When personal data is transferred outside the European Economic Area (EEA), GDPR Chapter V requires organizations to ensure an adequate level of protection is maintained — through an approved transfer mechanism such as Standard Contractual Clauses (SCCs), an adequacy decision, or Binding Corporate Rules. Following the Schrems II ruling, organizations must also conduct Transfer Impact Assessments (TIAs) before transferring data to countries without an adequacy decision. Your Secure Privacy DPO maps all international transfers, identifies the correct mechanism for each, and keeps your transfer framework compliant as laws and adequacy decisions evolve.
Who Is This For?
Data Protection Officers and privacy managers responsible for GDPR Chapter V international transfer compliance
Legal and compliance teams reviewing vendor contracts involving personal data transfers outside the EEA
IT and procurement teams engaging cloud providers or software vendors based in third countries
Multinational organizations managing cross-border data flows within corporate groups or with international partners
Understanding GDPR Cross-Border Data Transfer Requirements
GDPR Chapter V restricts the transfer of personal data to countries outside the EEA unless the transfer is covered by an approved mechanism or a specific derogation applies. The core principle is that personal data transferred internationally must receive the same level of protection as it would within the EEA — regardless of where the data physically moves. Organizations that transfer personal data to third countries without an appropriate transfer mechanism in place are in direct violation of GDPR and face significant enforcement risk.
GDPR International Data Transfer Mechanisms
GDPR Chapter V provides several lawful mechanisms for international data transfers; the ones most organizations rely on are listed below. Your DPO identifies and implements the correct mechanism for each transfer activity:
| Mechanism | GDPR Article | Description |
|---|---|---|
| Adequacy Decision | Article 45 | Transfer to countries the European Commission has formally determined provide an adequate level of data protection; no additional safeguards required |
| Standard Contractual Clauses (SCCs) | Article 46(2)(c) | Pre-approved contractual terms between the data exporter and importer, updated by the European Commission in 2021 following Schrems II |
| Binding Corporate Rules (BCRs) | Article 47 | Approved internal data protection rules governing transfers within a multinational corporate group; requires supervisory authority approval |
| Codes of Conduct | Article 46(2)(e) | Approved industry codes of conduct with binding commitments from the controller or processor in the third country |
| Certification Mechanisms | Article 46(2)(f) | Approved certification schemes with binding and enforceable commitments applied by the data importer |
| Derogations | Article 49 | Limited, case-by-case exceptions for specific situations such as explicit consent, contract performance, or important public interest; not suitable for systematic or repeated transfers |
Transfer Impact Assessments After Schrems II
Following the Court of Justice of the EU's Schrems II ruling (C-311/18), organizations must conduct a Transfer Impact Assessment (TIA) before transferring personal data to any country that does not benefit from an adequacy decision. The TIA evaluates whether the legal framework of the recipient country undermines the protections provided by the chosen transfer mechanism — and whether supplementary measures are needed to fill any gaps. Your DPO manages the TIA process end-to-end:
Map all international data transfers: Identify every flow of personal data leaving the EEA, including transfers to cloud providers, software vendors, and group entities.
Identify the transfer mechanism for each flow: Confirm which GDPR Chapter V mechanism is in place — or identify transfers that currently lack a lawful basis.
Assess the legal framework of the recipient country: Evaluate the destination country's surveillance laws, data access rights, and rule of law — the core Schrems II assessment.
Evaluate whether supplementary measures are needed: Determine whether the transfer mechanism alone provides effective protection, or whether additional technical, contractual, or organizational measures are required.
Document the assessment and conclusions: Produce a written TIA record that demonstrates the organization's due diligence — essential for accountability under GDPR Article 5(2).
Implement supplementary measures where required: Apply the identified measures before the transfer proceeds or continues.
Schrems II Supplementary Measures for International Transfers
Where a TIA reveals that a transfer mechanism alone does not provide sufficient protection, supplementary measures must be applied. Your DPO advises on the appropriate combination of measures for each transfer:
Technical measures
End-to-end encryption of data before transfer, with the keys held only by the exporter (or another party outside the importer's jurisdiction) so that neither the importer nor authorities in the third country can decrypt the data; pseudonymization where the key or lookup table needed to re-identify data subjects stays with the exporter in the EEA, so that the importer receives no direct identifiers; and split or distributed processing architectures that prevent any single importer from accessing complete personal data sets.
Contractual measures
Additional contractual obligations on the data importer — beyond the standard SCC provisions — including enhanced transparency requirements, notification obligations for government access requests, and restrictions on onward transfers to subprocessors.
Organizational measures
Internal access control policies limiting which personnel in the third country can access personal data, regular transparency reporting by the data importer on government access requests, and documented audit rights for the data exporter.
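As an added illustration, not code from this page or from the Secure Privacy service, the Python below shows the pseudonymization measure in practice: direct identifiers are replaced by a keyed (HMAC-SHA256) pseudonym, the key and the pseudonym-to-identity table stay with the exporter in the EEA, and the importer receives a dataset it can still join on but cannot re-identify. It also shows why an unkeyed hash is not a sufficient measure: a short guess list recovers the plain hash of an e-mail address but not the keyed pseudonym. The record layout, field names, key and function names are assumptions made for the example; the sample records are constructed.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample data (no real people): records as held by the EEA-side exporter.
SAMPLE_RECORDS = [
    {"email": "anna@example.eu", "country": "DE", "plan": "pro", "spend_eur": 120},
    {"email": "Bob@Example.eu", "country": "FR", "plan": "free", "spend_eur": 0},
    {"email": "anna@example.eu", "country": "DE", "plan": "pro", "spend_eur": 45},
]

# Fields that identify a person directly; these must never leave the EEA in the clear.
DIRECT_IDENTIFIERS = ("email",)


def canonical(value: str) -> str:
    """Normalise an identifier so 'Bob@Example.eu' and 'bob@example.eu' map to one pseudonym."""
    return value.strip().lower()


def keyed_pseudonym(key: bytes, value: str) -> str:
    """HMAC-SHA256 pseudonym. Deterministic for a given key, so the importer can still join
    records, but without the key it cannot be reversed, even for guessable inputs."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def unkeyed_hash(value: str) -> str:
    """The weak alternative (plain SHA-256 of the identifier), shown only for contrast."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


class EEAPseudonymizer:
    """Exporter-side component. The secret key and the pseudonym -> identity table are the
    'additional information' that must stay in the EEA; the importer only ever sees the
    output of export_record()."""

    def __init__(self, key=None):
        self.key = key if key is not None else secrets.token_bytes(32)
        self._identities = {}  # pseudonym -> identifying fields, never transferred

    def export_record(self, record: dict) -> dict:
        out = dict(record)
        # Strip every direct identifier and derive one pseudonym from their canonical form.
        identity = {f: canonical(out.pop(f)) for f in DIRECT_IDENTIFIERS if f in out}
        token = keyed_pseudonym(self.key, json.dumps(identity, sort_keys=True))
        self._identities[token] = identity
        out["subject_id"] = token
        return out

    def reidentify(self, token: str):
        """Re-identification is only possible here, on the EEA side, using the retained table."""
        return self._identities.get(token)


def pseudonymize_dataset(records, key=None):
    """Return the exporter (keeps key and table) and the dataset that is shipped to the importer."""
    exporter = EEAPseudonymizer(key)
    return exporter, [exporter.export_record(r) for r in records]


def leaks_direct_identifiers(records) -> bool:
    """Pre-transfer check: refuse to ship anything that still carries a direct identifier."""
    return any(f in r for r in records for f in DIRECT_IDENTIFIERS)


def dictionary_attack(target: str, candidates):
    """What an importer (or anyone holding the dataset) can do without the key: hash guesses
    and compare. Succeeds against an unkeyed hash, fails against the keyed pseudonym."""
    for guess in candidates:
        if unkeyed_hash(canonical(guess)) == target:
            return canonical(guess)
    return None


if __name__ == "__main__":
    exporter, shipped = pseudonymize_dataset(SAMPLE_RECORDS)
    assert not leaks_direct_identifiers(shipped)
    for row in shipped:
        print(row)  # no e-mail field, only subject_id plus the non-identifying attributes
    print("re-identified on EEA side:", exporter.reidentify(shipped[1]["subject_id"]))
```

The check in leaks_direct_identifiers is the gate a transfer pipeline should fail closed on; the importer-side dataset should also be reviewed for indirect identifiers (rare country/plan combinations), which this example does not address.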
Ongoing Monitoring of International Transfer Compliance
The international transfer landscape changes frequently — adequacy decisions are adopted and challenged, SCCs are updated, and court rulings alter the risk profile of transfers to specific countries. Your DPO maintains continuous oversight of your organization's transfer framework, including:
Tracking new and revised adequacy decisions issued by the European Commission
Monitoring SCC updates and ensuring existing contracts are updated within required timeframes
Following relevant court decisions and EDPB guidance that affect the validity of transfer mechanisms
Reviewing TIAs when recipient country laws change in a way that may affect the adequacy of protections
Updating the transfer register in your ROPA (record of processing activities) to reflect any changes to transfer mechanisms or recipients
Frequently Asked Questions
What is the difference between an adequacy decision and Standard Contractual Clauses?
An adequacy decision is a formal determination by the European Commission that a specific country provides an equivalent level of data protection to the EEA — no additional contractual safeguards are required for transfers to that country. Standard Contractual Clauses are pre-approved contractual terms that must be signed between the data exporter and importer when no adequacy decision covers the destination country. SCCs require a Transfer Impact Assessment under Schrems II; adequacy decisions do not.
Does Schrems II mean US data transfers are unlawful?
Not necessarily. The EU-US Data Privacy Framework (adequacy decision adopted in 2023) covers transfers to US organizations that have self-certified under the framework. Transfers to non-certified US entities still require SCCs (or another Article 46 mechanism) together with a Transfer Impact Assessment. Your DPO assesses the correct mechanism for each US transfer on a case-by-case basis, accounting for the recipient's certification status and the nature of the data transferred.
Are Transfer Impact Assessments required for all international transfers?
TIAs are required for transfers to countries without an adequacy decision, where SCCs or another Article 46 mechanism is being used. They are not required where the transfer is covered by an adequacy decision — though your DPO monitors the validity of adequacy decisions and will initiate a TIA if an adequacy decision is suspended or invalidated.
What should an organization do if a TIA reveals that a transfer cannot be adequately protected?
If a TIA concludes that neither the transfer mechanism nor supplementary measures can provide effective protection for the data transferred, the transfer must be suspended or terminated. Your DPO advises on alternative processing arrangements — such as migrating data to an EEA-based processor — and documents the decision and rationale for regulatory accountability purposes.