Glossary
Cross-border data transfer
The movement of personal data, including payroll, HR, tax, and banking information, from one country to another. For global payroll and EOR setups, every such movement must be legalised under a transfer mechanism (adequacy decision, Standard Contractual Clauses, Binding Corporate Rules, or Article 49 derogation) and, since Schrems II, supported by a Transfer Impact Assessment for non-adequate destinations.
Cross-border data transfer is the movement of personal data, including payroll and HR records, from one country to another.
For global payroll teams, the practical question isn't whether the transfer can happen. It's which legal mechanism makes it lawful: an adequacy decision, Standard Contractual Clauses, Binding Corporate Rules, or a narrow Article 49 derogation.
The EU has issued thirteen adequacy decisions covering destinations such as the UK, Switzerland, Japan, Canada (commercial sector), and South Korea. The EU-US Data Privacy Framework was added on 10 July 2023 after Schrems II invalidated its predecessor.
Every transfer to a non-adequate country also needs a Transfer Impact Assessment under EDPB Recommendations 01/2020. China, India, and Brazil each run their own outbound-transfer regimes, so a single multi-country payroll often layers three or four bodies of law on top of EU GDPR.
What makes payroll data the highest-risk category to transfer?
Payroll files carry the exact data categories regulators treat as most sensitive: government identifiers (NI number, SSN, codice fiscale), salary, bank details, tax residency, dependants, and increasingly health-related deductions.
The GDPR doesn't classify pay as "special category" data under Article 9, but national supervisors treat salary and bank details as high-risk for fraud and discrimination exposure. A breach of a 500-employee payroll file is a near-automatic Article 33 notification and, in most cases, a DPIA-triggering processing activity under Article 35.
The volume amplifies the risk. A monthly EU payroll cycle moves the same record set across the channel twelve times a year, then again to a tax authority, a pension provider, and a benefits broker. Each leg is its own transfer, and mobility cases that trigger tax equalisation calculations add another layer of cross-border data flow on top.
Four mechanisms that make a transfer lawful under GDPR
EU GDPR Articles 44 to 50 set the hierarchy. The mechanism you use depends on the destination country, the recipient relationship, and whether you operate as one corporate group or as separate controllers.
| Mechanism | Legal basis | When it fits | Payroll use case |
|---|---|---|---|
| Adequacy decision | GDPR Art 45 | Destination on EU adequacy list | EU to UK, Japan, Switzerland, Canada |
| Standard Contractual Clauses (SCCs) | GDPR Art 46(2)(c); Decision 2021/914 | Most controller-to-processor transfers | EU client to US payroll vendor |
| UK IDTA + Addendum | UK GDPR Art 46; ICO IDTA effective 21 March 2022 | Transfers out of the UK | UK payroll outsourced to non-adequate destination |
| Binding Corporate Rules (BCRs) | GDPR Art 47 | Intra-group transfers across many countries | Multinational running its own payroll engine |
| Article 49 derogations | GDPR Art 49 | Occasional, specific cases only | One-off mobility move with explicit consent |
The 2021 modernised SCCs replaced the older 2010 and 2004 sets. Any contract signed before 27 September 2021 should have been re-papered by 27 December 2022.
BCRs are the right tool for a group running payroll across twenty countries on a single platform. They take twelve to eighteen months to get a lead supervisory authority to approve, which is why most organisations default to SCCs.
Country-by-country: where transfers are restricted, banned, or localised
Outside the EU/UK, three other regimes shape global payroll transfers. China and India tighten the controls; the US sits inside the EU framework via the Data Privacy Framework but only for self-certified recipients.
| Country | Regime | Outbound rule | Localisation? |
|---|---|---|---|
| China | PIPL Art 38 | Separate consent, CAC security assessment or standard contract | Yes for "important data" and CIIO categories |
| India | DPDP Act 2023 | Government-notified blacklist; transfers allowed elsewhere | Sector-specific (RBI for banking) |
| Russia | Federal Law 152-FZ | Restricted; Roskomnadzor notification | Yes for personal data of Russian citizens |
| Vietnam | Decree 13/2023 | Transfer Impact Assessment filed with MPS | Yes for some sectors |
| Indonesia | PDP Law 27/2022 | Adequacy or contractual safeguards | Yes for public-sector and financial |
| Brazil | LGPD Art 33 | Adequacy, SCCs, BCRs, or consent | No general localisation |
| US | State laws (CCPA/CPRA, VCDPA, etc.) | No federal outbound rule | No |
Chinese payroll data for "critical information infrastructure operators" must stay onshore unless the Cyberspace Administration of China clears the transfer under a security assessment. The CAC threshold for triggering a full assessment is 100,000 personal-information subjects or 10,000 subjects of sensitive data.
For a UK or EU buyer running an Asia-Pacific footprint, the practical effect is that the China leg cannot share the same SCC paperwork as the rest of the region. It needs its own China-domestic processor and its own outbound transfer mechanism. The same logic applies inside the EU: the Germany country hub shows how a single-country payroll still layers BDSG works-council consultation rules on top of GDPR transfer paperwork.
