Cross-Border Transfer

Movement of personal data from a jurisdiction with strict protection (e.g. EEA) to one without — permitted only via specific legal mechanisms.

Also: International transfer · Third-country transfer

A cross-border transfer under GDPR Chapter V is any movement of personal data from the EEA to a third country (a country outside the EEA) or to an international organisation. The transfer is lawful only if one of three conditions is met:

  1. Adequacy decision under Article 45 — the destination country provides essentially equivalent protection.
  2. Appropriate safeguards under Article 46 — standard contractual clauses (SCCs), binding corporate rules (BCRs), approved codes of conduct, certification.
  3. Specific derogations under Article 49 — explicit consent, necessity for a contract, important reasons of public interest, establishment of legal claims, vital interests. Most of these are narrow and not suitable for systematic processing.

What "transfer" actually means

The European Data Protection Board's Guidelines 05/2021 clarify the definition. A transfer occurs when:

  • An exporter (controller or processor in the EEA) makes the data available
  • To an importer (controller or processor outside the EEA)
  • Where both are different controllers / processors / joint controllers, or the same legal entity but different establishments.

Putting data on a server in a third country is a transfer. Granting access to an EEA-hosted database from a third country is also a transfer (the remote access case made explicit in the EDPB's guidelines).

This is the source of most of the surprise: a company that hosts data in Frankfurt but has a US-based engineering team with production access has been making cross-border transfers all along, and needs the appropriate safeguards in place.

Transfers and vendor monitoring

Every vendor relationship creates at least one transfer scenario:

  • Storage transfer. Where does the vendor host the data?
  • Operational transfer. Where are the vendor's support, engineering, and operations teams located?
  • Subprocessor transfers. Where are the vendor's subprocessors located?

A change to any of these is a change to the transfer landscape and may require updating SCCs, refreshing the transfer impact assessment (TIA), or notifying data subjects. Watching the subprocessor list is the most efficient way to catch most of these changes; watching the privacy policy and the data processing agreement (DPA) catches the rest.
