Cross-border transfers via SCCs / adequacy
Demonstrate that all cross-border personal data transfers are protected by valid legal mechanisms (adequacy decisions or properly executed SCCs) and that supplementary measures are implemented where transfer risks exist.
Description
What this control does
This control ensures that personal data transferred outside the European Economic Area (EEA), or outside other jurisdictions with comparable transfer restrictions, is protected through a legally recognized mechanism under GDPR Chapter V. Organizations must either rely on a European Commission adequacy decision (which recognizes that the destination country provides essentially equivalent protection) or put in place Standard Contractual Clauses (SCCs): Commission-approved contract terms, currently the set adopted by Implementing Decision (EU) 2021/914, executed between the data exporter and the data importer. Where no adequacy decision exists, the SCCs impose specific obligations on the importer, grant enforceable third-party rights to data subjects, and (following the CJEU's Schrems II judgment) require the exporter to assess whether the destination country's laws undermine those clauses and to add supplementary measures where they do.
Control objective
What auditing this proves
Demonstrate that all cross-border personal data transfers are protected by valid legal mechanisms (adequacy decisions or properly executed SCCs) and that supplementary measures are implemented where transfer risks exist.
Associated risks
Risks this control addresses
- Unauthorized access to personal data by public authorities in the destination country where local surveillance or access laws lack proportionality, independent oversight, or effective redress for data subjects
- Legal liability and regulatory fines (up to EUR 20 million or 4% of total worldwide annual turnover, whichever is higher, under GDPR Article 83(5) for breaches of the Chapter V transfer rules in Articles 44 to 49) for unlawful cross-border data transfers
- Data subjects unable to enforce rights or obtain remedies when their data is transferred to jurisdictions without enforceable protections
- Transfer of data to processors or sub-processors in non-adequate countries without contractual safeguards, creating accountability gaps
- Invalidation of a transfer mechanism (as occurred with the EU-US Privacy Shield in Schrems II, CJEU Case C-311/18, July 2020) going undetected or unremediated, so that transfers continue without a valid legal basis
- Inadequate supplementary measures (encryption, access controls) failing to mitigate risks identified in transfer impact assessments
- Reputational damage and loss of customer trust when cross-border data mishandling becomes public
Testing procedure
How an auditor verifies this control
- Obtain and review the data transfer inventory documenting all cross-border personal data flows, including source, destination country, data categories, recipients, and legal transfer mechanism claimed
- Verify that each destination country is either covered by a current European Commission adequacy decision or has SCCs or other appropriate safeguards in place
- Select a sample of 10-15 cross-border transfers and retrieve the executed SCC documents, verifying signatures, effective dates, correct module selection (Module 1 C2C, Module 2 C2P, Module 3 P2P, Module 4 P2C), and completion of the mandatory annexes (Annex I: parties, description of the transfer and competent supervisory authority; Annex II: technical and organisational measures; Annex III: list of sub-processors, required for Modules 2 and 3)
- Review transfer impact assessments (TIAs) for transfers to countries without adequacy, confirming documentation of local laws, government access risks, and supplementary measures implemented
- Examine evidence of supplementary technical and organizational measures applied to high-risk transfers, such as encryption in transit and at rest, access logging, data minimization, and contractual audit rights; for encryption, confirm who controls the keys, since under the EDPB's Recommendations 01/2020 encryption only mitigates foreign government access if the importer (and any party subject to the destination country's laws) cannot obtain the keys or the plaintext
- Validate that data processing agreements with third-party vendors explicitly address sub-processor locations and require prior notification or consent for new cross-border transfers
- Interview privacy or legal personnel to confirm monitoring processes for adequacy decision changes, SCC updates (e.g., the replacement of the 2001/2010 SCCs by the 2021 SCCs, for which existing contracts had to be migrated by 27 December 2022), and legal or geopolitical developments affecting transfer legality
- Test a sample data subject access request (DSAR) response to confirm that it discloses the cross-border transfer, the recipient countries, and the safeguards relied on, as required by GDPR Article 15(2), and check that the same transfer information appears in the privacy notices required by Articles 13(1)(f) and 14(1)(f)
Where this control is tested