You use a US-based enrichment tool to fill in your prospect lists. You sync your data with a CRM hosted in the United States. You share enriched contact files with a partner agency outside the European Union.
In each of these cases, you’re carrying out an international transfer of enriched data — and you’re subject to specific legal obligations under the GDPR. In 2025, fines related to non-compliant data transfers surpassed €1 billion across Europe, including €530 million issued to TikTok and €325 million to Google by data protection authorities. EU supervisory authorities also recorded a 107% increase in sanctions between 2023 and 2024.
This is no longer a topic reserved for legal teams. It’s an operational issue for every sales, growth, or ops team that enriches B2B data.
This guide explains what international transfers of enriched data actually are, why they’re a risk in standard B2B workflows, and how to get compliant without grinding your prospecting to a halt.
What Is an International Transfer of Enriched Data?
Let’s start with a clear definition, because many B2B teams don’t realize they’re doing this.
Under GDPR (Article 44 and Chapter V), an international data transfer covers any communication, copy, or movement of personal data that is intended to be processed in a country outside the European Union or the European Economic Area (EEA — which includes Norway, Iceland, and Liechtenstein).
In a B2B context, enriched data refers to personal data that has been completed or generated through an enrichment process: professional email address, phone number, job title, company size, tech stack, and so on. These data points remain personal data under the GDPR — even when they relate to someone in their professional capacity.
An international transfer of enriched data happens whenever:
- Your enrichment tool (Apollo, Clearbit, ZoomInfo, etc.) processes data on servers located outside the EU
- You export an enriched list to a partner, agency, or subsidiary based in the US, India, or any non-EEA country
- Your CRM (HubSpot, Salesforce) stores your enriched data on US servers without appropriate safeguards in place
- You use an automation tool (Zapier, Make) that routes your data through non-European servers
What most teams miss: even temporary processing of your data in a third country counts as a transfer — no physical file export required.
Why Enriched Data Transfers Put B2B Teams at Risk
B2B teams are disproportionately exposed for one simple reason: their tech stack is overwhelmingly American.
A 2025 study by Scalability found that 32% of sales reps’ time is lost contacting bad prospects due to inaccurate or incomplete data. To solve this, teams turn to enrichment tools — most of which are US-based and store their data on American servers.
The problem is structural: every time your prospecting data passes through these tools, it’s subject to an international transfer. Without the right legal mechanism in place, that transfer is non-compliant with GDPR — regardless of how good the data quality is or how well-intentioned your team is.
Three High-Risk Scenarios You Probably Recognize
1. The US enrichment tool without a signed DPA
Emma, Head of Growth at a London-based SaaS startup, uses a US enrichment tool to auto-complete her LinkedIn prospect lists. The tool processes data on AWS servers in Virginia. Emma has never signed a Data Processing Agreement with this vendor. Her company is exposed to a fine for transfers without a legal basis.
2. The unsecured CRM sync
Mike, Sales Manager at a mid-sized manufacturing firm, syncs enriched data from Google Sheets into Salesforce — whose instance is hosted in the United States. Without verifying that Salesforce is certified under the EU-US Data Privacy Framework and without a properly signed DPA, this data flow constitutes a non-compliant transfer.
3. Sharing enriched files with an overseas partner
Sarah, a Sales Ops lead at a lead gen agency, sends weekly enriched prospect lists to a client whose team is based in India. Even sent by email, this file contains personal data subject to GDPR as long as the contacts are EU residents.
All three situations are completely routine. They’re also uncovered international transfers, exposing those companies to fines of up to 4% of global annual turnover or €20 million — whichever is higher.
The Legal Framework in 2026: 3 Authorized Transfer Mechanisms
GDPR Chapter V sets out a precise architecture for governing international data transfers. Three main mechanisms apply to B2B situations.
Mechanism 1: Adequacy Decisions
This is the simplest route. The European Commission has recognized certain countries as providing a level of data protection “substantially equivalent” to EU standards. Data can flow to these countries without additional formalities.
As of January 2026, countries covered by a full adequacy decision include: Andorra, Argentina, Canada (private sector), the Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, Uruguay, and the United Kingdom.
For the United States, a partial adequacy decision was adopted in July 2023 under the EU-US Data Privacy Framework (DPF). It allows transfers to US companies that have self-certified under this framework. Important: DPF certification is voluntary and must be verified on the official DPF registry. If your US tool isn’t listed there, this legal basis doesn’t apply.
Mechanism 2: Standard Contractual Clauses (SCCs)
Where no adequacy decision exists — or your vendor isn’t DPF-certified — the most widely used solution is Standard Contractual Clauses updated by the European Commission in June 2021. SCCs are a standardized contract between the data exporter (you) and the data importer (your non-EU vendor), legally committing the importer to maintain GDPR-equivalent protections.
Most major US vendors (AWS, Google Cloud, Microsoft Azure, HubSpot, Salesforce) include SCCs in their Data Processing Agreements. You need to sign them — and document that signature in your records of processing activities.
Mechanism 3: Binding Corporate Rules (BCRs)
BCRs primarily apply to multinational groups transferring data internally between entities in different countries. They require prior approval from the competent supervisory authority. This mechanism is more complex to set up but provides global coverage for multi-entity groups.
For most B2B teams — startups, SMEs, agencies — SCCs embedded in a DPA are the pragmatic solution.
Practical Scenarios: When Your Enrichment Workflow Triggers a Transfer
Now that the framework is clear, here’s how these rules play out in real B2B situations.
Scenario 1: Using a US-Based Enrichment Tool
Situation: you use a tool with US-based servers to enrich your lists (professional email, phone, company data).
What to check:
- Is the tool registered under the DPF? (Verify on the official registry)
- Have you signed a DPA including SCCs with this vendor?
- Does the tool provide a list of its sub-processors?
What to do: Sign the DPA available in the vendor’s legal documentation, and document this legal basis in your records of processing activities (mandatory for companies with 250+ employees, recommended for smaller ones).
Scenario 2: Sharing Enriched Data with an Overseas Partner
Situation: you send enriched contact lists to a commercial partner based in the UK, India, or the US.
What to check:
- UK: adequacy decision in place since 2021 (maintained as of January 2026) — a DPA is sufficient
- US: verify whether your partner is DPF-certified; if not, SCCs are required
- India: no adequacy decision — SCCs are mandatory
What to do: never transfer enriched lists to a third party without a contract that includes the appropriate safeguards.
Scenario 3: Automating Workflows via Zapier or Make
Situation: your enriched data flows through an automation platform (Zapier, Make) that routes it to your CRM or email sequences.
Automation platforms are themselves sub-processors under GDPR. They can introduce additional international transfers if they use US servers or rely on non-EEA sub-processors.
What to do: review each automation tool’s data processing terms, ensure a DPA is in place, and check their list of sub-processors (typically available in their compliance documentation).
For more on best practices around contact data management and enrichment workflows, check out our guide on B2B database enrichment.
How to Make Your Enriched Data Transfers Compliant: Step-by-Step
Here’s a structured method to audit and secure your international transfers without disrupting your operations.
Step 1: Map Your Enriched Data Flows
List every tool that receives, processes, or transmits your enriched prospecting data. For each tool, note:
- The vendor name and the country where servers are hosted
- The types of data processed (email, phone, company data)
- Whether a signed DPA is in place
Expected output: a clear map of your data flows, identifying all existing international transfers.
Step 2: Identify the Legal Basis for Each Transfer
For each transfer identified, apply the following framework:
- Does the destination country have an adequacy decision? → Transfer covered
- Is the US vendor DPF-certified? → Transfer covered
- Neither? → SCCs required, to be included in the DPA
Step 3: Sign (or Request) a DPA from Each Vendor
A Data Processing Agreement is mandatory whenever a service provider processes personal data on your behalf. For transfers outside the EU, this DPA must incorporate appropriate safeguards (SCCs or DPF reference).
Most reputable vendors offer a DPA online. If your vendor doesn’t, that’s a red flag.
Step 4: Run a Transfer Impact Assessment (TIA) Where Needed
A Transfer Impact Assessment is recommended by the EDPB to evaluate whether contractual safeguards (SCCs) are actually sufficient, given the laws of the destination country — particularly where that country grants its authorities broad data access rights.
In practice, a TIA is needed when transferring data to countries whose surveillance legislation is deemed incompatible with EU standards (China, Russia, and potentially the US for certain sensitive processing activities).
Step 5: Document Everything and Keep Records Updated
Your compliance effort is only as solid as its documentation. Your records of processing activities should note, for each processing activity that involves an international transfer:
- The legal basis for the transfer
- The mechanism used (adequacy decision, SCCs, DPF)
- The contact details of the data controller in the destination country
- The reference to the signed DPA
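To make Steps 1 to 5 concrete, here is an added example (not code from the article or from Derrick) in Python: a small transfer-register checker that applies the Step 2 decision tree to a constructed tool inventory, walks sub-processors as Mistake 3 requires, and flags a TIA for the destinations named in Step 4. The adequacy set mirrors the article's January 2026 list; the country codes (with "EU" standing in for any member state), the vendor rows and their DPA/DPF status are constructed assumptions, not real vendors' status.

```python
from dataclasses import dataclass, field

EEA = {"EU", "NO", "IS", "LI"}  # "EU" stands in for any member state (assumption)
ADEQUATE = {"AD", "AR", "CA", "FO", "GG", "IM", "IL", "JE", "NZ", "CH", "UY", "GB"}  # article's Jan 2026 list
TIA_COUNTRIES = {"CN", "RU"}  # destinations the article names as needing a TIA (Step 4)

@dataclass
class Tool:                       # one row of the Step 1 data-flow map
    name: str
    country: str                  # where the vendor processes the data (constructed code)
    data_types: tuple
    dpa_signed: bool = False
    dpf_certified: bool = False   # only meaningful for US vendors; check the DPF registry
    sccs_in_dpa: bool = False
    sub_processors: list = field(default_factory=list)  # nested Tool objects

def legal_basis(tool):
    """Step 2 decision tree: return (mechanism, open action) for one flow."""
    dpa_gap = "none" if tool.dpa_signed else "sign DPA"
    if tool.country in EEA:
        return "not a transfer (EEA)", dpa_gap          # Article 28 DPA still required
    if tool.country in ADEQUATE:
        return "adequacy decision", dpa_gap
    if tool.country == "US" and tool.dpf_certified:
        return "EU-US DPF", dpa_gap
    if tool.dpa_signed and tool.sccs_in_dpa:
        return "SCCs", "run TIA" if tool.country in TIA_COUNTRIES else "none"
    return "none", "sign DPA including SCCs"

def audit(tools, chain=()):
    """Walk the inventory and its sub-processors; return Step 5 register rows."""
    rows = []
    for t in tools:
        path = chain + (t.name,)
        mechanism, action = legal_basis(t)
        rows.append({"flow": " -> ".join(path), "country": t.country,
                     "data": t.data_types, "mechanism": mechanism, "action": action})
        rows.extend(audit(t.sub_processors, path))   # second-level flows are transfers too
    return rows

INVENTORY = [  # constructed sample inventory, not real vendors' status
    Tool("Enrichment tool", "US", ("email", "phone")),                      # no DPA, not on DPF
    Tool("CRM", "US", ("email", "company"), dpa_signed=True, dpf_certified=True),
    Tool("Partner agency", "IN", ("email",), dpa_signed=True, sccs_in_dpa=True,
         sub_processors=[Tool("Analytics vendor", "CN", ("email",), dpa_signed=True, sccs_in_dpa=True)]),
]

def open_actions(tools=INVENTORY):
    return [r for r in audit(tools) if r["action"] != "none"]   # the compliance to-do list
```

Each row of audit() carries the mechanism and the remaining action, which is what the records of processing activities in Step 5 need per transfer.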
For best practices on email list verification and data hygiene, see our guide on email list verification and cleaning.
Mistakes to Avoid — and Their Real Impact
Mistake 1: Assuming B2B Data Isn’t Personal Data
Impact: many teams believe that professional emails (firstname.lastname@company.com) or job titles fall outside GDPR scope. They don’t. Any data that directly or indirectly identifies a living individual is personal data under GDPR — including in a business context.
Fix: treat every B2B contact data point as personal data and apply compliance rules accordingly.
Mistake 2: Not Verifying DPF Registration
Impact: many teams assume their US vendors are compliant because they display “GDPR compliant” on their website. DPF registration is voluntary and can be revoked. If your tool is no longer listed, the legal basis for your transfer disappears.
Fix: periodically verify on dataprivacyframework.gov that your US vendors remain registered.
Mistake 3: Forgetting Sub-Processors
Impact: your enrichment tool may itself rely on sub-processors located outside the EU for certain operations (storage, analytics, AI processing). These second-level flows are also international transfers that need to be covered in your contractual chain.
Fix: require your vendors to provide a full list of sub-processors, and verify that each is covered by appropriate safeguards.
Mistake 4: Treating Compliance as a One-Time Project
Impact: the legal framework evolves constantly — adequacy decisions are reviewed, the EDPB issues new guidance, enforcement intensifies. Compliance built in 2023 may no longer be sufficient in 2026.
Fix: build an annual review of your international data transfers into your data governance processes, and monitor updates from the ICO and EDPB to stay ahead of regulatory changes.
Key Takeaways
- Any transfer of enriched personal data to a country outside the EU/EEA must rest on a legal mechanism: adequacy decision, EU-US DPF, or Standard Contractual Clauses.
- A signed DPA with every vendor processing your data is mandatory — whether they’re based in Europe or not.
- Professional emails, phone numbers, and B2B contact data are personal data subject to GDPR.
- EU data protection authorities recorded a 107% increase in sanctions between 2023 and 2024 — the enforcement risk is real, even for startups and SMEs.
- Mapping your enriched data flows is the essential starting point for any compliance effort.
- Regularly verify that your US vendors remain registered under the Data Privacy Framework.
For a broader look at B2B data compliance and GDPR-compliant prospecting practices, our GDPR compliance glossary page covers the key concepts.
You can also explore the full list of enrichment workflows available through the Derrick data enrichment hub.
Conclusion: Compliance and Performance Aren’t Mutually Exclusive
International transfers of enriched data aren’t a concern reserved for enterprise legal teams. They apply to every startup, SME, and B2B agency that enriches data using tools whose servers aren’t located in Europe.
The good news: getting compliant doesn’t mean abandoning your tools or slowing down your prospecting. It means identifying which flows are at risk, signing missing DPAs, and documenting your legal bases. A few days of work that protects you durably.
And if you want to keep full control over your enriched data by working directly in an environment you own, Derrick enriches your B2B lists — emails, phone numbers, LinkedIn data — without ever leaving Google Sheets.
FAQ
What counts as an international transfer of enriched data?
Any movement of personal data — including B2B contact information like professional emails, phone numbers, or job titles — to a country outside the EU and EEA, where that data will be processed. Using an enrichment tool whose servers are based in the US qualifies as an international transfer under GDPR.
Is my US enrichment tool GDPR-compliant?
Check two things: is the tool registered under the EU-US Data Privacy Framework (verify at dataprivacyframework.gov)? Does it offer a Data Processing Agreement with Standard Contractual Clauses? If both answers are yes, the transfer has a legal basis. If not, you’re exposed to compliance risk.
Do I need a DPA even with a European vendor?
Yes. A Data Processing Agreement is mandatory whenever a service provider processes personal data on your behalf, regardless of their location. It defines each party’s responsibilities and is required under Article 28 of the GDPR.
Does GDPR apply to professional contact data?
Yes. Any data that directly or indirectly identifies a natural person is personal data under GDPR — including in a B2B context. A professional email address, a direct phone number, or a LinkedIn profile URL are all personal data covered by the regulation.
What fines can non-compliant transfers lead to?
Data protection authorities can issue fines of up to €20 million or 4% of global annual turnover, whichever is higher. In 2025, TikTok was fined €530 million — partly for transferring data to China without sufficient legal basis.