DAT-015 Data Transfer Controls
Description
Personal and sensitive data transferred outside the organisation (including to processors, sub-processors, and across international borders) is governed by documented transfer rules. Cross-border transfers to countries without an adequacy decision are only made using approved safeguards (e.g. Standard Contractual Clauses, Binding Corporate Rules). All data transfers are authorised and logged.
Rationale
Unauthorised international data transfers are a significant GDPR enforcement priority. SaaS products with multi-region architectures or sub-processors in non-adequate countries must have explicit transfer mechanisms in place.
Framework Mappings (7)
| Framework reference | Requirement | Coverage |
|---|---|---|
| DSP-10 | Sensitive Data Transfer | full |
| DSP-13 | Personal Data Sub-processing | partial |
| GDPR-Art.44 | General Principle for Transfers to Third Countries | full |
| GDPR-Art.45 | Transfers on the Basis of an Adequacy Decision | partial |
| GDPR-Art.46 | Transfers Subject to Appropriate Safeguards | partial |
| GDPR-Art.49 | Derogations for Specific Transfer Situations | informative |
| 5.14 | Information transfer | full |
Evidence (2)
Standard Contractual Clauses (SCCs) or other approved transfer mechanisms executed with all third parties receiving personal data in non-adequate countries.
Example: Executed EU SCCs (2021 EC SCCs, Module 1 or 2 as applicable) with key US or non-EEA sub-processors (e.g. AWS, Stripe, Salesforce) — signed copies filed in the contract repository, with transfer impact assessment (TIA) attached where required
Test: Request the executed SCCs or other transfer safeguards for all transfers to non-adequate countries. Verify: (1) SCCs are executed for every identified cross-border transfer to a non-adequate country, (2) the SCCs are the current 2021 EC standard clauses (pre-2021 clauses invalidated after Schrems II are not in use), (3) a TIA is documented for any transfer to a country with broad government surveillance laws, (4) no transfer relies solely on derogations (Art.49) for routine processing.
Data transfer log or authorised transfer register documenting approved cross-border and third-party data transfers with mechanism and approval status.
Example: Data Transfer Register (Confluence / OneTrust) — listing each authorised transfer with: destination country, recipient name, data categories transferred, transfer mechanism used (SCC / adequacy / BCR), date approved, and responsible owner
Test: Request the data transfer register. Verify: (1) all cross-border transfers identified in the RoPA are present, (2) each transfer has a documented mechanism, (3) no transfers are marked 'no mechanism' or 'TBC', (4) the register has been reviewed within the last 12 months.
Questions (2)
Are all cross-border transfers of personal data to countries without an EU adequacy decision governed by an approved transfer mechanism such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs)?
The 2021 EC SCCs must be used for transfers under the GDPR. Pre-2021 SCCs invalidated post-Schrems II are not acceptable. A Transfer Impact Assessment should accompany transfers to high-risk jurisdictions.
Which transfer mechanism(s) does your organisation rely upon for international transfers of personal data?
Most SaaS providers rely on 2021 SCCs for transfers to the US and other non-adequate countries. Sole reliance on Article 49 derogations for routine processing is not permitted under GDPR.