
Data Processing and International Transfers

International transfers are among the hardest compliance topics in web analytics. After Schrems II, the bar for cross-border data protection rose sharply.

Data Processing Agreement (DPA)

A DPA is a binding agreement between controller and processor. It defines roles, duties, and safeguards.

Mandatory GDPR Elements

Subject and Duration

The DPA must define:

  • Personal data types
  • Categories of subjects
  • Processing purposes
  • Storage and deletion periods

Processor Obligations

  • Process only on documented controller instructions
  • Ensure personnel confidentiality
  • Apply technical and organizational safeguards
  • Engage sub-processors only with written permission

Typical Structure

DPA Sections

  1. Definitions and Interpretation
  2. Party Roles and Responsibilities
  3. Processing Instructions
  4. Data Security
  5. Sub-processors
  6. Data Subject Rights
  7. Incident Notification
  8. Audit and Compliance
  9. International Transfers
  10. Liability and Compensation
  11. Termination and Data Deletion

DPAs often reference:

  • Standard Contractual Clauses (SCC)
  • Binding Corporate Rules (BCR)
  • Jurisdiction-specific frameworks (CCPA, LGPD)

Standard Contractual Clauses

On June 4, 2021, the European Commission adopted new SCCs reflecting GDPR and Schrems II.

Modular Structure

Module 1: Controller to Controller

EU controller to third-country controller.

Module 2: Controller to Processor

Includes Article 28 GDPR requirements.

Module 3: Processor to Processor

Sub-processing.

Module 4: Processor to Controller

Rare reverse scenario.

Key Innovations

Aspect | Change
Flexibility | Modular for different scenarios
Docking clause | Add new parties
Schrems II | Built-in third-country law assessment
Transparency | Extended obligations
Subject rights | Detailed implementation

Implementation Flow

graph TD
    A[Select appropriate module] --> B[Complete annexes]
    B --> C[Conduct TIA]
    C --> D{Adequate protection level?}
    D -->|Yes| E[Sign SCCs]
    D -->|No| F[Additional measures]
    F --> G{Sufficient?}
    G -->|Yes| E
    G -->|No| H[Transfer prohibited]

Annexes

Annex I: Parties and Transfer Description

  • Identify exporter and importer
  • Roles (controller/processor)
  • Data categories
  • Processing purposes
  • Retention periods

Annex II: Technical and Organizational Measures

  • Physical security
  • Access controls
  • Encryption and pseudonymization
  • Backup procedures
  • Monitoring and audit

Annex III: Sub-processor List

  • Names and locations
  • Processing description
  • Applicable safeguards

Binding Corporate Rules

BCRs are internal data protection rules binding on every group company, wherever located.

Advantages

Single Mechanism

BCRs cover all intra-group transfers without separate agreements.

Operational Flexibility

Easier intra-group processes and reorganizations.

Reputation

Signal of high data protection commitment.

Article 47 GDPR Requirements

Mandatory BCR Elements

  • Legally binding
  • Apply to all employees
  • Third-party beneficiary rights for subjects
  • Data protection principles
  • Subject rights and mechanisms
  • Staff training
  • Audit procedures
  • Complaint mechanisms
  • Cooperation with supervisory authorities

Approval Process

  • Develop policies and procedures
  • Internal readiness audit
  • Pick Lead Supervisory Authority
  • Prepare application
  • Submit to Lead DPA
  • Engage with concerned DPAs
  • Answer questions
  • Adjust as needed
  • EDPB consistency mechanism
  • Final approval
  • Group rollout
  • Ongoing compliance

Transfer Impact Assessment

A Transfer Impact Assessment (TIA) became mandatory after Schrems II for transfers based on SCCs, BCRs, and other Article 46 GDPR mechanisms.

When Required

Mandatory:

  • Transfer to country without adequacy decision
  • Use of SCCs or BCRs
  • Change in destination country law

Exceptions:

  • Adequacy-decision countries
  • Article 49 GDPR derogations

Six Steps (CNIL)

Step 1: Map Transfers

Document all international transfers:

  • Data types and sensitivity
  • Volumes and frequency
  • Recipients and locations
  • Sub-processing chains

Step 2: Identify Tools

Pick and document the legal basis:

  • SCCs (specify module)
  • BCRs
  • Other Article 46 mechanisms

Step 3: Assess Destination Law

graph LR
    A[Law analysis] --> B[Government access]
    B --> C[Judicial protection]
    C --> D[Application practice]
    D --> E[Risk assessment]

Step 4: Assess Tool Effectiveness

Can the chosen mechanism actually deliver protection?

