Cross-Border DPIA Scenarios

Real-world situations requiring specialist cross-border data protection impact assessment. Each scenario involves multiple jurisdictions, divergent legal frameworks and international data transfers.

Cross-Border AI

Artificial intelligence systems with training, processing and deployment across multiple jurisdictions.

Description

Large language models (LLMs), generative AI systems and data processing for distributed training across global data centres. Includes processing centres in the US, EU, Asia and CPLP.

Typical Jurisdictions

USA, EU, UK, Singapore, Brazil, Canada, Australia.

Relevant Legal Instruments

Art. 27 AI Act (FRIA for high-risk cross-border AI)
Art. 35 GDPR (mandatory DPIA)
Sectoral regulation (healthcare, finance, education)
Data transfer laws (Schrems II, SCCs, BCRs)

Specific Risks

Training on personal data without adequate cross-jurisdictional consent
Algorithmic bias with differentiated regional impact
Lack of transparency in multinational processing
Conflict between data retention requirements (GDPR vs. local law)
Real-time AI Act compliance during deployment

Mitigation Measures

Integrated DPIA with FRIA (Art. 27 AI Act)
Complete mapping of data flows and processing
Data Privacy by Design in global architecture
Multinational governance with clear jurisdiction responsibilities
Periodic technical audit of cross-border models

Request Cross-Border AI DPIA →

Cloud Computing & Data Centres

Multi-region infrastructure, distributed deployment and hyperscalers (AWS, Azure, GCP).

Description

Personal data stored and processed across data centres spanning continents. Includes automatic replication, cross-site backup and dynamic traffic routing. Hyperscalers like AWS, Microsoft Azure, Google Cloud with global presence.

Typical Jurisdictions

USA (Virginia, N. California), EU (Frankfurt, Dublin, Amsterdam), Asia (Singapore, Tokyo), Brazil.

Relevant Legal Instruments

Schrems II (2020) — invalidated Privacy Shield; SCCs under scrutiny
Art. 44-49 GDPR (international transfers)
LGPD Brazil — restrictions on third-country transfers
UK GDPR adequacy decisions post-Brexit

Specific Risks

EU personal data stored in surveillance zones (USA, China)
Insufficient technical safeguards post-Schrems II
Impossibility of locating data precisely ("data somewhereness")
Access by local authorities without notification mechanisms
SLAs that don't guarantee processing jurisdiction or residency

Mitigation Measures

Rigorous SCC assessment with technical addenda (encryption, segregation)
Supplementary Measures (SMPs) — end-to-end encryption, keys held in EU
Data residency requirements in contracts (e.g., PT data never leaves Frankfurt)
Technical audit of data centre (ISO 27001, SOC 2 Type II)
Clear documented exit strategy and data portability

Request Cloud & Schrems II DPIA →

Intragroup Transfers

Consolidation of data between entities of the same multinational group in different countries.

Description

Transfer of personal data (HR, customers, financial) between subsidiaries, branches and Shared Service Centres (SSCs) of a multinational group. Includes HR consolidation, global CRM, unified financial systems.

Typical Jurisdictions

EU (multiple countries), USA, Brazil, Singapore, Australia, Japan.

Relevant Legal Instruments

BCRs — Binding Corporate Rules (Art. 46(2)(b) GDPR)
SCCs — Standard Contractual Clauses (Art. 46(2)(c) GDPR)
LGPD Brazil — contracts between controllers explicitly required
UK GDPR and Singapore PDPA — own transfer regimes

Specific Risks

Inadequate legal basis for transfer (e.g., expired consent)
Outdated or insufficient BCRs for new use cases (AI, analytics)
Lack of cross-border access rights mechanisms
Secondary processing in destination jurisdiction without consent
Conflict between retention policies and local obligations

Mitigation Measures

Audit existing BCRs vs. new use cases (AI, profiling)
Update SCCs with technical and organisational addenda
Clear Data Processing Agreements with roles and responsibilities
Centralised governance with local compliance
Facilitated access rights mechanisms (e.g., centralised portal)

Request Intragroup Transfer DPIA →

Global HR Systems

Centralised platforms for human resources management across multiple international branches.

Description

Human Resources Information Systems (HRIS) such as Workday, SAP SuccessFactors, Oracle HCM with people analytics, talent management, background checks and performance monitoring. Data processed centrally (e.g., USA) with local entity access.

