International Data Transfers

Stop Losing Sleep Over Cross-Border Data Transfers

Updated 2026-05-17
Key Takeaways: Priverion is a Swiss-hosted platform that helps multi-entity organizations manage GDPR Standard Contractual Clauses, Transfer Impact Assessments, and supplementary measures in one place.

Standard Contractual Clauses under GDPR, explained in plain language. What they are, when they apply, why the 2021 update changed everything, and how to manage them across every entity in your group.


Swiss-hosted platform · ISO 27001 aligned · Trusted by organizations managing 50+ entities · Used across 30+ jurisdictions

Trusted by 50+ privacy teams across 14 countries
Industries: Healthcare, Aviation, Energy, Legal, Technology

Customers shown: Zurzach, AXA, Open Medical, Glencore, Pilatus, Liferay, CareerFairy, Voicepoint, Kellerhals Carrard, Aclaris, Avantec, Diakonie Bethanien

Why SCCs Are So Hard to Get Right

Why Standard Contractual Clauses Confuse Even Experienced Privacy Professionals

SCCs sound simple in theory: just sign the EU-approved contract clauses. In practice, the operational complexity multiplies with every subsidiary, vendor, and jurisdiction you manage.

200+

Data transfer relationships requiring SCC coverage in a typical mid-market organization with 10+ entities

Module Selection Chaos

The 2021 SCCs introduced four modules: Controller-to-Controller, Controller-to-Processor, Processor-to-Processor, and Processor-to-Controller. For each data transfer relationship, you must determine who is the exporter, who is the importer, and which module applies. Across a multi-entity group, that means hundreds of individual assessments. Tracking them in spreadsheets is not just painful; it is a compliance risk that can surface during any supervisory authority audit.

Based on Priverion analysis of multi-entity privacy programs across 30+ jurisdictions

€2.1B+

GDPR fines issued by European DPAs in 2023; international data transfers remain a top enforcement priority

Transfer Impact Assessments for Every Flow

After Schrems II, signing SCCs alone is not enough. You must conduct a Transfer Impact Assessment for each transfer to evaluate whether the recipient country's laws undermine the protections the SCCs provide. That means analyzing surveillance legislation, government access requests, and judicial remedies, per country, per transfer. Most DPOs we work with describe this as the single most time-consuming compliance obligation they face.

CJEU Schrems II ruling (Case C-311/18, July 2020); EDPB Recommendations 01/2020

60%

Compliance admin time Aircraft manufacturer spent on manual ROPA updates before adopting a structured privacy management approach

Supplementary Measures Nobody Documents

When a TIA reveals gaps in third-country protection, you need supplementary measures: encryption in transit and at rest, pseudonymization, contractual commitments to challenge government access requests. These must be documented, mapped to specific transfers, and reviewed whenever circumstances change. Across a group with dozens of entities, this creates an ongoing operational burden that spreadsheets simply cannot sustain.

Aircraft manufacturer case study, first 6 months with Priverion; EDPB Recommendations 01/2020 on supplementary measures

"Priverion helped us manage SCCs and vendor assessments across all our entities; what used to take weeks of chasing business units now happens automatically."

DPO team, Aircraft manufacturer (achieved fully automated recertification within 6 months)

The confusion is understandable. The regulatory framework is genuinely complex. But the operational challenge (tracking every transfer, every module, every TIA, every supplementary measure across your entire group) is where most organizations break down. Let's cut through the noise.

200+

Hours saved on ISO 27001 preparation

Medtec: measured across documentation, evidence gathering, and audit prep workflows in their first engagement with Priverion

60%

Reduction in compliance admin time

Aircraft manufacturer: achieved within 6 months of deployment, replacing manual ROPA updates across multiple subsidiaries

100%

ROPA recertification rate, fully automated

AXA: automated recertification across all group entities, eliminating manual follow-ups with business unit owners

Results reported by named customers during their first year with Priverion. Individual outcomes vary based on organizational complexity and scope of deployment.

Priverion vs. OneTrust

Enterprise-Grade Compliance Without the Enterprise Headache

OneTrust was built for Fortune 500 companies with dedicated implementation teams and six-figure budgets. Priverion was built for the organizations actually doing multi-entity compliance work, where the DPO is also the project manager, the trainer, and the board presenter.

