SITTIG LAW Law Firm Blog

Data transfer GDPR-compliant

GDPR-compliant data transfers require a clear legal basis, transparent information obligations and tested protective measures, especially for third country transfers. According to Schrems II, companies must assess transfer risks, use DPAs and SCCs correctly and use technical measures such as encryption. Careful documentation and regular audits ensure compliance and strengthen the trust of customers and partners.
Contents

The most important facts at a glance

Why GDPR-compliant data transfer is business-critical

The transfer of personal data is part of the daily business of almost every company. Whether customer data to external service providers, employee data to payroll offices, or user data to cloud providers – data transfers are constantly taking place.

Data transfers to countries outside the European Union and the European Economic Area are particularly sensitive. Following the Schrems II ruling by the ECJ, the legal requirements for such third-country transfers have been significantly tightened.

GDPR-compliant data transfer is not purely a theoretical compliance issue, but has practical implications for business relationships, contract design, and IT infrastructure. Those who make mistakes here risk not only fines, but also reputational damage and loss of trust from customers and business partners.

Legal Basis: The GDPR Foundation for Data Transfers

Core Principles of the GDPR for Data Transfers

The General Data Protection Regulation is based on the principle that personal data may only be processed if there is a legal basis. This applies equally to the collection, storage, and transmission of such data.

For special categories of personal data – such as health data, information on sexual orientation, or biometric data – the stricter requirements of Article 9 GDPR apply. Processing is generally prohibited unless there is explicit consent or a legally regulated exception.

Adequacy decisions

The simplest form of a lawful third-country transfer is a transfer to countries for which the European Commission has adopted an adequacy decision pursuant to Art. 45 GDPR. Such a decision attests that the level of data protection in the country concerned is essentially equivalent to that of the EU.

An adequacy decision means that companies may transfer data to these countries without additional safeguards. Nevertheless, the general requirements of the GDPR must be met, in particular a legal basis pursuant to Art. 6 GDPR and compliance with the information obligations towards data subjects.

Standard Contractual Clauses as a Practical Alternative

For data transfers to countries without an adequacy decision, Standard Contractual Clauses are the most commonly used instrument. These contractual agreements oblige the data recipient to ensure an appropriate level of data protection.

Additional Instruments: BCR, Certifications and Exceptions

For multinational corporations, Binding Corporate Rules (BCRs) offer a way to establish a permanent legal basis for intra-group data transfers. These binding internal data protection regulations must be approved by the responsible data protection supervisory authority and require a high level of data protection organization.

Data transfer within the EU and EEA

Even though data transfers within the European Union and the European Economic Area involve significantly fewer legal hurdles than third-country transfers, fundamental requirements must be observed.

Legal basis required

Any transfer of personal data to another controller or processor within the EU requires a legal basis according to Art. 6 GDPR.

When data is passed on to external service providers who process data on behalf of the controller, this constitutes contract processing in accordance with Art. 28 GDPR. This absolutely requires a written contract processing agreement (AVV) that details the service provider's obligations and ensures that they only process the data according to the controller's instructions.

Observe information duties

Regardless of whether data is transferred within or outside the EU, the information obligations under Art. 13 and 14 GDPR must be fulfilled. Data subjects must be informed about to whom their data is shared and for what purposes. This transparency obligation is a core principle of GDPR and must be clearly communicated in the privacy policy.

Third-country transfer: The big challenge

The transfer of personal data to countries outside the EEA presents companies with particular legal challenges. The GDPR assumes that an equivalent level of data protection does not necessarily exist outside the EU.

The Schrems II ruling and its consequences

The ruling confirmed the general legality of standard contractual clauses, but made it clear that these alone are not sufficient. Companies must now examine each transfer to a third country to determine whether the legal situation in the destination country actually allows compliance with the contractual guarantees.

Cloud Services and International Corporate Structures

GDPR-compliant data transfer becomes particularly complex when using cloud services from international providers. Although many US cloud providers operate servers in Europe, they are subject to the Cloud Act, which grants US authorities access to data under certain circumstances – regardless of the server's location.

When choosing cloud services, companies should ensure that the provider offers clear contractual guarantees regarding data location and has demonstrably implemented technical measures that exclude or at least significantly hinder access by third countries.

Practical recommendations for businesses

Map and document data flows

The first step towards GDPR-compliant data transfer is the complete recording of all data transmissions within the company. Create a register listing all recipients of personal data, both within and outside the EU. Document which data categories are being transferred, for what purposes, and on what legal basis the transfer is based.

Maintain AVV and SCC standardized

Develop standardized templates for Data Processing Agreements and Standard Contractual Clause Agreements that you can enter into with service providers. These templates should be reviewed by a specialized lawyer for IT law and contain all necessary provisions.

