GDPR and International Trade Data: How to Transfer Customer and Supply Chain Data Across Borders Legally

Why International Trade Creates GDPR Data Transfer Issues#

GDPR applies to any processing of personal data of individuals in the EEA — regardless of where the processing organisation is located. In international trade, personal data appears throughout the supply chain: customer names and delivery addresses in cross-border e-commerce, consignee and consignor information on commercial invoices and packing lists, haulier driver details in transport documentation, buyer and supplier contact names in trade finance documents, and employee data shared across multinational corporate groups. When this data is transferred from the EEA to a country outside the EEA — including to the UK post-Brexit — GDPR requires a legal transfer mechanism to be in place. Without one, the transfer is unlawful even if the data is necessary for a legitimate business purpose.

The UK Adequacy Decision: What It Covers and Its Vulnerability#

In June 2021, the European Commission adopted an adequacy decision for the UK, recognising UK data protection law as providing essentially equivalent protection to GDPR. This allows personal data to flow from the EEA to the UK without additional transfer mechanisms — as if the UK were an EEA country. For UK businesses receiving customer data from EU operations, the adequacy decision is the primary legal basis for those data flows. However, the adequacy decision is not permanent: it was adopted for four years and was due for review in June 2025. The Commission can withdraw adequacy if it determines that UK law has diverged materially from GDPR standards. The UK's independent development of its own data protection framework — including the Data Protection and Digital Information Act — is a factor the Commission will assess. AskBiz monitors regulatory developments that could affect the UK's adequacy status.

Standard Contractual Clauses for Non-UK Third Countries#

For transfers to countries without an EU adequacy decision — which includes the US, China, India, and most of the world — Standard Contractual Clauses (SCCs) are the primary transfer mechanism used by trade businesses. SCCs are pre-approved contractual clauses adopted by the European Commission that create enforceable data protection obligations between the data exporter (in the EEA) and data importer (in the third country). Updated SCCs were adopted by the Commission in June 2021, and organisations using the old 2010 SCCs should have transitioned by December 2022. For trade logistics businesses sharing manifest data, tracking data, or delivery confirmation data with non-EEA logistics partners, SCCs need to be in place with each relevant data importer. A transfer impact assessment (TIA) is also required to verify that SCCs provide effective protection given the legal environment in the recipient country.

Binding Corporate Rules for Multinational Trade Groups#

For multinational corporate groups with operations in both EEA and non-EEA countries, Binding Corporate Rules (BCRs) provide a framework for intra-group personal data transfers. BCRs are internal codes of conduct approved by a lead EU data protection authority that bind all group entities to GDPR-equivalent data protection standards. BCRs are a significant undertaking — approval typically takes 18-36 months and requires detailed documentation of all intra-group data flows, processing activities, and governance arrangements. However, for large trade and logistics groups moving data across multiple non-EEA jurisdictions, BCRs can be more efficient than maintaining SCCs with each individual group entity. BCR approval is granted by the lead supervisory authority of the EEA group entity and is recognised across all EEA member states.

Practical Compliance for Traders and Supply Chain Businesses#

For most trade and supply chain businesses, the practical compliance priority is identifying which personal data flows cross EEA borders and ensuring a valid legal mechanism is in place for each. Start with a data mapping exercise covering customer data (e-commerce orders, delivery details), supplier data (contact names, purchase order information), logistics data (driver details, tracking data shared with carriers), and employee data (HR data for cross-border corporate groups). For each flow, identify the destination country, whether an adequacy decision exists, and if not, whether SCCs are in place with the data importer. Assess whether those SCCs are on the updated 2021 format. Log transfer impact assessments for high-risk transfers. This compliance record is what a supervisory authority will ask to see in any investigation. AskBiz helps trade businesses maintain an organised compliance record for their data transfer obligations.

• International trade generates substantial personal data flows — customer names and addresses, consignee details, supplier contact information, employee data across corporate groups.
• GDPR restricts transfers of this data outside the European Economic Area unless specific safeguards are in place.
• UK businesses transferring data between their UK and EU operations, or sharing logistics and supply chain data with non-EEA partners, face ongoing compliance obligations.