- Transferring personal data to third countries outside the EEA is only permissible if an adequate level of protection is ensured. Chapter V of the GDPR governs the permissible transfer mechanisms.
- Adequacy decisions by the EU Commission are the simplest route: for countries with an adequacy decision, the same rules apply as for intra-EEA transfers.
- Standard Contractual Clauses (SCC) are the most common transfer mechanism in practice. Since 2021, the new modular SCC from the EU Commission apply.
- Following the Schrems II ruling by the CJEU, a Transfer Impact Assessment (TIA) is mandatory: you must assess whether the third country's law undermines the protection provided by the SCC.
- For transfers to the USA, the EU-US Data Privacy Framework has applied as an adequacy decision since July 2023, provided the US recipient is certified.
Why international data transfer is regulated
The GDPR aims to prevent the European data protection level from being circumvented through the back door. When an organization transfers personal data to a country with a lower level of protection, the best GDPR compliance is worthless if the data is processed there without comparable safeguards.
Chapter V of the GDPR (Art. 44 to 49) therefore governs the conditions under which personal data may leave the European Economic Area (EEA). The basic rule is simple: a transfer to a third country is only permissible if an adequate level of protection is ensured.
In practice, this affects virtually every organization. As soon as you use a US cloud service, send an email to a business partner in India, or process customer data in a CRM system whose servers are in Singapore, an international data transfer takes place.
The three tiers of the transfer mechanism
The GDPR provides for a hierarchical assessment:
Tier 1: Adequacy decision (Art. 45). Does an adequacy decision from the EU Commission exist for the destination country? If yes, the transfer is permissible without further measures.
Tier 2: Appropriate safeguards (Art. 46). If no adequacy decision exists, you can base the transfer on appropriate safeguards, particularly Standard Contractual Clauses (SCC), Binding Corporate Rules (BCR), or approved codes of conduct and certification mechanisms.
Tier 3: Derogations (Art. 49). If neither an adequacy decision nor appropriate safeguards are in place, the transfer is only permissible in narrowly defined exceptional cases — such as explicit consent of the data subject or when the transfer is necessary for contract performance.
Adequacy decisions: The easy route
An adequacy decision is a determination by the EU Commission that a specific third country offers a level of data protection that is "essentially equivalent" to the European level. For countries with an adequacy decision, the same rules apply as for intra-EEA transfers. You need no additional contracts or measures.
Countries with adequacy decisions (as of 2026)
The EU Commission has issued adequacy decisions for the following countries and territories:
- Andorra
- Argentina
- Faroe Islands
- Guernsey
- Israel
- Isle of Man
- Japan
- Jersey
- Canada (for commercial processing under PIPEDA)
- New Zealand
- Republic of Korea (South Korea)
- Switzerland
- Uruguay
- United Kingdom (valid until June 2025, extension expected)
- USA (under the EU-US Data Privacy Framework, since July 2023)
Special case USA: EU-US Data Privacy Framework
The history of data transfers to the USA is a history of failed agreements. Safe Harbor was struck down in 2015 by the CJEU's Schrems I ruling. The Privacy Shield met the same fate in 2020 with the Schrems II ruling. Since July 2023, the EU-US Data Privacy Framework (DPF) applies as the new adequacy decision.
The DPF functions as a self-certification mechanism: US companies that certify themselves with the US Department of Commerce are considered recipients with an adequate level of protection. Certification is publicly viewable on the Data Privacy Framework List (dataprivacyframework.gov).
Important for you: You must verify whether your specific US service provider is certified on the DPF list. Only then can you rely on the adequacy decision. If the provider is not certified, you need a different transfer mechanism (typically SCC).
Risk: Whether the DPF will endure permanently is uncertain. Max Schrems has already announced that he will challenge this agreement before the CJEU as well. It may be prudent to conclude SCC in parallel so that you are not left without a transfer basis if the agreement is struck down again.
Standard Contractual Clauses (SCC): The practical standard
Standard Contractual Clauses are pre-approved contractual clauses from the EU Commission that are agreed between the data exporter (you) and the data importer (your service provider in the third country). They contractually obligate the importer to maintain a data protection level equivalent to the European standard.
The new SCC from 2021
In June 2021, the EU Commission published new, modular SCC that replace the previous SCC from 2001/2004/2010. The new SCC consist of four modules:
| Module | Scenario | Example |
|---|---|---|
| Module 1 | Controller to controller | You transfer customer data to a business partner in Brazil |
| Module 2 | Controller to processor | You use a cloud service with servers in India |
| Module 3 | Processor to sub-processor | Your cloud service outsources to a subcontractor in the Philippines |
| Module 4 | Processor to controller | An EU processor transfers data back to a third-country controller |
You select the module that fits your specific transfer scenario and delete the non-applicable modules.
What to keep in mind with SCC
No substantive changes: The SCC must not be substantively altered. You may fill in annexes and add supplementary clauses (provided they do not conflict with the level of protection), but you must not reword the clauses themselves.
Fill in the annexes completely: The SCC contain annexes where you describe the specific processing: data categories, data subject groups, transfer purpose, retention period, technical and organizational measures of the importer. Empty annexes render the SCC worthless.
Use the docking clause: The new SCC contain a docking clause (Clause 7) that allows additional parties to be added later without re-drafting the entire agreement. This is practical when a new sub-processor is added.
Integrate SCC into the DPA: In practice, the SCC are often agreed as an annex to the data processing agreement (DPA). This is the cleanest solution because DPA and SCC complement each other, and you do not need to manage two separate contracts.
