Standard contractual clauses for cross-border data transfers explained

Discover how standard contractual clauses help organisations comply with GDPR for international data transfers—and why risk assessments are now essential.

Transferring personal data from the European Union or United Kingdom to countries lacking adequacy decisions, such as the United States, India, or China, is strictly regulated. Organisations must rely on standard contractual clauses, which are predefined legal agreements approved by regulators, as the primary mechanism for ensuring such data exports meet stringent privacy and protection requirements. These contracts, though instrumental, only establish a legal baseline and do not alone guarantee compliance.

The Schrems II ruling by the Court of Justice of the European Union dramatically reshaped how these standard contractual clauses are implemented. Organisations must now go beyond simply signing these contracts. A comprehensive transfer risk assessment is mandatory for every international data transfer to gauge whether the destination country’s surveillance and legal environment could subvert the protections stipulated by the contract. Where risks are present, supplementary measures—ranging from technical solutions like encryption to organisational controls such as documented data minimisation—must be adopted. Documentation and evidence of these steps are essential in case of regulatory scrutiny.

Regulatory divergence after Brexit has added complexity, requiring businesses to use either the European Union standard contractual clauses or the UK’s International Data Transfer Agreement—or a special addendum—depending on the data’s origin. The European Union’s clauses, updated in 2021, employ a modular design to accommodate various transfer scenarios: controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller. In contrast, the UK system allows for either its standalone agreement or adaptation of the European Union’s clauses via addendum. Specific scenarios, such as UK businesses using US cloud providers or EU companies outsourcing services to India, illustrate both the ubiquity of these transfers and the diligence required in compliance, especially as new rules continue to emerge in global jurisdictions including China.

Compliance now goes beyond contracts: organisations must regularly review transfer impact assessments, update legal documents, and implement new controls to address the evolving international regulatory landscape. Existing contracts based on outdated clauses signed before late 2021 are no longer valid and expose businesses to immediate compliance risks. As the regulatory framework matures, maintaining thorough, up-to-date records and adapting to new rules is crucial for safeguarding personal data. Expert consultants like GDPRLocal offer support in mapping global data workflows, conducting risk assessments, managing documentation, and designing supplementary safeguards for complex, multi-jurisdictional operations.