Typical Jurisdictions

EU (local HQ), USA (SaaS provider), Brazil (subsidiary), Asia (operations).

Relevant Legal Instruments

Art. 35 GDPR (mandatory DPIA for large-scale processing)
Art. 88 GDPR (processing in employment context)
LGPD Brazil — consent for background checks
National employment privacy laws (Germany, France, Italy)

Specific Risks

Transfer of sensitive HR data to USA without safeguards
People analytics (behavioural profiling) without adequate consent
Cross-border background checks without explicit authorisation
Productivity monitoring without respect for local labour rights
Lack of anonymisation in cross-border analytics reports

Mitigation Measures

DPIA specific to people analytics with country-disaggregated data
Explicit consent for each processing type per jurisdiction
Data residency or pseudo-anonymisation of sensitive data
Retention policies aligned with local labour rights
Technical audit of access and data segregation by entity

Request Global HR Systems DPIA →

CPLP Operations

Expansion of operations in CPLP countries with developing data protection regimes.

Description

Personal data processed and transferred in Angola, Mozambique, Timor-Leste, Guinea-Bissau, São Tomé and Príncipe with less mature regulatory requirements. Portugal as GDPR compliance gateway; Brazil under LGPD with comparable protection standards.

Typical Jurisdictions

Angola (Lei 22/11), Mozambique, Timor-Leste (no specific law yet), Guinea-Bissau, São Tomé and Príncipe, Brazil (LGPD), Portugal (GDPR).

Relevant Legal Instruments

Lei 22/11 Angola — Data Protection Law
LGPD Brazil — partial interoperability with GDPR recognised
CPLP Conventions — harmonisation agreement in development
Art. 44-49 GDPR — transfers to third countries (no adequacy)

Specific Risks

Absence of EU adequacy decisions for CPLP
Weak enforcement of local data protection laws
Supervisory authorities with limited resources
Intra-CPLP transfers (e.g., Angola → Brazil) with questionable legal basis
Conflicts between local law and GDPR/LGPD

Mitigation Measures

Mapping of CPLP requirements vs. EU/Brazil
SCCs for transfers with local addenda
Robust contractual clauses with local partners
Due diligence of local suppliers and processors
Dual governance (EU oversight + local compliance)

Explore CPLP Markets in Detail →

Global Marketing

Multinational campaigns with cross-border profiling and customer data consolidation.

Description

Global loyalty programmes, coordinated marketing campaigns across regions with customer profile consolidation, cross-border profiling and centralised consent management. Includes email marketing, targeted advertising and behavioural analytics.

Typical Jurisdictions

EU (GDPR), USA (CCPA/CPA), Brazil (LGPD), Singapore, Australia.

Relevant Legal Instruments

Art. 6 GDPR (legal basis for profiling and marketing)
Art. 21 GDPR (right to object to direct marketing)
CCPA/CPA — opt-out rights
LGPD Brazil — consent for behavioural profiling
ePrivacy Directive (email, SMS)

Specific Risks

Profile consolidation without explicit consent per jurisdiction
Propensity scoring without notice or consent
Discriminatory profiling with differentiated regional impact
Cross-border sharing with marketing partners without transparency
Inability to exercise rights (object, access) globally

Mitigation Measures

Granular, revisable consent per marketing type and jurisdiction
Central Consent Management Platform (CMP) with multi-jurisdiction support
Clear transparency in profiling (e.g., "Why see this ad?")
Data minimisation — only essential data for campaign
Facilitated global rights exercise (access, object)

Request Global Marketing DPIA →

Multinational CCTV

Networks of cameras and surveillance systems with facial recognition across multiple international facilities.

Description

Integrated CCTV systems across multiple countries with centralised storage, facial recognition, biometrics and analytics. Includes offices, shops, warehouses, critical facilities in EU, USA, Brazil and Asia.

Typical Jurisdictions

EU (GDPR), USA (no federal law), Brazil (LGPD), China (heavily regulated surveillance), Singapore.

