Cross-Border Data Transfer Rules

Last reviewed: 2025-10-20 | Owner: Data Protection Office

1. Purpose

This policy (Ref: COMP-DP-004) establishes the Bank's rules for the transfer of personal data to countries outside the European Economic Area (EEA). It ensures that all international data transfers comply with Chapter V of the GDPR (Articles 44–49) and applicable national data protection legislation, maintaining an adequate level of protection for personal data regardless of its geographic location.

2. Scope

This policy applies to all transfers of personal data from the Bank's EEA entities to recipients located outside the EEA, including:

  • Transfers to the Bank's own branches, subsidiaries, and affiliates in non-EEA jurisdictions.
  • Transfers to third-party service providers, processors, and sub-processors.
  • Transfers to regulatory authorities, correspondent banks, and counterparties.
  • Remote access to EEA-held data from non-EEA locations.

3. General Prohibition

Personal data must not be transferred to a country or territory outside the EEA unless one of the approved transfer mechanisms described in Section 4 is in place. Any transfer without an approved mechanism constitutes a breach of this policy and may result in regulatory enforcement action and disciplinary proceedings.

4. Approved Transfer Mechanisms

4.1 Adequacy Decisions

The European Commission has determined that certain countries provide an adequate level of data protection. Transfers to these countries may proceed without additional safeguards. The current list of adequate countries is maintained by the Data Protection Office and includes, among others, the United Kingdom, Switzerland, Japan, Republic of Korea, and Canada (for private-sector organisations subject to PIPEDA).

4.2 Standard Contractual Clauses (SCCs)

Where no adequacy decision exists, the Bank's primary transfer mechanism is the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914). SCCs must be executed between the data exporter (Bank EEA entity) and the data importer (non-EEA recipient) prior to the commencement of any data transfer. The appropriate module must be selected:

  Module     Scenario
  Module 1   Controller to Controller
  Module 2   Controller to Processor
  Module 3   Processor to Processor
  Module 4   Processor to Controller

4.3 Binding Corporate Rules (BCRs)

For intra-group transfers, the Bank has obtained approval from its lead supervisory authority for Binding Corporate Rules. BCRs provide a legally binding framework for the transfer of personal data between the Bank's group entities worldwide. All group entities are bound by the BCRs and must comply with the data protection standards set out therein.

4.4 Derogations

In limited circumstances where no other mechanism is available, transfers may be made under the derogations in Article 49 of the GDPR, including:

  • Explicit consent of the data subject (after being informed of the risks).
  • Necessity for the performance of a contract with the data subject.
  • Important reasons of public interest.
  • Establishment, exercise, or defence of legal claims.

Derogations must be interpreted restrictively and may only be relied upon with prior approval from the DPO.

5. Transfer Impact Assessments (TIAs)

For all transfers relying on SCCs or BCRs, a Transfer Impact Assessment must be completed to evaluate whether the laws and practices of the destination country provide an essentially equivalent level of protection. The TIA must consider:

  • The legal framework of the destination country (surveillance laws, government access to data).
  • The nature and sensitivity of the data being transferred.
  • Supplementary measures that may be applied (encryption, pseudonymisation, contractual restrictions).

TIAs must be documented and reviewed at least annually or when there is a material change in the legal framework of the destination country.

6. Supplementary Measures

Where a TIA identifies risks, the following supplementary measures must be considered and, where appropriate, implemented:

  • Technical measures — Encryption in transit and at rest (AES-256 minimum), pseudonymisation, data minimisation prior to transfer.
  • Contractual measures — Enhanced audit rights, notification obligations for government access requests, data localisation commitments.
  • Organisational measures — Access controls, staff vetting, and security certifications (ISO 27001).

7. Responsibilities

  • Data Protection Office — Maintains the register of international transfers, reviews TIAs, and provides guidance.
  • Procurement and Vendor Management — Ensures SCCs are incorporated into vendor contracts.
  • Business Units — Must not initiate cross-border transfers without consulting the Data Protection Office.

8. Review

This policy is reviewed annually. Next review: Q2 2027.