AuditFront

SOC 2 P6.6: Privacy - Cross-Border Data Transfers

What This Control Requires

The entity provides data subjects with information about cross-border data transfers and obtains necessary authorizations for such transfers. Personal information is transferred across jurisdictions only in accordance with applicable laws and the entity's privacy commitments.

In Plain Language

The moment personal data crosses a national border - even if it is just landing on a cloud server in another country - different legal rules kick in. GDPR in particular restricts transfers outside the EEA to countries without adequate data protection, and the consequences of getting this wrong are significant (Schrems II demonstrated just how quickly the ground can shift).

You need to know where your personal data actually goes geographically, including cloud providers, subsidiaries, vendors, and backup sites. For each cross-border flow, you need a valid legal mechanism in place and you need to tell data subjects about it in your privacy notice.

Auditors check whether you have mapped your international data flows, whether each transfer has an appropriate legal basis, whether your privacy notice discloses these transfers, and whether you are monitoring for legal changes that could invalidate your current transfer mechanisms.

How to Implement

Map every cross-border personal data transfer. Think broadly: cloud providers hosted in other countries, international offices or subsidiaries, vendors and partners in other jurisdictions, remote employees accessing data from abroad, and backup or disaster recovery sites in other regions. If personal data touches another country, it needs to be on the map.

Determine the legal requirements for each transfer. Under GDPR, transfers outside the EEA require a valid transfer mechanism. Other jurisdictions have their own rules. Assess each transfer and document the legal basis.

Put the right transfer mechanisms in place. For GDPR-regulated transfers, your options include adequacy decisions (for countries the European Commission has approved), Standard Contractual Clauses (SCCs) for transfers to non-adequate countries, Binding Corporate Rules for intra-group transfers, and derogations for specific situations like explicit consent or contractual necessity. Execute and file the appropriate documentation for each.

Run transfer impact assessments for any transfer relying on SCCs. Evaluate whether the destination country's legal framework actually protects the data adequately. If you identify risks, layer on supplementary measures like encryption, pseudonymisation, or additional contractual restrictions.

Update your privacy notice to disclose cross-border transfers. Tell data subjects which countries their data may go to, why, and what safeguards protect it. Keep this clear and specific rather than burying it in legal boilerplate.

Stay on top of the legal landscape. New adequacy decisions, court rulings that invalidate transfer mechanisms, changes in destination country surveillance laws - any of these can affect your compliance overnight. Assign someone to monitor this and update your transfer mechanisms proactively.

Evidence Your Auditor Will Request

  • Cross-border data transfer mapping documenting all international data flows
  • Legal basis documentation for each cross-border transfer (SCCs, adequacy decisions, etc.)
  • Transfer impact assessments for transfers to non-adequate jurisdictions
  • Privacy notice disclosures about cross-border transfers and safeguards
  • Monitoring process for legal landscape changes affecting cross-border data transfers

Common Mistakes

  • Cross-border transfers are not mapped, leaving the organization unaware of international data flows
  • No legal transfer mechanisms are in place for transfers to non-adequate countries
  • Transfer impact assessments are not conducted for transfers relying on SCCs
  • Privacy notice does not disclose cross-border transfers or the safeguards used
  • Cloud provider hosting locations are not evaluated for cross-border transfer implications

Related Controls Across Frameworks

Framework    Control ID    Relationship
ISO 27001    A.5.34        Partial overlap
ISO 27001    A.5.14        Related

Frequently Asked Questions

Does using US-based cloud providers create a cross-border transfer issue?

If you process personal data of EU residents and your cloud provider stores or processes that data in the US or other non-EEA countries, yes - it is a cross-border transfer and needs a valid legal mechanism. The EU-US Data Privacy Framework provides a pathway for transfers to certified US companies, but check your specific provider's certification status and make sure appropriate safeguards are in place. Do not assume your provider is covered without verifying.

What are Standard Contractual Clauses?

SCCs are pre-approved contractual terms issued by the European Commission. When signed by both the data exporter and importer, they provide the legal safeguards needed for cross-border transfers. The current version (adopted June 2021) includes modules for different scenarios: controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller. They are the most commonly used transfer mechanism for non-adequate countries, but remember that you also need a transfer impact assessment alongside them.

Do cross-border transfer rules apply to backups stored in another country?

Yes, absolutely. Backing up personal data to servers in another country is a cross-border transfer, full stop. It is subject to the same legal requirements as any other transfer. Check where your backup providers actually host data and put appropriate transfer mechanisms in place. Many cloud backup services now offer region-specific storage options, which can help you avoid unnecessary cross-border transfers altogether.
