Blog guide · Updated 2026-05-14 · 7 min read · By HubSecure Editorial Team · Reviewed by workflow reviewers

Short summary

Every time you use a US-based SaaS tool with EU client data, you are making a cross-border transfer. Whether it is lawful depends on having the right mechanism in place — and knowing what that mechanism requires of you.

  • What the compliance workflow needs to prove.
  • Which controls and evidence buyers should check.
  • How HubSecure fits without replacing legal advice.

GDPR Cross-Border Data Transfers: SCCs, Adequacy Decisions and What Businesses Need to Know


Written by: HubSecure Editorial Team

Practical guides for secure client portals, RBAC, onboarding and regulated client operations.

Reviewed by: HubSecure Security & Compliance Review

Reviewed for security positioning, workflow accuracy and implementation clarity.

Last updated: May 7, 2026

Checked against the current HubSecure marketing site and product positioning.

TL;DR

A cross-border data transfer occurs whenever personal data is sent to, or accessed from, a country outside the European Economic Area (EEA). This includes sending a client file to a US colleague, using cloud storage hosted in the US, or giving a non-EEA support team access to your CRM. The restriction is not about borders per se — it is about ensuring the protection GDPR provides travels with the data.


Why the restriction exists

GDPR's transfer restrictions exist because not all countries offer data protection standards equivalent to the EU. When personal data leaves the EEA, the data subject's rights and the controller's obligations must continue to apply. The transfer mechanisms are the legal tools that make this possible.

Adequacy decisions

An adequacy decision is a determination by the European Commission that a non-EEA country provides an essentially equivalent level of data protection. Countries with adequacy decisions include the UK (post-Brexit), Japan, New Zealand, Canada (commercial organisations), Switzerland, South Korea, and Israel. Transfers to adequate countries can proceed without additional safeguards.

The EU-US Data Privacy Framework (DPF), adopted in July 2023, provides a new adequacy mechanism for transfers to US companies that have self-certified under the DPF. Before using a US provider, check whether they are DPF-certified at the US DPF website.

Important: Adequacy decisions can be invalidated by the Court of Justice of the EU. The Schrems I and Schrems II rulings invalidated the Safe Harbor and Privacy Shield frameworks. The DPF faces ongoing legal challenges. Organisations relying solely on the DPF should maintain fallback SCCs in their DPAs.

Standard Contractual Clauses (SCCs)

SCCs are model contract clauses approved by the European Commission that impose GDPR-equivalent obligations on the parties to the transfer. They are the most widely used transfer mechanism for destinations without an adequacy decision. The 2021 SCCs replaced the old 2010 clauses and cover four transfer scenarios.

SCCs must be incorporated into the underlying contract without modification to the core clauses. You must also conduct a Transfer Impact Assessment (TIA) to assess whether the legal protections in the destination country undermine the SCCs' effectiveness.

Binding Corporate Rules (BCRs)

BCRs are internal data protection policies approved by an EU supervisory authority that allow multinational groups to transfer personal data within the group to non-EEA entities. BCRs are time-consuming and expensive to obtain and are primarily used by large multinationals. For most SMEs, SCCs are more practical.

Practical steps for regulated businesses

  1. Audit your technology stack — identify every vendor that processes or could access EU personal data, and where their servers are
  2. Check DPAs — does the vendor's DPA include SCCs or reference DPF certification?
  3. Conduct TIAs — for transfers to the US and other countries with broad government access laws
  4. Document everything — your Record of Processing Activities (RoPA) must record all transfers and the safeguards in place
  5. Prefer Singapore-hosted providers — where equivalent products exist, Singapore-hosted services eliminate the transfer issue

Does remote access by non-EEA employees count as a transfer?

Yes. If a non-EEA employee can remotely access personal data held in the EEA, that is a transfer even if the data itself does not physically leave the EEA. The same transfer mechanisms apply.

What is a Transfer Impact Assessment?

A TIA assesses whether the law and practice in the recipient country prevents the SCCs from functioning effectively — for example, if the country's intelligence agencies have broad powers to access data. If the TIA identifies problems, you must implement supplementary measures (additional encryption, data minimisation, contractual protections) or stop the transfer.

Built for GDPR compliance from day one

HubSecure is currently Singapore-hosted with EU infrastructure (Frankfurt) arriving Q3 2026. Every DPA includes EU SCCs and a Transfer Impact Assessment summary. We're transparent about our structure — HubSecure Holding LLC, Wyoming — and give customers the contracts they need to remain compliant today.


Official sources and further reading

Use these public sources to verify regulatory background and terminology. HubSecure content is product guidance, not legal advice.

Reference sources: European Commission GDPR · European Banking Authority AML/CFT · ISO/IEC 27001 overview · AICPA Trust Services Criteria

Canonical hubs

Source-of-truth pages for this topic

These hub pages tell buyers and search engines how this page fits into the wider HubSecure information architecture.

Recommended next step

Continue the evaluation path

The next page should move the buyer from information to comparison, workflow review, template use or private rollout readiness.

Official references

Sources to verify the compliance context

HubSecure content is written for workflow evaluation, not legal advice. Use these official sources to verify regulatory and assurance context.