Data Transfer: GDPR Enforcement and Compliance Priority

28 January 2022

The GDPR fines and data breach survey: January 2022 by multinational law firm DLA Piper predicted that “data transfer will continue to be an enforcement priority for regulators and a compliance priority for regulated organizations” [1]. Considering the announcement of Schrems II in 2020, the intensified attention on data transfer is not surprising. However, the stricter regulations require businesses to pay extra attention to data transfer, and take measures to stay GDPR compliant. 

Data Transfer Under The GDPR

Under the GDPR, data transfer refers to the “transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organization”. Transfer of personal data can only take place if it is “subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organization to another third country or to another international organization” [2].

In July 2020, the EU-US Data Protection Shield was ruled invalid by the Court of Justice of the European Union (CJEU). This case is also known as Schrems II (after Maximilian Schrems, an Austrian activist and lawyer who started data protection complaints against Facebook in 2003) [3]. Before Schrems II, companies in the EU and US could transfer data freely. After Schrems II came into force, organizations were expected to complete transfer impact assessments and might need additional organizational and technical measures [4].

Though no fine has been issued for breaching the regulations on data transfer, it has become “an enforcement priority for regulators and a compliance priority for regulated organizations” [5]. Besides, one month after the CJEU ruled on the Schrems II case, Maximilian Schrems’ organization, “My Privacy is None of Your Business” (NOYB), filed 101 complaints targeting the EU data exporters who continued transferring personal data to Facebook and Google in the US after Schrems II took effect. Therefore, businesses are responsible for paying extra attention to the data transfer procedure and staying GDPR compliant.

How to Be GDPR-Compliant in Data Transfer 

If one of the parties to a data transfer is located in a region outside the EU, the transfer can be carried out if it satisfies one of the following conditions.

  • Adequacy decision by the EU Commission

The EU Commission can issue an adequacy decision announcing that data transfers from the EU (and Norway, Liechtenstein, Iceland) to a third country can be carried out without any barriers, and that data protection requirements are no longer necessary.

The following options apply to countries that do not meet the EU data protection standards [6].

  • Transfers subject to appropriate safeguards
    • Standard Contractual Clauses

Data transfer can happen under four sets of standard contractual clauses:

      • Controller to which the GDPR applies (data exporter) – other controller in the third country (data importer)
      • Controller to which the GDPR applies (data exporter) – processor in the third country (data importer)
      • Processor in the EU (data exporter) – sub-processor in the third country (data importer)
      • Processor in the EU (data exporter) – principal (controller) in the third country (data importer) [7]

    • Binding Corporate Rules (BCRs)

The BCRs apply to “members of a group of undertakings or group of enterprises engaged in a joint economic activity and their employees, including those located outside of EU territory”. After being approved by the Data Protection Authorities, data transfer inside the group can be carried out without extra barriers.

  • Two other alternatives: 

Data transfer can also occur if the transfer meets the requirements of either an approved code of conduct pursuant to Article 40, or an approved certification mechanism pursuant to Article 42.

The articles in the GDPR related to data transfer aim to protect personal data from misconduct. In order to stay GDPR compliant, businesses need to take necessary measures to meet the requirements. brighter AI’s anonymization solution is the world’s most advanced automated redaction software for images and videos. Our solution redacts the personally identifiable information (PII) in the chosen medium, ensuring GDPR-compliant cross-border data transfer outside the EU. If you’d like to learn more about our anonymization solution, check out our collaboration with CSI, or contact us.


[1] DLA Piper GDPR fines and data breach survey: January 2022; DLA Piper

[2] Art. 44, GDPR

[3] Europe’s top court strikes down flagship EU-US data transfer mechanism; Lomas, N; 2020

[4] DLA Piper GDPR fines and data breach survey: January 2022; DLA Piper

[5] DLA Piper GDPR fines and data breach survey: January 2022; DLA Piper

[6] Guide to the cross-border transfer of personal data in the GDPR; Deloitte

[7] After Schrems II: New EU Standard Contractual Clauses (SCC) come into force; Deloitte

Caspar Miller
Head of Regulatory