Train employees and establish processes

Data protection compliance is not a one-time task, but an ongoing process. Regularly train your employees on the GDPR requirements, especially on the specifics of data transfers. Establish clear processes for when and how new service providers must be reviewed for data protection compliance before they are engaged.

Assign clear responsibilities: Who is responsible for testing new tools? Who is responsible for closing contracts? Who is responsible for maintaining documentation? Clear role allocation prevents data protection requirements from being overlooked.

We support companies in implementing data protection compliant processes and also offer the function of an external data protection officer to ensure your long-term legal compliance.

Checklist: GDPR-Compliant Data Transfer

Check before each data transmission:

  • Is there a legal basis for the data transmission?
  • Were the affected individuals informed about the data transfer?
  • Is this an intra-EU transfer or a third-country transfer?

For intra-EU transfers:

  • Is a contract for order processing (AVV) concluded according to Art. 28 GDPR?
  • Were the technical and organizational measures of the recipient checked?
  • Is the transfer and the recipient documented in the processing directory?

For transfers to third countries, in addition:

  • Is an adequacy decision in place for the destination country?
  • If not: Were standard contractual clauses or other appropriate safeguards agreed upon?
  • Were additional technical security measures implemented (encryption, pseudonymization)?
  • Is the legal situation in the destination country documented and assessed?
  • Were the affected individuals informed about the third-country transfer and its associated risks?
  • Is the data transfer documented in the processing directory?

Ongoing obligations:

  • Are all data transmissions centrally documented?
  • Are AVVs and SCCs regularly checked for currentness?
  • Are Transfer Impact Assessments updated when changes are made?
  • Are employees regularly trained on data protection requirements?
  • Is there a fixed process for the data protection assessment of new service providers?

Data protection as a competitive advantage

At first glance, GDPR-compliant data transfer might seem like a legal hurdle that companies have to overcome. In reality, however, careful data protection compliance also offers opportunities. Companies that demonstrably handle personal data responsibly build trust with customers, business partners, and employees.

The legal requirements for data transfers are complex and constantly evolving. Third-country transfers, in particular, require careful legal review and continuous monitoring of the legal situation. Investing in a robust data protection organization pays off in the long run – not only by avoiding fines but also by strengthening the company's reputation.

Anyone unsure if their current data transmissions comply with GDPR requirements should consider a professional data protection review.

Frequently asked questions

A data processing agreement (DPA) pursuant to Article 28 GDPR governs the relationship between a controller and a processor, i.e., a service provider who processes data on behalf of the controller. Standard Contractual Clauses (SCCs), on the other hand, are a specific instrument for data transfers to third countries without an adequacy decision. In the case of a third-country transfer to a processor, both instruments are combined: the DPA regulates the order processing, and the SCCs create the legal basis for the third-country transfer.

Not necessarily. You can create a TIA for a specific service provider or a specific third country and use it for all similar transfers, as long as the framework conditions are identical. However, if you use different service providers in the same third country or transfer different categories of data, you should create separate TIAs, as the risk assessment may differ.

No. U.S. companies must actively certify themselves for the EU-U.S. Data Privacy Framework. The mere fact that a company is based in the U.S. does not automatically mean that data transfers are permissible without further review.

Illicit transfers to third countries may be subject to fines, depending on which amount is higher. In addition, data protection authorities may prohibit processing or issue remedial orders.

No, simply signing Standard Contractual Clauses is not enough. You must conduct your own Transfer Impact Assessment and verify whether the guarantees can actually be adhered to in practice. The responsibility for lawful data transfer lies with the data exporter, i.e., with you as the company.

End-to-end encryption, where only you possess the key, is the most effective measure. Crucially, the recipient in the third country must practically have no access to plaintext data.

Yes, the information obligations under Art. 13 and 14 GDPR require you to inform data subjects about all recipients and the intended purpose of the transfer.

The controller decides on the purposes and means of data processing. The processor processes data only on the instructions of the controller.

There is no fixed deadline, but regular review is advisable. You must update your documentation at the latest in the event of significant changes – new service providers, new processing purposes, changes in the legal situation in the third country, new technologies.

Hamburg location
Head office
Martinistrasse 11
20251 Hamburg
Phone: +49 (0) 40 808 125 550
Fax: +49 (0) 40 808 125 559
Kassel location
Branch office
Motzstrasse 1
34117 Kassel
Phone: +49 (0) 561 510 053 80
Fax: +49 (0) 561 510 053 99
Frankfurt location
Branch office
Oeder Weg 11
60318 Frankfurt am Main
Phone: +49 (0) 69 710 471 070
Fax: +49 (0) 69 710 471 079
SITTIG LAW
Lawyer.
Specialist lawyer for criminal law.
Specialist lawyer for IT law.

[email protected]
Hamburg location
Head office
Martinistr. 11
20251 Hamburg
Tel: +49 (0) 40 808 125 550
Fax: +49 (0) 40 808 125 559

Contact form