Priverion

Built for multi-entity privacy teams who need results, not a second job learning the tool

Swiss Data Sovereignty: By Design, Not Bolt-On

All data processed and hosted within Swiss infrastructure. In a post-Schrems II world, this eliminates the legal gymnastics required for US-hosted platforms. European data residency is our default, not an add-on tier.

Operational in Weeks, Not Quarters

No six-month implementation project. No dedicated consultant required. Aircraft manufacturer was running automated ROPA recertification across all subsidiaries within their first six months, including onboarding and configuration.

Based on Aircraft manufacturer deployment, 2023

Predictable Pricing That Doesn't Punish Growth

Pricing based on number of entities and organizational size, not per-user seats or per-module licensing. Add a new subsidiary? Your bill doesn't double. Onboard your entire legal team? No per-seat surcharge.

All-in-One Privacy Platform

ROPA, DPIA/TIA, vendor assessments, DSR handling, incident management, SCC tracking, and AI Act compliance, in a single platform. No separate modules to purchase. No integration tax between your own compliance tools.

AI That Assists, Never Decides

AI-assisted DPIA drafting, risk scoring, and regulatory mapping, with every output reviewed before it becomes a compliance record. No customer data used for model training. Full transparency on what AI does and doesn't touch.

Deep Integrations Where They Matter

Purpose-built connectors for HR, procurement, and IT asset management systems, the workflows that actually generate privacy obligations. Not 200 shallow integrations that create maintenance overhead.

Typical Enterprise Platform

Built for the Fortune 500, and priced accordingly

US-Hosted Infrastructure

Data processed primarily in the United States. European hosting available as a premium option, but underlying corporate jurisdiction remains subject to US surveillance law, creating ongoing legal exposure under Schrems II.

3–6 Month Implementation Cycles

Complex deployments requiring dedicated project managers and external consultants. Many mid-market teams report the implementation project becoming a compliance burden in itself.

Per-User, Per-Module Pricing

Costs scale with every user added and every module activated. Budgets become unpredictable as programs mature and more stakeholders need access, exactly when you can least afford a pricing surprise.

Modular Architecture

Separate purchases for privacy, GRC, ethics, cookie consent, ESG, many of which mid-market teams don't need. The modules you do need often require separate integration work to talk to each other.

AI With Less Transparency

AI features marketed as automation, often without clear documentation on data handling, model training practices, or where human review fits in the workflow. For compliance records, opacity is risk.

200+ Integrations

Impressive on a features page. In practice, many are surface-level connectors that require custom configuration and ongoing maintenance, creating IT overhead for privacy teams that just need their HR and procurement data flowing correctly.

"We evaluated OneTrust and two other platforms before choosing Priverion. The difference was immediate: we had full ROPA recertification running across all entities within weeks, not months. Our DPO now spends time on strategic privacy work instead of chasing spreadsheets."

Compliance Lead, Aircraft manufacturer

60% reduction in compliance admin time within first 6 months

An honest note on what we don't do

We don't cover ESG reporting, ethics hotlines, or cookie consent management. We're not built for single-entity companies with simple compliance needs. And we have 30 deep integrations, not 200 shallow ones.

If you're managing privacy compliance across multiple subsidiaries and jurisdictions, and you need a platform your team will actually use, that's exactly what we built.


Stop Managing Privacy Compliance in Spreadsheets

See how Priverion gives your DPO team automated ROPA recertification, audit-ready evidence packages, and group-wide visibility across every subsidiary, hosted entirely in Switzerland.

  • 60% less compliance admin time (Aircraft manufacturer, first 6 months)
  • 200+ hours saved on ISO 27001 prep (Medtec)
  • 100% ROPA recertification rate (AXA, fully automated)


Swiss-built and Swiss-hosted · No per-user pricing · AI-assisted, human-decided

About this page — references, definitions, and FAQs

Key Takeaways — Standard Contractual Clauses Under GDPR

Standard Contractual Clauses (SCCs) are the most widely used legal mechanism for transferring personal data from the EEA to third countries under GDPR. The 2021 modular SCCs replaced all prior versions as of 27 December 2022. After the CJEU Schrems II ruling, SCCs alone are insufficient — organizations must also conduct Transfer Impact Assessments and implement supplementary measures where needed. Multi-entity groups face particular complexity because each data transfer relationship requires individual module selection, TIA documentation, and ongoing review.

What are Standard Contractual Clauses (SCCs)?

