Last Updated: 21 Oct 2025

Effective Date: 18 September 2023

Issued by: Neobank Capital

Applies to: All employees, subsidiaries, contractors, vendors, and affiliates of Neobank Capital that process personal data across national borders.


1. Purpose

The purpose of this policy is to ensure that all international transfers of personal data carried out by Neobank Capital comply with applicable data protection laws, including but not limited to:

  1. The EU General Data Protection Regulation (GDPR)
  2. The UK GDPR and Data Protection Act 2018
  3. The Swiss Federal Data Protection Act (FADP)
  4. Relevant U.S. federal and state privacy frameworks
  5. Local data protection laws in countries where Neobank Capital operates or stores data

This policy ensures that personal data is protected regardless of where it is transferred, stored, or processed.


2. Scope

This policy applies to:

  1. All personal data processed by Neobank Capital that is transferred outside of the country or region of collection.
  2. Transfers made by employees, contractors, partners, vendors, or affiliates acting on behalf of Neobank Capital.
  3. Transfers via cloud storage, APIs, blockchain-based processing nodes, customer platforms, or any digital service infrastructure.

3. Policy Statement

Neobank Capital is committed to ensuring that all cross-border data transfers maintain an equivalent level of protection to that required by the GDPR and other relevant regulations.

All international transfers must be:

  1. Lawful — based on a valid legal mechanism recognized under the applicable law.
  2. Secure — protected with adequate technical and organizational safeguards.
  3. Transparent — fully documented within the company’s Records of Processing Activities (ROPA).
  4. Limited — conducted only when necessary for legitimate business or compliance purposes.

4. Definitions

  1. Personal Data: Any information relating to an identified or identifiable natural person.
  2. Data Transfer: Any movement, copying, or remote access of personal data to a jurisdiction outside the one where it was originally collected.
  3. Adequacy Decision: A European Commission determination that a country ensures an adequate level of data protection.
  4. Transfer Mechanism: A legal basis or contractual instrument used to legitimize a cross-border transfer (e.g., Standard Contractual Clauses).

5. Legal Transfer Mechanisms

Neobank Capital ensures all international transfers are conducted under one of the following approved legal frameworks:

5.1 Adequacy Decisions

Transfers to countries officially recognized by the European Commission (or UK ICO/Swiss FDPIC) as providing adequate data protection are permitted without additional authorization.

5.2 Standard Contractual Clauses (SCCs)

For transfers to countries without adequacy status (e.g., U.S., India, Singapore), Neobank Capital uses the European Commission’s SCCs (2021) or the UK International Data Transfer Addendum.

All SCCs must be signed and monitored by the Data Protection Officer (DPO).

5.3 Binding Corporate Rules (BCRs)

Where applicable, intra-group data transfers between Neobank Capital entities may rely on approved Binding Corporate Rules that ensure a consistent, high level of data protection across jurisdictions.

5.4 Derogations under GDPR Article 49

Occasionally, data may be transferred without SCCs or adequacy, provided the transfer is:

  1. Necessary for contract performance;
  2. Based on explicit consent;
  3. Required for legal claims or regulatory reporting.

Such cases must be exceptional and approved by the DPO.

5.5 U.S. Data Privacy Framework

For transfers to U.S.-based vendors, Neobank Capital prioritizes service providers certified under the EU–U.S. Data Privacy Framework (and UK/Swiss extensions).


6. Roles and Responsibilities

| Role | Responsibility |
| --- | --- |
| Data Protection Officer (DPO) | Approves and documents all cross-border transfers, ensures compliance with GDPR and adequacy mechanisms. |
| Legal & Compliance Team | Drafts and maintains SCCs, DPAs, and relevant international transfer agreements. |
| IT & Security Department | Implements encryption, access control, and network segmentation to secure transfers. |
| Third-Party Vendors | Must comply with Neobank Capital’s Data Protection Addendum (DPA) and demonstrate lawful transfer mechanisms. |
| Employees | Must not initiate or authorize transfers without prior DPO approval. |


7. Technical and Organizational Safeguards

Neobank Capital employs the following protection measures for all international transfers:

  1. End-to-end encryption (AES-256) during transmission and storage.
  2. Zero-trust access controls with MFA and least-privilege principles.
  3. Data localization and segmentation, ensuring personal data remains within compliant cloud regions whenever possible.
  4. Anonymization or pseudonymization for data analytics and AI processing.
  5. Continuous vendor risk assessments before onboarding any international service provider.
  6. Transfer Impact Assessments (TIAs) conducted for each non-adequate country.

8. Transfer Impact Assessments (TIAs)

Before any transfer to a third country without an adequacy decision, Neobank Capital performs a Transfer Impact Assessment that includes:

  1. The nature of the data being transferred.
  2. The legal environment of the recipient country.
  3. The technical and organizational controls in place.
  4. The likelihood of access by foreign authorities.
  5. Potential mitigation or supplementary measures.

TIAs are reviewed by the DPO and maintained in the compliance documentation system.


9. Data Subject Rights

Individuals whose personal data is transferred internationally retain all data protection rights, including:

  1. The right to be informed about transfers;
  2. The right to access, rectify, or erase their data;
  3. The right to withdraw consent (if applicable);
  4. The right to lodge complaints with their local data protection authority.

Neobank Capital ensures that these rights remain enforceable regardless of transfer location.


10. Recordkeeping and Documentation

All cross-border data transfers are logged in Neobank Capital’s Records of Processing Activities (ROPA) and include:

  1. Transfer purpose and destination country;
  2. Data categories and legal basis;
  3. Transfer mechanism (e.g., SCCs, adequacy, consent);
  4. Retention schedule and security measures.

Documentation must be updated promptly following any change in data flow or vendor relationship.


11. Data Breach Considerations

If a data breach involves information transferred internationally, Neobank Capital will:

  1. Immediately notify the DPO and relevant supervisory authorities;
  2. Evaluate cross-border legal implications;
  3. Cooperate with affected foreign regulators as required under applicable law.

12. Training and Awareness

All staff involved in international data handling receive annual data protection and transfer compliance training, covering GDPR, SCCs, and global privacy principles.


13. Non-Compliance and Enforcement

Failure to comply with this policy may result in disciplinary action, contract termination, or legal liability.

Neobank Capital reserves the right to suspend any international data flow that does not meet compliance standards.


14. Review and Updates

This policy will be reviewed annually or sooner if:

  1. Data transfer mechanisms are updated by regulatory authorities;
  2. New jurisdictions are added to Neobank Capital’s operations;
  3. New international vendors or technologies are adopted.

15. Contact Information

Data Protection Officer (DPO)

📧 privacy@neobank.capital

📍 Neobank Capital – Global Privacy Office

2355 116 74, Stockholm, Sweden

...