Cross-Border Data Transfers
Learn why a backup server in Virginia or a support team in Mumbai can trigger complex compliance requirements, how Standard Contractual Clauses (SCCs) protect data in transit to non-adequate countries, and what an adequacy decision actually means for your data flows. Master the Data Flow Diagram tool to visualize, trace, and document every cross-border transfer in your organization.
What You'll Learn
- Recognize common cybersecurity threats
- Respond appropriately to security incidents
- Protect sensitive information
- Follow security best practices
- Report suspicious activities
Training Steps
- Introduction
  Welcome to InnovateTech Solutions, a growing SaaS company with customers across Europe. You are Alice, the Data Protection Officer responsible for ensuring GDPR compliance across all data processing activities.
- The Audit Request
  The DPA audit request is specific - they want to see documentation for all transfers of personal data outside the European Economic Area (EEA). This includes identifying:
  - Which data flows cross EEA borders
  - What transfer mechanisms are in place (SCCs, adequacy decisions, etc.)
  - Whether appropriate safeguards exist for each transfer
  You will need to use the Data Flow Diagram tool to trace and document all cross-border transfers.
- Opening the Data Flow Diagram
  To properly document your cross-border transfers, you need to access the Data Flow Diagram tool through the compliance portal. This application provides a visual representation of how personal data moves through your organization's systems - from collection points to storage, processing, and any third-party transfers. The diagram will help you identify which data flows stay within the EEA and which cross international borders.
- Understanding the Diagram
  The Data Flow Diagram displays all entities that process InnovateTech's customer data. Each node represents a different entity - data subjects (customers), controllers (InnovateTech), processors (third-party vendors), and storage systems. Nodes are color-coded by location - green nodes are within the EEA, while orange nodes are outside the EEA and represent potential cross-border transfer points. The lines between nodes show how data flows through your systems.
- Identifying EU Data Collection
  First, you need to understand where customer data originates. InnovateTech collects personal data from EU customers through its website and mobile app. This data includes names, email addresses, payment information, and usage analytics. Select the EU Customer node to view details about what personal data is collected and how it enters your systems.
- Tracing Data to Internal Systems
  Now trace how customer data flows from collection to your internal processing systems. The EU Customer data first arrives at InnovateTech's EU Server, which serves as the primary controller system located in Dublin, Ireland. This initial flow stays entirely within the EEA - no special transfer mechanisms are required for data moving between EU member states.
- Discovering US Cloud Storage
  Continuing your analysis, you discover that customer data is replicated to AWS US-East for disaster recovery purposes. This is a cross-border transfer - data is leaving the EEA and going to the United States. The US does not have an adequacy decision from the European Commission, which means additional safeguards are required for this transfer.
- Identifying the US Transfer
  This transfer to AWS US-East requires careful documentation. The flow carries customer PII including names, emails, and account data to servers in Virginia, USA. Since the US lacks an adequacy decision, InnovateTech must rely on Standard Contractual Clauses (SCCs) to provide appropriate safeguards for this transfer. You need to formally identify this as a cross-border transfer requiring compliance documentation.
- Discovering India Support Team
  Your analysis reveals another cross-border transfer - customer data is accessible to InnovateTech's support team in Bangalore, India. Support agents access customer records to resolve tickets and provide technical assistance. India also lacks an adequacy decision, meaning this transfer requires the same SCCs framework as the US transfer.
- Identifying the India Transfer
  The support team in India acts as a processor - they access customer data on behalf of InnovateTech to provide support services. This requires a Data Processing Agreement (DPA) with SCCs incorporated. This transfer involves different data categories than the US storage - primarily customer contact information and support ticket details. You need to document this as a separate cross-border transfer.
Knowledge Check Questions
This training includes a 6-question quiz to test your understanding of Security Awareness threats and defenses.
- What constitutes a 'cross-border data transfer' under GDPR?
- When are Standard Contractual Clauses (SCCs) required for a data transfer?
- What is an 'adequacy decision' under GDPR?
- In the InnovateTech scenario, which transfers required SCCs? (Select all that apply)
- What documentation is typically required for cross-border data transfers to non-adequate countries?