Standard Contractual Clauses (SCCs) are standardized, pre-approved contractual terms adopted by the European Commission under Commission Implementing Decision (EU) 2021/914 that provide appropriate data protection safeguards for international transfers of personal data pursuant to GDPR Article 46(2)(c). They are binding on both the data exporter and the data importer.

What are the four SCC modules introduced in 2021?

The 2021 SCCs use a modular structure with four distinct modules:

  • Module 1: Controller-to-Controller transfers
  • Module 2: Controller-to-Processor transfers
  • Module 3: Processor-to-Processor (sub-processor) transfers
  • Module 4: Processor-to-Controller transfers

Each module contains tailored obligations reflecting the specific roles and responsibilities of the parties. Organizations must assess each transfer relationship individually to select the correct module. Source: Commission Implementing Decision (EU) 2021/914.

What is a Transfer Impact Assessment (TIA) and why is it required?

A Transfer Impact Assessment (TIA) is a documented evaluation of whether the legal framework of the data importer's country provides protection that is "essentially equivalent" to that within the EEA. The requirement stems from the CJEU's Schrems II judgment (Case C-311/18, 16 July 2020). The EDPB Recommendations 01/2020 outline a six-step process: (1) map your transfers, (2) identify the transfer tool, (3) assess third-country law, (4) adopt supplementary measures if needed, (5) implement procedural steps, and (6) re-evaluate at appropriate intervals.

What supplementary measures may be required alongside SCCs?

When a TIA reveals that the destination country's laws may undermine SCC protections, organizations must implement supplementary measures. According to the EDPB Recommendations 01/2020, these may include:

  • Technical measures: end-to-end encryption, pseudonymization, split processing
  • Contractual measures: commitments to challenge government access requests, transparency obligations
  • Organizational measures: internal policies on handling access requests, staff training, audit rights

When did the old SCCs expire?

The European Commission's Implementing Decision (EU) 2021/914 set a transition deadline of 27 December 2022. After that date, all transfers relying on SCCs must use the new modular clauses. Contracts still referencing the 2001 or 2010 decisions are no longer valid transfer mechanisms.

How widespread is the use of SCCs for international data transfers?

According to the IAPP-EY 2023 Annual Privacy Governance Report, SCCs remain the most commonly used transfer mechanism, relied upon by approximately 88% of organizations conducting international data transfers from the EEA. The same report found that 70% of privacy professionals consider cross-border data transfers among their top three compliance challenges.

What enforcement actions have targeted international data transfers?

European Data Protection Authorities have increasingly prioritized international transfer compliance. According to EDPB enforcement data, cumulative GDPR fines exceeded €4.5 billion by early 2024, with several landmark penalties directly linked to inadequate transfer safeguards — including the €1.2 billion fine issued to Meta by the Irish DPC in May 2023 for transfers to the United States without adequate supplementary measures.

How does the EU-US Data Privacy Framework relate to SCCs?

The EU-US Data Privacy Framework (DPF), adopted via Commission adequacy decision on 10 July 2023, provides an alternative transfer mechanism for transfers to US organizations that have self-certified under the DPF. However, SCCs remain necessary for transfers to non-DPF-certified US companies and to all other third countries without an adequacy decision. Organizations should not assume the DPF eliminates the need for SCCs across their entire vendor portfolio.

SCC Module Selection — Comparison Table

| Module | Data Exporter Role | Data Importer Role | Typical Use Case |
|---|---|---|---|
| Module 1 | Controller | Controller | Sharing customer data between group companies for joint purposes |
| Module 2 | Controller | Processor | Engaging a cloud provider or SaaS vendor outside the EEA |
| Module 3 | Processor | Sub-processor | Primary processor engaging a sub-processor in a third country |
| Module 4 | Processor | Controller | EU-based processor returning data to a non-EEA controller |

Statistics and Sources

According to the IAPP-EY 2023 Annual Privacy Governance Report, 88% of organizations use SCCs as their primary international transfer mechanism. The EDPB Recommendations 01/2020 remain the authoritative guidance for conducting Transfer Impact Assessments. The current SCCs were adopted on 4 June 2021 under Implementing Decision (EU) 2021/914, with a mandatory transition deadline of 27 December 2022. Under GDPR Article 46(2)(c), SCCs adopted by the Commission constitute one of the "appropriate safeguards" for lawful international data transfers.