The International Transfers sub-module in Venvera enables your organization to document, manage, and monitor all transfers of personal data to third countries (countries outside the European Economic Area) or international organizations, as regulated by Chapter V (Articles 44–49) of the GDPR. Any transfer of personal data to a third country may only take place if the conditions laid down in Chapter V are complied with. This article covers every field, transfer mechanism, compliance requirement, and management feature in the International Transfers register.

What Constitutes an International Transfer?

An international transfer is any transmission of, or access to, personal data by a recipient outside the EEA (27 EU states plus Iceland, Liechtenstein, Norway). This includes cloud providers with non-EEA servers, remote access from third countries, and intra-group transfers to entities in third countries.

Accessing International Transfers

Step 1: Navigate to International Transfers

From the sidebar, expand GDPR and click International Transfers. The main view displays a table listing all transfer records with columns for Destination Country, Recipient Name, Transfer Mechanism, TIA Completed status, and Review Date.

Step 2: Review the Transfer Register

Active transfers are shown prominently. Transfers without a completed TIA (Transfer Impact Assessment) are flagged with a warning indicator. Transfers approaching their review date are highlighted in amber. You can filter by destination country, transfer mechanism, or TIA status.

Step 3: Register a New Transfer

Click Add Transfer in the top-right corner. Populate all required fields, select the appropriate transfer mechanism, and document the safeguards in place. Save the record to add it to the register.

Step 4: Conduct Transfer Impact Assessments

For transfers relying on Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or other Art. 46 safeguards, complete a Transfer Impact Assessment to evaluate whether the legal framework in the destination country provides adequate protection. Document the TIA outcome in the transfer record.

International Transfer Form Fields

Field | Type | Status | Description
Destination Country | Country Dropdown | Required | The destination country outside the EEA. The system indicates whether the country has an EU adequacy decision (Art. 45), simplifying transfer requirements. See the Adequacy Decisions table below for the current list.
Recipient Name | Text | Required | Full legal name of the receiving entity. Should match the DPA Processor Name if applicable. For group companies, specify the legal entity (e.g., "Acme Corp US, LLC"). For cloud providers, identify the entity and data center location.
Data Categories | Multi-select / Tags | Required | Personal data categories included in the transfer. Special category data (Art. 9) requires enhanced scrutiny. Should be consistent with ROPA and DPA records.
Transfer Mechanism | Dropdown | Required | The legal basis for the international transfer. Select one of the following:
  • Adequacy Decision (Art. 45) — The Commission has determined adequate protection exists. No additional safeguards required, but monitor for revocations. For the U.S., applies only to EU-U.S. Data Privacy Framework certified organizations.
  • Standard Contractual Clauses (SCCs) (Art. 46(2)(c)) — Commission-adopted standard clauses providing appropriate safeguards. Post-Schrems II, a Transfer Impact Assessment (TIA) is required to verify the destination country's legal framework allows compliance. Use the current (June 2021) SCCs with four modules: C2C, C2P, P2P, P2C. Supplementary measures may be needed.
  • Binding Corporate Rules (BCRs) (Art. 47) — Supervisory authority-approved internal rules for intra-group transfers in multinational groups. Must contain all Art. 47(2) elements. A TIA should verify practical compliance in the destination country.
  • Derogation (Art. 49) — Specific situational derogations: explicit consent (after risk disclosure), contract necessity, public interest, legal claims, vital interests, or public register. Must be interpreted restrictively; intended for occasional, non-repetitive transfers only.
  • Other (Art. 46) — Approved codes of conduct (Art. 46(2)(e)), certification mechanisms (Art. 46(2)(f)), or supervisory authority-authorized contractual clauses (Art. 46(3)(a)). Specify details in Safeguard Details.
Safeguard Details | Rich Text Area | Required | Detailed safeguard documentation, varying by mechanism:
  • Adequacy Decisions: Commission decision reference, date, conditions. For DPF: recipient certification details.
  • SCCs: Module used (1-4), execution date, completed annexes (I: Transfer Description, II: TOMs, III: Sub-Processors), TIA outcome, supplementary measures.
  • BCRs: Approval decision, approving authority, date, scope, and limitations.
  • Derogations: Specific derogation relied upon, legal basis, and why safeguards could not be provided.
  • Other: Specific mechanism, approval status, and how it provides appropriate safeguards.
Linked Processing Activity | Dropdown (from ROPA) | Optional | Link to the ROPA processing activity involving this transfer, creating cross-reference traceability. The processing activity's International Transfers toggle should be Yes. Multiple transfers can link to the same activity.
TIA Completed | Toggle (Yes/No) | Required | Whether a Transfer Impact Assessment has been completed. Required for SCCs, BCRs, or other Art. 46 safeguards (per Schrems II, Case C-311/18). Not required for adequacy decisions. The TIA evaluates: destination country laws affecting safeguard compliance (especially surveillance/government access), practical enforceability of contractual safeguards, and the need for supplementary measures. A warning is displayed if set to No for SCC/BCR/Other transfers.
Review Date | Date Picker | Optional | Date for periodic review (at least annually) or when destination country laws, recipient practices, or supervisory guidance change. Approaching review dates are highlighted in amber in the list view and dashboard.