Relevant Legal Instruments

Art. 35 GDPR (mandatory DPIA for facial recognition CCTV)
Art. 9 GDPR (biometric data — restricted legal bases)
EDPB Guidelines 3/2019 — videovigilance
National CCTV laws (e.g., Lei 1/2005 Portugal)
LGPD Brazil — consent for biometric data

Specific Risks

Facial recognition without consent or adequate legal basis
Centralised storage in different jurisdiction from capture
Cross-matching with other databases (police, immigration)
Biased algorithms (e.g., less accurate for minorities)
Lack of access and correction mechanisms for biometric data

Mitigation Measures

DPIA specific to facial recognition per jurisdiction
Explicit legal basis (legitimate interest, consent, law)
Segregation of biometric data (encryption, restricted access)
Visible transparency on-site (signage, privacy notice)
Short retention; anonymisation or deletion after period
Periodic algorithm audit for bias

Request Multinational CCTV DPIA →

International Fintech

Financial services with open banking, credit scoring and AML/KYC compliance across multiple jurisdictions.

Description

Fintech platforms with bank account access (open banking), automated credit scoring, customer due diligence (KYC) and anti-money laundering (AML) compliance. Data processed across multiple regions with complex regulatory compliance.

Typical Jurisdictions

EU (GDPR, PSD2, MiFID II), USA (GLBA), Brazil (LGPD, Central Bank), Singapore, Australia.

Relevant Legal Instruments

Art. 35 GDPR (mandatory DPIA for credit scoring)
PSD2 — open banking compliance
FATF Recommendations — international KYC/AML
LGPD Brazil — consent for credit scoring
National banking guidelines (e.g., Banco de Portugal)

Specific Risks

Credit scoring without decision explanation
Bank data sharing without adequate consent
AML/KYC compliance conflicting with GDPR (limited access rights)
Financial data transfers to third countries without adequacy
Algorithmic bias in credit decisions by demographics/region

Mitigation Measures

DPIA integrated with regulatory compliance (AML/KYC)
Explainability of automated decisions (Art. 22 GDPR)
Granular consent for bank data sharing
Data minimisation in KYC (only necessary data)
Audit credit scoring algorithms for bias
Robust SCCs for international transfers with encryption

Request International Fintech DPIA →

Comparative Table: Cross-Border DPIA Scenarios

Scenario	Primary Risk	GDPR Legal Basis	DPIA Priority
Cross-Border AI	Training without consent; algorithmic bias	Art. 27 AI Act + Art. 35 GDPR	Critical
Cloud Computing	Storage in surveillance jurisdiction	Art. 44-49 GDPR (Schrems II)	Critical
Intragroup Transfers	Outdated BCRs; weak legal basis	Art. 46(2)(b) GDPR (BCRs)	High
Global HR Systems	People analytics without consent	Art. 35 + Art. 88 GDPR	High
CPLP Operations	Weak enforcement; no EU adequacy	Art. 44-49 GDPR (SCCs)	High
Global Marketing	Cross-border profiling; weak consent	Art. 6 + Art. 21 GDPR	Medium
Multinational CCTV	Facial recognition without consent	Art. 35 + Art. 9 GDPR	Critical
International Fintech	Credit scoring without explanation; AML/GDPR conflict	Art. 22 + Art. 35 GDPR	High

Next Step: Complete DPIA

Each of these scenarios requires a specialist DPIA. Identify your scenario and contact us for a focused assessment.

Request DPIA for Your Scenario →

Cross-Border DPIA Scenarios

Cross-Border AI

Description

Typical Jurisdictions

Relevant Legal Instruments

Specific Risks

Mitigation Measures

Cloud Computing & Data Centres

Description

Typical Jurisdictions

Relevant Legal Instruments

Specific Risks

Mitigation Measures

Intragroup Transfers

Description

Typical Jurisdictions

Relevant Legal Instruments

Specific Risks

Mitigation Measures

Global HR Systems

Description

Typical Jurisdictions

Relevant Legal Instruments

Specific Risks

Mitigation Measures

CPLP Operations

Description

Typical Jurisdictions

Relevant Legal Instruments

Specific Risks

Mitigation Measures

Global Marketing

Description

Typical Jurisdictions

Relevant Legal Instruments

Specific Risks

Mitigation Measures

Multinational CCTV

Description

Typical Jurisdictions

Relevant Legal Instruments

Specific Risks

Mitigation Measures

International Fintech

Description

Typical Jurisdictions

Relevant Legal Instruments

Specific Risks

Mitigation Measures

Comparative Table: Cross-Border DPIA Scenarios

Next Step: Complete DPIA

Cross-Border Scenario? Contact Us