Transfer Impact Assessment: The Schrems II obligation
The Schrems II ruling of the CJEU (C-311/18, 2020) fundamentally changed the rules for international data transfers. The CJEU found that Standard Contractual Clauses alone are not sufficient if the legal order of the third country prevents the importer from complying with the SCC, for example through government surveillance powers that are not subject to effective judicial review. What this specifically means for your ISMS, and what role the CLOUD Act and Schrems II play for hosting compliance data, is a topic in its own right.
It follows: you must conduct a Transfer Impact Assessment (TIA) for every SCC-based transfer.
Transfer Impact Assessment process
Step 1: Assess the legal situation in the third country. What laws in the destination country concern government access to personal data? Are there mass surveillance programs? Are access powers subject to effective judicial review? Do data subjects have enforceable rights?
Step 2: Evaluate authority practices. Laws on paper are one thing, their application another. Are there reports of mass data requests? Are legal restrictions observed in practice?
Step 3: Identify supplementary measures. If the legal situation is problematic, you must assess whether supplementary measures can ensure the level of protection. The European Data Protection Board (EDPB) has defined three categories of supplementary measures in its Recommendations 01/2020:
Technical measures:
- Encryption with key management exclusively in the EEA (the importer has no access to decryption keys)
- Pseudonymization where the mapping table remains exclusively in the EEA
- Split processing where data is divided and processed at different locations
Organizational measures:
- Transparency reports from the importer on government data requests
- Internal policies of the importer on handling government data requests
- Audit rights for the exporter
Contractual measures:
- Obligation of the importer to inform the exporter about government data requests (to the extent legally permitted)
- Obligation of the importer to legally challenge government data requests
- Indemnification of the exporter
Step 4: Document the result. Record the TIA results in writing: which laws did you review, what conclusion did you reach, what supplementary measures did you define, and why are these measures sufficient (or not)?
Step 5: Stop the transfer if necessary. If you conclude that neither the SCC nor supplementary measures can ensure an adequate level of protection, you must not carry out the transfer (or must cease it if already underway).
TIA in practice: USA as an example
For transfers to the USA under the DPF, no TIA is required as long as the recipient is DPF-certified. For transfers to non-certified US recipients on the basis of SCC, the TIA remains mandatory.
The assessment of the US legal situation has improved through the DPF: Executive Order 14086 has restricted surveillance powers and created a redress mechanism (Data Protection Review Court). Whether these improvements are sufficient to justify SCC-based transfers without DPF certification is disputed among data protection experts.
Binding Corporate Rules: For corporate groups
Binding Corporate Rules (BCR) are internal company data protection rules that must be approved by the competent supervisory authority. They are the appropriate transfer mechanism for corporate groups that regularly transfer data between their entities in different countries.
The approval process is extensive (12 to 18 months, sometimes longer) and requires the involvement of multiple supervisory authorities. BCR are therefore primarily relevant for large, international corporations. For SMEs, SCC are usually the more practical route.
Derogations under Art. 49: Last resort
Art. 49 GDPR defines derogations that allow a transfer without an adequacy decision and without appropriate safeguards. These derogations must be interpreted narrowly and must not become the rule:
- Explicit consent: The data subject has explicitly consented after being informed about the risks. For systematic, repeated transfers, consent is unsuitable as a basis.
- Contract performance: The transfer is necessary for the performance of a contract with the data subject. Example: hotel booking in a third country.
- Important reasons of public interest.
- Establishment of legal claims.
- Vital interests.
These derogations are suitable for individual cases, not for systematic business operations. If you regularly transfer data to a third country without an adequacy decision, you need SCC or BCR.
Practical implementation for SMEs
Inventory of data transfers
Start by identifying all international data transfers in your organization. Go through your records of processing activities and check for each processing activity:
- Are data transferred to recipients outside the EEA?
- To which countries?
- On what basis (adequacy decision, SCC, other)?
- Is the basis current and fully documented?
Do not forget indirect transfers: if your cloud provider operates servers in the USA and replicates data there, that is a transfer — even if you have no direct contact with a US company.
Prioritization
Rank the identified transfers by risk:
High: Transfers to countries without an adequacy decision and with problematic surveillance legislation (China, Russia, some Middle Eastern states). Here you need SCC with a TIA and robust supplementary measures.
Medium: Transfers to the USA to non-DPF-certified recipients. SCC with TIA required, but the assessment is easier thanks to Executive Order 14086.
Low: Transfers to countries with an adequacy decision or to the USA to DPF-certified recipients. Documentation required, but no additional measures.
Concluding and maintaining SCC
For each transfer based on SCC:
- Select the correct module (1, 2, 3, or 4)
- Fill in the annexes completely
- Conduct a Transfer Impact Assessment
- Define supplementary measures if necessary
- Agree the SCC with the importer (mutual signature)
- Document everything centrally
- Regularly review whether the legal situation in the third country has changed
Documentation
In ISMS Lite, all data transfers can be documented with destination country, transfer mechanism, and TIA result, so you have everything at hand during a supervisory authority audit. Keep the following information ready for each international data transfer:
- Data exporter and data importer (name, address, contact)
- Destination country
- Transfer mechanism (adequacy decision, SCC, BCR, Art. 49)
- For SCC: module, date of signature, annexes
- For TIA: assessment result, supplementary measures
- Date of last review
Further reading
- Data processing: Reviewing DPAs and evaluating service providers
- Joint controllership under Art. 26: When it applies and what to regulate
- DPIA (Data Protection Impact Assessment): When required and how to conduct one
- Cloud security for SMEs: Responsibility, risks, and measures
- Supplier assessment and security questionnaires
International data transfer is not a topic you settle once and then forget. The legal landscape is dynamic, adequacy decisions can be struck down, and supervisory authority requirements continue to evolve. A systematic process that identifies, assesses, secures, and regularly reviews transfers is the only sustainable solution.
