRE technical writing team covers Odoo ERP, Shopify eCommerce, AI agents, Power BI analytics, GoHighLevel automation, and enterprise software best practices. Our guides help businesses make informed technology decisions.