GDPR Scenario · Pressure Signal: Convenience

Just Send Me the Spreadsheet

A colleague in the San Diego office needs the EU customer file for a project — today. It’s right there in your inbox. It’s internal. It’s just a colleague. Attaching it would take ten seconds. Do you?

Quick Answer

Can you email EU personal data to a colleague in another country?

Not without checking first. Moving EU personal data outside the EU — including to a US colleague or a US-hosted tool — is a cross-border transfer that carries obligations regardless of who receives it. “It’s internal” doesn’t exempt it, and informal tools may lack transfer safeguards altogether. The right move is to use an approved system or transfer mechanism, or ask your DPO before you send. A five-minute check beats an unlawful transfer you can’t take back.

The Pressure Signal: Convenience

The fastest path is to attach and send. The obligation is invisible — there’s no border guard on an email, no warning when a file leaves the continent. It’s just a helpful favor for a colleague, done in seconds. Convenience wins precisely because the rule it’s breaking can’t be seen in the moment.

The Situation

Joost is an analyst at Velsenhoff Medical in the Netherlands. A colleague at the San Diego office pings him: they’re pulling together a project deck and need the EU customer dataset — names, contacts, account details — by the end of the day. “Just send me the spreadsheet, whatever’s easiest.”

The file is sitting in Joost’s inbox. He could attach it and reply in under a minute. It’s the same company. It’s a trusted colleague. It’s for an internal project, not the public. The thought “is there a process for this?” flickers — and gets crowded out by the deadline and the sheer ease of just hitting reply.

Three Ways People Respond

1. Just send it.

It’s internal, it’s a colleague, it’s faster. Why it fails: sending EU personal data to the US is a cross-border transfer with real obligations — regardless of the recipient. “Internal” doesn’t exempt it, and an ad hoc email may lack the safeguards a lawful transfer requires.

2. Strip the names and send a “clean” version.

Delete the obvious identifiers first. Why it fails: removing names usually isn’t true anonymization — if the data can still be tied back to people, it’s still personal data, and a rushed scrub is a false comfort that can leave plenty re-identifiable.

3. Pause and use the approved route.

Check whether the transfer is covered — approved system, sanctioned tool, valid mechanism — or ask the DPO before sending. Why it works: see below.

The Right Call

Recognize that sending personal data across a border is a regulated act, and route it the approved way: use the sanctioned system or transfer mechanism the company already has, share only what the project actually needs, and if you’re unsure whether the transfer is covered, ask the DPO before you send. The deadline can usually absorb a five-minute check; it can’t absorb an unlawful transfer that’s already gone.

A helpful reply to the colleague: “Happy to get you this — let me send it through the approved channel, so we’re clean on the EU-to-US transfer. Five minutes.” Same outcome, no exposure.

Why It’s Harder Than It Looks

It genuinely is just a colleague. The deadline is now. The rule feels abstract and far away, while the favor is concrete and immediate. And everyone shares files like this all day — nothing about attaching a spreadsheet feels like “exporting regulated data across an international border.” But that’s exactly what it is. The transfer obligation doesn’t announce itself, which is why the lawful habit has to be built in advance: pause before personal data leaves the region.

“I’d never illegally export people’s data.”

Of course not — but nobody thinks of replying to a colleague with an attachment as “exporting data across a border.” That’s precisely why it happens. The unlawful transfer doesn’t look like a transfer. It looks like being helpful and fast.

How to Run This With Your Team

Take 10–15 minutes. Read the situation, then ask: “A trusted colleague needs the file today — do you just send it?” Most people’s honest first answer is yes, because it’s so ordinary. That’s the lesson. Then make the invisible rule visible: this is a cross-border transfer, and there’s an approved way to do it.

Close on the habit: pause before personal data leaves the region; use the approved channel; ask the DPO when unsure. Available as a manager-led Decision Brief™.

Related

Go deeper with GDPR compliance training, browse the full GDPR scenario library, or see the US-side companion in the Data Privacy & CCPA scenarios. (GDPR governs EU personal data; CCPA/CPRA governs California residents’ data.)

Frequently Asked Questions

Is sending data to a colleague abroad really a “transfer”?

Yes. Moving EU personal data outside the EU is a cross-border transfer with its own requirements — even if the recipient is a colleague in the same company and it’s for internal use.

Does uploading to a US-based cloud or AI tool count?

It can. If EU personal data ends up stored or processed on infrastructure outside the EU, the transfer rules can apply — and informal tools often lack the safeguards a lawful transfer needs. Use only approved systems.

Can I just remove the names to be safe?

Usually not enough. If the data can still be linked back to individuals, it’s still personal data. Rushed de-identification is a common false comfort — check with your DPO rather than assuming a file is anonymous.
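The point behind option 2 above and this FAQ answer, as an added illustration that is not part of the original scenario: a small check run over a constructed sample of an "EU customer file" shows that dropping the name column leaves direct identifiers (email, account id) in place, and that even after those are dropped the remaining quasi-identifiers still single people out (k-anonymity of 1), so the file is still personal data. The data, column names and threshold are assumptions, not from the page.

```python
from collections import Counter

# Constructed sample rows (hypothetical, not real customers).
CUSTOMERS = [
    {"name": "A. de Vries", "email": "a.devries@example.nl", "account_id": "EU-1001",
     "postcode": "1012 AB", "city": "Amsterdam", "plan": "enterprise"},
    {"name": "B. Jansen", "email": "b.jansen@example.nl", "account_id": "EU-1002",
     "postcode": "3011 AD", "city": "Rotterdam", "plan": "basic"},
    {"name": "C. Bakker", "email": "c.bakker@example.nl", "account_id": "EU-1003",
     "postcode": "3011 AD", "city": "Rotterdam", "plan": "basic"},
    {"name": "D. Visser", "email": "d.visser@example.nl", "account_id": "EU-1004",
     "postcode": "2511 CV", "city": "Den Haag", "plan": "enterprise"},
]

# Columns that identify a person on their own (assumed list for this sample).
DIRECT_IDENTIFIERS = {"name", "email", "account_id"}
# Columns that identify a person in combination (assumed list for this sample).
QUASI_IDENTIFIERS = ("postcode", "city", "plan")


def strip_columns(rows, columns):
    """Option 2's 'clean version': drop only the listed columns, keep the rest."""
    return [{k: v for k, v in row.items() if k not in columns} for row in rows]


def k_anonymity(rows, quasi_ids):
    """Smallest group size when rows are grouped by their quasi-identifier values.
    k == 1 means at least one row is unique and so can be tied back to one person."""
    groups = Counter(tuple(row.get(q) for q in quasi_ids) for row in rows)
    return min(groups.values()) if groups else 0


def check_before_sending(rows, quasi_ids=QUASI_IDENTIFIERS, k_min=2):
    """Return (ok, reason). ok is False if any direct identifier survives or the
    quasi-identifiers still single people out; a False result means the file is
    still personal data and must go through the approved transfer route."""
    remaining = sorted(c for c in DIRECT_IDENTIFIERS if any(c in row for row in rows))
    if remaining:
        return False, "direct identifiers still present: " + ", ".join(remaining)
    k = k_anonymity(rows, quasi_ids)
    if k < k_min:
        return False, f"rows still re-identifiable: k-anonymity {k} < {k_min}"
    return True, f"k-anonymity {k} over {quasi_ids}"


if __name__ == "__main__":
    print(check_before_sending(strip_columns(CUSTOMERS, {"name"})))
    print(check_before_sending(strip_columns(CUSTOMERS, DIRECT_IDENTIFIERS)))
```

Both calls in the usage block return a False result: the first because email and account id survive the name scrub, the second because two of the four rows are unique on postcode, city and plan.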

Build people who pause before data leaves the region

Run this scenario with your team as a 15-minute Decision Brief™, or explore the full Xcelus approach.


© 2005–2026 Xcelus LLC. All rights reserved. For training and discussion only; not legal advice — route specific questions to your DPO or counsel.