Adequacy Decisions

An adequacy decision is a determination by the European Commission, pursuant to Art. 45(3), that a third country, a territory, or one or more specified sectors within a third country, or an international organization ensures an adequate level of data protection. When an adequacy decision is in place, personal data can flow freely from the EEA to that country without the need for additional safeguards.

Countries/territories with adequacy decisions include: Andorra, Argentina, Canada (PIPEDA), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, United Kingdom (with sunset clause), United States (DPF-certified organizations only), and Uruguay.

Adequacy Decisions Can Be Revoked

Adequacy decisions are not permanent. The European Commission monitors the legal framework in third countries with adequacy decisions and can amend, suspend, or repeal them if the level of protection is no longer adequate. The most notable example is the invalidation of the EU-U.S. Privacy Shield in the Schrems II judgment (July 2020). Monitor adequacy decision status and be prepared to implement alternative safeguards if an adequacy decision is revoked.

Schrems II Implications

The Court of Justice of the European Union's judgment in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (Case C-311/18, "Schrems II", July 16, 2020) had profound implications for international data transfers:

  1. Invalidation of Privacy Shield — Invalidated due to U.S. surveillance concerns; replaced in 2023 by the EU-U.S. Data Privacy Framework following Executive Order 14086.
  2. SCCs require case-by-case assessment — SCCs remain valid but exporters must verify via a TIA that the destination country's legal framework allows compliance.
  3. Supplementary measures may be required — If the TIA reveals inadequate protection, supplementary measures (technical, contractual, organizational) must bridge the gap. If none are effective, the transfer must be suspended.
  4. Supervisory authority enforcement — Authorities must suspend or prohibit non-compliant transfers where no effective supplementary measures exist.

Supplementary Measures

When a TIA identifies gaps in the protection provided by the destination country's legal framework, supplementary measures must be implemented. The EDPB (in its Recommendations 01/2020) categorizes supplementary measures into three types:

Technical Measures

  • Encryption — at rest and in transit with keys held solely by the data exporter within the EEA
  • Pseudonymization — re-identification information held solely by the data exporter
  • Split processing — data split among jurisdictions so no single party has the complete dataset

Contractual Measures

  • Obligations to challenge government access requests using all available legal mechanisms
  • Transparency obligations for public authority access requests
  • Enhanced audit rights including unannounced inspections
  • Data localization commitments and onward transfer restrictions

Organizational Measures

  • Internal policies with clear transfer responsibilities
  • Security certifications (ISO 27001, SOC 2) at the data importer
  • Regular compliance assessments and staff training on government access handling

Tip: Document Supplementary Measures Thoroughly

When implementing supplementary measures, document them comprehensively in the Safeguard Details field of the transfer record. Supervisory authorities increasingly expect data exporters to demonstrate that they have conducted a meaningful TIA and implemented effective supplementary measures, not just ticked a box. Be specific about which encryption is used, who holds the keys, what contractual provisions have been added, and what organizational controls are in place.

Transfer Impact Assessment (TIA) Process

Step 1: Know Your Transfer

Map the data flows: what data, from where to where, for what purpose, to which recipient, under which transfer mechanism.

Step 2: Identify the Transfer Tool

Confirm the Art. 46 safeguard (SCCs, BCRs, or other), verify the correct version is in use, and ensure all required annexes/modules are completed.

Step 3: Assess the Legal Framework

Evaluate destination country laws and practices affecting safeguard effectiveness: surveillance laws, law enforcement access, data localization, data protection legislation, and rule of law. Use EDPB guidance, supervisory authority assessments, and qualified legal opinions.

Step 4: Evaluate Effectiveness

Determine if safeguards can be complied with in practice. Identify necessary supplementary measures. If no effective measures exist, the transfer must be suspended.

Step 5: Document and Implement

Record TIA findings, supplementary measures, and rationale in the Safeguard Details field. Set TIA Completed to Yes and establish a Review Date for reassessment.

Exporting the Transfer Register

The International Transfers register can be exported in CSV or PDF format. The export includes all fields for each transfer record, including the TIA completion status and safeguard details. This export serves as compliance documentation demonstrating that your organization has assessed and safeguarded all international transfers of personal data, fulfilling the accountability principle under Art. 5(2) and the specific requirements of Chapter V.