This guide is for Irish businesses that use cloud software like Google Workspace or Slack, work with overseas suppliers, or have teams outside the EEA, especially SMEs handling personal data.
Readers will gain practical steps to map transfers, select mechanisms like SCCs, carry out TIAs, avoid fines, and ensure GDPR compliance for international operations.
Key Takeaways
- Cross-border transfers happen via cloud tools or overseas partners; require GDPR Chapter V mechanisms.
- Use adequacy decisions for approved countries; SCCs plus TIA otherwise.
- Conduct documented TIAs for non-adequate destinations, focusing on legal access risks.
- Map data flows, build transfer register, review regularly to stay compliant.
- Non-compliance risks huge DPC fines: Meta €1.2B, TikTok €530M; enforcement intensifying.

Cross-Border Data Transfers Under GDPR: A Guide for Irish Businesses
If your business uses cloud software, works with overseas suppliers, or has team members outside the EEA, you are almost certainly making cross-border data transfers. Under the GDPR, every one of those transfers needs a legal basis, and getting it wrong can result in fines running into hundreds of millions of euro.
This guide explains how cross-border data transfers work under the GDPR, what Irish businesses need to do to stay compliant, and which transfer mechanisms apply to common scenarios.
When is a data transfer "cross-border"?
A cross-border data transfer occurs any time personal data moves from the European Economic Area (EEA) to a country outside it. The EEA includes all EU member states plus Iceland, Liechtenstein, and Norway. Any country outside this group is classified as a "third country" under GDPR Chapter V.
Common scenarios that trigger cross-border transfers include using US-based SaaS tools like Google Workspace or Slack, outsourcing payroll to a provider in India, sharing customer records with a parent company in the UK, or storing backups on servers located outside the EEA.
In practice, this means that if you use any cloud-based tool where the provider processes data outside the EEA, you are making a cross-border data transfer, even if you never consciously "send" data anywhere.
The transfer rules apply whether you are a controller or a processor. If personal data leaves the EEA, you need a valid transfer mechanism in place.
What is an adequacy decision?
An adequacy decision is the simplest route for cross-border transfers. The European Commission assesses whether a third country provides a level of data protection "essentially equivalent" to the GDPR. If it does, data can flow freely without additional safeguards.
As of March 2026, countries with full EU adequacy decisions include Andorra, Argentina, Canada (commercial organisations), Israel, Japan, New Zealand, South Korea, Switzerland, the UK, and Uruguay, among others.
The EU-US Data Privacy Framework (DPF), adopted in July 2023, provides an adequacy pathway for transfers to US organisations that have self-certified under the framework. If you rely on an adequacy decision, monitor its status regularly. Adequacy can be revoked, as happened in 2020 when the Court of Justice of the EU invalidated the EU–US Privacy Shield, immediately cutting off thousands of lawful transfer arrangements and forcing businesses to switch to alternative safeguards such as Standard Contractual Clauses.
With adequacy covering some destinations, the question becomes what to do when there is no adequacy decision in place.
What are Standard Contractual Clauses?
Standard Contractual Clauses (SCCs) are pre-approved contract terms issued by the European Commission. When there is no adequacy decision for the destination country, SCCs are the most widely used transfer mechanism.
The current SCCs were adopted in June 2021 and use a modular structure with four modules:
- Module 1: Controller-to-controller transfers
- Module 2: Controller-to-processor transfers
- Module 3: Processor-to-processor transfers
- Module 4: Processor-to-controller transfers
You select the module that matches your transfer scenario and incorporate it into your service agreement with the data importer. The annexes must be completed with specific details about each transfer, including the categories of data, the purposes of processing, and the security measures in place.
SCCs are not a "sign and forget" solution. You also need to carry out a Transfer Impact Assessment before relying on SCCs for transfers to countries without adequate protections.
When do you need a Transfer Impact Assessment?
A Transfer Impact Assessment (TIA) is required whenever you rely on SCCs to transfer data to a third country without an adequacy decision. The TIA evaluates whether the legal framework in the destination country provides effective protection for the transferred data.
The European Data Protection Board (EDPB) recommends a six-step process: map your data transfers, identify the transfer mechanism, assess the laws of the destination country, identify and adopt supplementary measures if needed, implement those measures, and re-evaluate at regular intervals.
The Irish Data Protection Commission (DPC) has made clear that a superficial TIA will not pass muster. In May 2025, TikTok was fined €530 million by the DPC partly because its Transfer Impact Assessment for data sent to China was found to be inadequate. Risk management of international flows is now a high priority for regulators.
Author's tip: Your TIA does not need to be a 50-page report. Focus on the specific legal powers in the destination country that could compel access to the data you are transferring, and whether your supplementary measures effectively address those risks.
What about Binding Corporate Rules and other mechanisms?
Binding Corporate Rules (BCRs) are an alternative to SCCs designed for multinational groups that regularly transfer personal data between entities. BCRs must be approved by a lead supervisory authority and provide a comprehensive internal governance framework. They are resource-intensive and typically only practical for larger organisations.
Other mechanisms exist but are narrower in scope. Codes of conduct and certification mechanisms under Article 46 can serve as transfer safeguards, although, in our experience, adoption has been limited in practice. Article 49 derogations, such as explicit consent or contractual necessity, are available but must be treated as a last resort. The EDPB has emphasised that derogations cannot be used for systematic or large-scale transfers.
For most Irish SMEs, SCCs paired with a thorough TIA will be the most practical route. Once you know which mechanism applies, the next step is putting it all into practice.
How to get your transfers in order
Getting compliant starts with knowing where your data goes. We recommend that you map every international data flow in your organisation, covering SaaS tools, cloud hosting, third-party processors, and group company transfers.
For each transfer, identify the legal mechanism you rely on: adequacy decision, SCCs, BCRs, or derogation. If you are using SCCs, check that you have the 2021 version with the correct module selected and the annexes fully completed.
Carry out a TIA for every SCC-based transfer to a non-adequate country. Document your assessment and any supplementary measures you have adopted.
Build a transfer register. This does not need to be complex: a spreadsheet listing each transfer, the recipient, the destination country, the mechanism used, and the date of your last review is a solid starting point. Review it at least annually, or whenever a significant change occurs, such as a new vendor or a shift in adequacy status.
What happens if you get it wrong?
The DPC has shown it will impose substantial fines for transfer violations. Meta was fined €1.2 billion in 2023 for transferring EU user data to the US without adequate safeguards under Schrems II. In 2025, TikTok received a €530 million GDPR fine for failing to put adequate safeguards in place for transfers of personal data to China. Ireland's DPC has levied over €4.5 billion in GDPR fines in total, with international data transfers remaining a top enforcement priority.
Beyond fines, the DPC can order you to suspend transfers entirely, which could disrupt operations if you depend on non-EEA services. New EU procedural rules adopted in 2025-2026 aim to speed up cross-border enforcement, and the regulatory direction is clear: corporate compliance scrutiny is intensifying, not easing.
Where this leaves you
Cross-border data transfers are routine in modern business, but the GDPR requires a valid legal basis for every one of them. The core steps are straightforward: map your data flows, choose the right transfer mechanism, carry out a TIA where needed, and review regularly.
If your business relies on US-based tools or works with partners outside the EEA, now is a good time to check that your transfer documentation is current. In our experience, the enforcement landscape is not slowing down, and the cost of non-compliance keeps rising.
If you need help getting your international data flows in order, Open Forest can guide you through it.

Laura Ryan is a practising Barrister at the Bar of Ireland. She graduated from the Honourable Society of King’s Inns in 2024, having previously qualified and practised as a Chartered Accountant in a big four accounting firm.