  • Compatibility with third-country law
  • Ability to meet obligations
  • Availability of legal protection

Step 5: Additional Measures

Measure Types

Technical:

  • Strong encryption (keys stay in EU)
  • Pseudonymization
  • Split processing
  • Multiparty computation

Organizational:

  • Access minimization
  • Sub-processor controls
  • Transparency reporting
  • Staff training

Contractual:

  • Confidentiality guarantees
  • Notification obligations
  • Audit rights
  • Warrant canary clauses

Step 6: Reassess

  • Periodic TIA review
  • Track legislative changes
  • Update when circumstances shift

TIA Documentation

Section | Content
Executive Summary | Conclusions and decision
Scope | Transfer and data
Legal Analysis | Legislation review
Risk Assessment | Identified risks
Safeguards | Applied measures
Residual Risk | Remaining risks
Decision | Justification

Data Residency

Data residency is a popular way to cut transfer risk.

Strategies

Full Localization

Storage and processing only in the collection jurisdiction.

Regional Localization

Data stays within a region (EU, for example).

Selective Localization

Only certain categories are localized.

Architectures

Architecture:

  • Separate instances per region
  • Isolated databases
  • Local processing

Pros:

  • Full compliance
  • Minimal latency
  • Simpler regulatory posture

Cons:

  • High infrastructure cost
  • Management complexity
  • Resource duplication

Architecture:

  • Edge node processing
  • Centralized aggregation
  • Minimal raw data transfer

Pros:

  • Less data movement
  • Fast processing
  • Privacy by design

Cons:

  • Limited edge resources
  • Sync complexity
  • Edge infrastructure needs

Architecture:

  • Sensitive data local
  • Aggregates central
  • Selective replication

Pros:

  • Balance of compliance and efficiency
  • Configuration flexibility
  • Cost optimization

Cons:

  • Classification complexity
  • Multiple control points
  • Misclassification risk

Challenges for Analytics

Fragmentation

Splitting datasets makes global analytics and benchmarking harder.

Cost

Multiple infrastructures cost more.

Complexity

Sync, backup, and disaster recovery effort all scale with the number of locations.

Recommendations for Web Analytics

Picking a Strategy

graph TD
    A[Requirements assessment] --> B{International transfer volume}
    B -->|Minimal| C[Data residency]
    B -->|Medium| D[SCCs + additional measures]
    B -->|Large| E{Corporate group?}
    E -->|Yes| F[BCRs]
    E -->|No| G[Combined approach]

Compliance Checklist

  • Map all transfers
  • Identify applicable jurisdictions
  • Pick appropriate safeguards
  • Run TIA per transfer
  • Implement additional measures where needed
  • Sign or update DPAs
  • Document every process
  • Set up change monitoring
  • Train staff
  • Prepare response procedures

Risk Reduction

Privacy-Enhancing Technologies

  • Differential privacy for statistical reports
  • Homomorphic encryption for encrypted compute
  • Secure multi-party computation
  • Federated learning for distributed analytics

Organizational

  • Minimize transferred volume
  • Shorten retention
  • Tighten access control
  • Audit regularly

International transfers in web analytics demand careful architecture. Statable is built with these constraints in mind: flexible deployment, data residency options, built-in support for standard transfer mechanisms, and tools to run and document TIAs. Compliance without sacrificing analytical value.


About AI participation in writing articles

This article, like many others on our site, was created, written and proofread by a team of developers. Of course, not without the participation of AI assistants. We don't hide this and believe that modern systems are already quite good at handling simple tasks and, relatively speaking, writing an article about Viewport yourself is quite strange. It won't come out significantly better and will take a lot of time. But providing basic understanding to beginner webmasters is necessary. Of course, after the article is written by assistants - there's always proofreading, and this is where not one or two people participate, and only after that the article is published.
