Glossary

Cross-border data transfer

The movement of personal data, including payroll, HR, tax, and banking information, from one country to another. For global payroll and EOR setups, every such movement must be legalised under a transfer mechanism (adequacy decision, Standard Contractual Clauses, Binding Corporate Rules, or Article 49 derogation) and, since Schrems II, supported by a Transfer Impact Assessment for non-adequate destinations.

Updated May 2026 All glossary terms
Last reviewed: May 2026 · Based on EU GDPR Articles 44 to 50, Commission Implementing Decision 2021/914 (modernised SCCs), the ICO International Data Transfer Agreement, the Schrems II ruling (CJEU C-311/18), the EU-US Data Privacy Framework adequacy decision of 10 July 2023, China PIPL Article 38, and EDPB Recommendations 01/2020.

Cross-border data transfer is the movement of personal data, including payroll and HR records, from one country to another.

For global payroll teams, the practical question isn't whether the transfer can happen. It's which legal mechanism makes it lawful: an adequacy decision, Standard Contractual Clauses, Binding Corporate Rules, or a narrow Article 49 derogation.

The EU has issued thirteen adequacy decisions covering destinations such as the UK, Switzerland, Japan, Canada (commercial sector), and South Korea. The EU-US Data Privacy Framework was added on 10 July 2023 after Schrems II invalidated its predecessor.

Every transfer to a non-adequate country also needs a Transfer Impact Assessment under EDPB Recommendations 01/2020. China, India, and Brazil each run their own outbound-transfer regimes, so a single multi-country payroll often layers three or four bodies of law on top of EU GDPR.

What makes payroll data the highest-risk category to transfer?

Payroll files carry the exact data categories regulators treat as most sensitive: government identifiers (NI number, SSN, codice fiscale), salary, bank details, tax residency, dependants, and increasingly health-related deductions.

The GDPR doesn't classify pay as "special category" data under Article 9, but national supervisors treat salary and bank details as high-risk for fraud and discrimination exposure. A breach of a 500-employee payroll file is a near-automatic Article 33 notification and, in most cases, a DPIA-triggering processing activity under Article 35.

The volume amplifies the risk. A monthly EU payroll cycle moves the same record set across the channel twelve times a year, then again to a tax authority, a pension provider, and a benefits broker. Each leg is its own transfer, and mobility cases that trigger tax equalisation calculations add another layer of cross-border data flow on top.

Four mechanisms that make a transfer lawful under GDPR

EU GDPR Articles 44 to 50 set the hierarchy. The mechanism you use depends on the destination country, the recipient relationship, and whether you operate as one corporate group or as separate controllers.

Mechanism Legal basis When it fits Payroll use case
Adequacy decisionGDPR Art 45Destination on EU adequacy listEU to UK, Japan, Switzerland, Canada
Standard Contractual Clauses (SCCs)GDPR Art 46(2)(c); Decision 2021/914Most controller-to-processor transfersEU client to US payroll vendor
UK IDTA + AddendumUK GDPR Art 46; ICO IDTA effective 21 March 2022Transfers out of the UKUK payroll outsourced to non-adequate destination
Binding Corporate Rules (BCRs)GDPR Art 47Intra-group transfers across many countriesMultinational running its own payroll engine
Article 49 derogationsGDPR Art 49Occasional, specific cases onlyOne-off mobility move with explicit consent

The 2021 modernised SCCs replaced the older 2010 and 2004 sets. Any contract signed before 27 September 2021 should have been re-papered by 27 December 2022.

BCRs are the right tool for a group running payroll across twenty countries on a single platform. They take twelve to eighteen months to get a lead supervisory authority to approve, which is why most organisations default to SCCs.

Country-by-country: where transfers are restricted, banned, or localised

Outside the EU/UK, three other regimes shape global payroll transfers. China and India tighten the controls; the US sits inside the EU framework via the Data Privacy Framework but only for self-certified recipients.

Country Regime Outbound rule Localisation?
ChinaPIPL Art 38Separate consent, CAC security assessment or standard contractYes for "important data" and CIIO categories
IndiaDPDP Act 2023Government-notified blacklist; transfers allowed elsewhereSector-specific (RBI for banking)
RussiaFederal Law 152-FZRestricted; Roskomnadzor notificationYes for personal data of Russian citizens
VietnamDecree 13/2023Transfer Impact Assessment filed with MPSYes for some sectors
IndonesiaPDP Law 27/2022Adequacy or contractual safeguardsYes for public-sector and financial
BrazilLGPD Art 33Adequacy, SCCs, BCRs, or consentNo general localisation
USState laws (CCPA/CPRA, VCDPA, etc.)No federal outbound ruleNo

Chinese payroll data for "critical information infrastructure operators" must stay onshore unless the Cyberspace Administration of China clears the transfer under a security assessment. The CAC threshold for triggering a full assessment is 100,000 personal-information subjects or 10,000 subjects of sensitive data.

For a UK or EU buyer running an Asia-Pacific footprint, the practical effect is that the China leg cannot share the same SCC paperwork as the rest of the region. It needs its own China-domestic processor and its own outbound transfer mechanism. The same logic applies inside the EU: the Germany country hub shows how a single-country payroll still layers BDSG works-council consultation rules on top of GDPR transfer paperwork.