What goes wrong: Schrems II, sub-processors, and the onward-transfer trap
Schrems II (CJEU C-311/18, judgment 16 July 2020) invalidated the EU-US Privacy Shield. It also raised the bar for SCCs by requiring a Transfer Impact Assessment on every transfer to a non-adequate country.
The TIA tests whether the destination country's surveillance laws allow public authorities access to the data that would be incompatible with EU rights. For US transfers under the older SCCs, the answer was often yes, which forced supplementary measures (encryption with EU-held keys, pseudonymisation) or a route via Data Privacy Framework self-certification.
The sub-processor chain
Most payroll vendors run a four-deep processor chain: the payroll engine, the helpdesk system, the payslip-PDF generator, and the analytics pipeline. Each one is a separate Article 28 contract with its own transfer point.
Buyers commonly review only the top-level vendor's DPA. The sub-processor list is where US transfers hide. Ask for the Article 28 Annex II list and check each one's hosting region.
Onward transfers
SCCs include Clause 8.7 (onward transfer) requiring the importer to flow equivalent protections to its own sub-processors. The clause is routinely under-papered. If your processor's processor isn't bound by either SCCs or BCRs, the chain breaks at that link and the original transfer becomes unlawful.
How EORs and payroll providers handle data flows in practice
Every EOR runs cross-border transfers by design. The employee data sits in two regimes at once: the home country of the EOR client (the buyer) and the host country of employment.
| Provider | Primary EU hosting | Transfer mechanism | Notable sub-processors |
|---|---|---|---|
| Deel | AWS Frankfurt / Ireland | 2021 SCCs + Data Privacy Framework | US-based analytics and ticketing |
| Remote | EU region (multi-AZ) | 2021 SCCs + DPF | Mixed EU/US support tooling |
| Multiplier | Singapore primary; EU mirror | SCCs + buyer-side TIA | India support operations |
| Papaya Global | EU and US regions; client choice | SCCs + DPF | Local payroll partners by country |
Procurement questionnaires rarely surface the difference. The "EU data centre" answer applies to the primary database, but the helpdesk ticketing and the analytics layer often route through US infrastructure under separate SCC chains. Ask for the full Article 28 Annex II list before signing; the Deel review covers one vendor's published sub-processor regions in detail.
Whichapp view
The transfer paperwork that fails an ICO audit is rarely the headline SCC. It's the sub-processor chain three or four contracts down, where Annex II has gone stale and the onward-transfer clause was never papered. Re-run the TIA every time the vendor refreshes its sub-processor list, not annually.
For provider-by-provider comparison on data residency and SCC chains, see the best global payroll providers shortlist. The boundary on what the EOR controls versus what stays with the buyer is set out in the EOR vs staffing agency entry.
See our ranked shortlist of providers, scored across pricing transparency, country coverage, and contract flexibility. Updated for 2026.
View the shortlist →Cross-border data transfer FAQs
Is sending a payroll file from the EU to a US payroll vendor a cross-border data transfer?
Yes. The transfer falls under GDPR Chapter V the moment personal data leaves the EEA. From 10 July 2023, the EU-US Data Privacy Framework offers an adequacy basis if the US recipient is self-certified under the DPF programme.
If not, the transfer needs the 2021 Standard Contractual Clauses plus a Transfer Impact Assessment that documents whether US surveillance law could compromise EU data-subject rights. Encryption with EU-held keys is the most common supplementary measure.
What does Schrems II actually require for a global payroll setup?
Three things. First, a documented Transfer Impact Assessment for every transfer to a non-adequate country. Second, supplementary technical or contractual measures where the destination country's surveillance laws are incompatible with EU rights.
Third, a refresh of any pre-2021 SCC paperwork to the modernised 2021 SCCs. The ruling doesn't block US transfers; it requires the receiver and the buyer to evidence why the transfer remains lawful in practice. See the UK payroll compliance checklist for the audit-side view.
Can an EOR handle the data-transfer paperwork on the client's behalf?
Partly. The EOR signs the Article 28 DPA with the client and provides the SCCs or DPF basis for transfers it controls. The client remains the data controller and stays liable under Article 24 for the overall lawfulness of the chain, including for sub-processors.
Ask for the full Annex II sub-processor list, the most recent TIA, and evidence that the onward-transfer clause is flowed down. Anything missing is the client's exposure, not the EOR's. The EOR entry covers where the controller/processor boundary sits.
Does China require all payroll data to stay onshore?
Only for "critical information infrastructure operators" and where the data volume crosses the CAC thresholds (100,000 personal-information subjects or 10,000 sensitive-data subjects).
Below those thresholds, outbound transfer is allowed under PIPL Article 38 via separate consent and either a CAC security assessment, the CAC standard contract, or a personal information protection certification. Most foreign-owned employers running modest payrolls in China use the standard contract route.
What's the difference between the EU SCCs and the UK IDTA?
The 2021 EU SCCs cover transfers from the EEA. The ICO International Data Transfer Agreement (IDTA), effective 21 March 2022, covers transfers from the UK.
Most multinationals layer the UK Addendum on top of the EU SCCs rather than running both documents in parallel. The Addendum maps EU SCC clauses into UK GDPR equivalents and avoids a duplicate contract. Either route works; the choice is operational, not legal.