What goes wrong: Schrems II, sub-processors, and the onward-transfer trap

Schrems II (CJEU C-311/18, judgment 16 July 2020) invalidated the EU-US Privacy Shield. It also raised the bar for SCCs by requiring a Transfer Impact Assessment on every transfer to a non-adequate country.

The TIA tests whether the destination country's surveillance laws allow public authorities access to the data that would be incompatible with EU rights. For US transfers under the older SCCs, the answer was often yes, which forced supplementary measures (encryption with EU-held keys, pseudonymisation) or a route via Data Privacy Framework self-certification.

The sub-processor chain

Most payroll vendors run a four-deep processor chain: the payroll engine, the helpdesk system, the payslip-PDF generator, and the analytics pipeline. Each one is a separate Article 28 contract with its own transfer point.

Buyers commonly review only the top-level vendor's DPA. The sub-processor list is where US transfers hide. Ask for the Article 28 Annex II list and check each one's hosting region.

Onward transfers

SCCs include Clause 8.7 (onward transfer) requiring the importer to flow equivalent protections to its own sub-processors. The clause is routinely under-papered. If your processor's processor isn't bound by either SCCs or BCRs, the chain breaks at that link and the original transfer becomes unlawful.

How EORs and payroll providers handle data flows in practice

Every EOR runs cross-border transfers by design. The employee data sits in two regimes at once: the home country of the EOR client (the buyer) and the host country of employment.

Provider Primary EU hosting Transfer mechanism Notable sub-processors
DeelAWS Frankfurt / Ireland2021 SCCs + Data Privacy FrameworkUS-based analytics and ticketing
RemoteEU region (multi-AZ)2021 SCCs + DPFMixed EU/US support tooling
MultiplierSingapore primary; EU mirrorSCCs + buyer-side TIAIndia support operations
Papaya GlobalEU and US regions; client choiceSCCs + DPFLocal payroll partners by country

Procurement questionnaires rarely surface the difference. The "EU data centre" answer applies to the primary database, but the helpdesk ticketing and the analytics layer often route through US infrastructure under separate SCC chains. Ask for the full Article 28 Annex II list before signing; the Deel review covers one vendor's published sub-processor regions in detail.

Whichapp view

The transfer paperwork that fails an ICO audit is rarely the headline SCC. It's the sub-processor chain three or four contracts down, where Annex II has gone stale and the onward-transfer clause was never papered. Re-run the TIA every time the vendor refreshes its sub-processor list, not annually.

For provider-by-provider comparison on data residency and SCC chains, see the best global payroll providers shortlist. The boundary on what the EOR controls versus what stays with the buyer is set out in the EOR vs staffing agency entry.

Compare the leading employer-of-record providers

See our ranked shortlist of providers, scored across pricing transparency, country coverage, and contract flexibility. Updated for 2026.

View the shortlist →

Cross-border data transfer FAQs

Is sending a payroll file from the EU to a US payroll vendor a cross-border data transfer?

Yes. The transfer falls under GDPR Chapter V the moment personal data leaves the EEA. From 10 July 2023, the EU-US Data Privacy Framework offers an adequacy basis if the US recipient is self-certified under the DPF programme.

If not, the transfer needs the 2021 Standard Contractual Clauses plus a Transfer Impact Assessment that documents whether US surveillance law could compromise EU data-subject rights. Encryption with EU-held keys is the most common supplementary measure.

What does Schrems II actually require for a global payroll setup?

Three things. First, a documented Transfer Impact Assessment for every transfer to a non-adequate country. Second, supplementary technical or contractual measures where the destination country's surveillance laws are incompatible with EU rights.

Third, a refresh of any pre-2021 SCC paperwork to the modernised 2021 SCCs. The ruling doesn't block US transfers; it requires the receiver and the buyer to evidence why the transfer remains lawful in practice. See the UK payroll compliance checklist for the audit-side view.

Can an EOR handle the data-transfer paperwork on the client's behalf?

Partly. The EOR signs the Article 28 DPA with the client and provides the SCCs or DPF basis for transfers it controls. The client remains the data controller and stays liable under Article 24 for the overall lawfulness of the chain, including for sub-processors.

Ask for the full Annex II sub-processor list, the most recent TIA, and evidence that the onward-transfer clause is flowed down. Anything missing is the client's exposure, not the EOR's. The EOR entry covers where the controller/processor boundary sits.

Does China require all payroll data to stay onshore?

Only for "critical information infrastructure operators" and where the data volume crosses the CAC thresholds (100,000 personal-information subjects or 10,000 sensitive-data subjects).

Below those thresholds, outbound transfer is allowed under PIPL Article 38 via separate consent and either a CAC security assessment, the CAC standard contract, or a personal information protection certification. Most foreign-owned employers running modest payrolls in China use the standard contract route.

What's the difference between the EU SCCs and the UK IDTA?

The 2021 EU SCCs cover transfers from the EEA. The ICO International Data Transfer Agreement (IDTA), effective 21 March 2022, covers transfers from the UK.

Most multinationals layer the UK Addendum on top of the EU SCCs rather than running both documents in parallel. The Addendum maps EU SCC clauses into UK GDPR equivalents and avoids a duplicate contract. Either route works; the choice is operational, not legal.