International Data Transfers

Transfer mechanisms explained — adequacy decisions, SCCs, BCRs, and derogations

7 min read. Updated 26 February 2026

The GDPR restricts the transfer of personal data to countries outside the European Economic Area (EEA) unless adequate safeguards are in place. This is one of the regulation's most distinctive features: it ensures that the level of protection guaranteed within the EU is not undermined simply by moving data across borders. For any organisation using cloud services, outsourcing to non-EU providers, or operating internationally, understanding these rules is essential.

Why Transfers Are Restricted

Chapter V of the GDPR (Articles 44-49) establishes the principle that personal data may only be transferred to a third country or international organisation if the controller or processor complies with specific conditions. The rationale is straightforward: the rights of EU data subjects should not be diminished because their data is processed outside the EEA, whether in a data centre in Virginia, a call centre in Mumbai, or a subsidiary in Sao Paulo.

What Constitutes a "Transfer"

The GDPR does not precisely define "transfer," but the EDPB has clarified that three conditions must be met:

  1. A controller or processor is subject to the GDPR for the processing in question.
  2. That controller or processor discloses (or makes available) personal data to another controller or processor.
  3. The recipient is in a third country or is an international organisation, regardless of whether the recipient is subject to the GDPR.

Common examples of transfers: Storing customer data with a US cloud provider, sharing employee data with a parent company headquartered in Singapore, using an analytics platform with servers in Australia, allowing remote access by a support team based in India.

Merely transiting data through a third country (without the data being accessed) is generally not considered a transfer.

Transfer Mechanisms

The GDPR provides a hierarchy of mechanisms for lawfully transferring data outside the EEA.

1. Adequacy Decisions (Article 45)

The European Commission can determine that a third country, territory, sector, or international organisation ensures an adequate level of protection. Once an adequacy decision is in place, transfers to that country require no further authorisation — they are treated essentially like intra-EEA transfers.

Countries with current adequacy decisions include:

  • Andorra, Argentina, Canada (commercial organisations under PIPEDA), Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, United Kingdom, Uruguay
  • United States (limited to organisations certified under the EU-US Data Privacy Framework, adopted in July 2023)

Adequacy decisions are periodically reviewed and can be revoked if the level of protection deteriorates.

Practical note: Even with an adequacy decision, you still need to comply with all other GDPR requirements (lawful basis, data minimisation, etc.). Adequacy only addresses the transfer mechanism — it does not exempt you from the regulation's other obligations.

2. Standard Contractual Clauses (Article 46(2)(c))

Where no adequacy decision exists, the most commonly used mechanism is Standard Contractual Clauses (SCCs) — pre-approved contractual terms adopted by the European Commission that the data exporter and data importer must sign and abide by.

The current SCCs (adopted in June 2021) are structured as four modules:

  • Module 1: Controller to Controller (C2C) — e.g. two companies sharing customer data for their respective purposes.
  • Module 2: Controller to Processor (C2P) — e.g. a European company engaging a non-EU cloud hosting provider.
  • Module 3: Processor to Processor (P2P) — e.g. a European processor sub-contracting to a non-EU sub-processor.
  • Module 4: Processor to Controller (P2C) — e.g. a European processor returning data to a non-EU controller.

Transfer Impact Assessments (TIAs): Following the Schrems II ruling, simply signing SCCs is not sufficient. The data exporter must carry out a Transfer Impact Assessment to evaluate whether the laws and practices of the recipient country provide an essentially equivalent level of protection. If they do not, supplementary measures (technical, contractual, or organisational) must be implemented to bridge any gaps.

Examples of supplementary measures: End-to-end encryption where the importer does not hold the decryption key, pseudonymisation before transfer, split processing across jurisdictions, contractual commitments not to comply with disproportionate government access requests.

3. Binding Corporate Rules (Article 47)

Binding Corporate Rules (BCRs) are internal data protection policies adopted by a multinational corporate group and approved by the competent supervisory authority. They allow intra-group transfers worldwide.

BCRs are comprehensive documents that must cover all GDPR principles, data subject rights, and enforcement mechanisms. They are expensive and time-consuming to implement — typically taking 12-24 months to gain approval — and are therefore primarily used by large multinational corporations.

Two types exist:

  • BCR-C (for controllers) — governing transfers within the group where entities act as controllers.
  • BCR-P (for processors) — governing transfers where group entities process data on behalf of external clients.

4. Derogations (Article 49)

Where no adequacy decision, SCCs, or BCRs are in place, Article 49 provides a set of derogations that may be relied upon in specific circumstances. These are intended to be strictly interpreted and used only for occasional, non-repetitive transfers:

  • Explicit consent — the data subject has been informed of the risks and has explicitly consented to the transfer.
  • Contractual necessity — the transfer is necessary for the performance of a contract between the data subject and the controller, or for pre-contractual steps taken at the data subject's request.
  • Important reasons of public interest — recognised in EU or member state law.
  • Legal claims — the transfer is necessary for the establishment, exercise, or defence of legal claims.
  • Vital interests — necessary to protect the vital interests of the data subject or another person, where the data subject is physically or legally incapable of giving consent.
  • Public register — the transfer is from a register intended for public consultation.

Important: Derogations cannot be used as the primary mechanism for systematic, large-scale, or repeated transfers. They are a safety valve, not a routine pathway.

The Schrems Legacy

Two landmark cases before the Court of Justice of the European Union (CJEU) have shaped the modern transfer landscape:

Schrems I (2015)

The Court invalidated the EU-US Safe Harbour framework, finding that mass surveillance programmes by US intelligence agencies undermined the adequacy of protection for EU data transferred to the United States.

Schrems II (2020)

The Court struck down the EU-US Privacy Shield (Safe Harbour's replacement) on similar grounds. Critically, the Court also ruled that SCCs remain valid in principle, but that data exporters must assess, on a case-by-case basis, whether the recipient country's legal framework provides adequate protection — and implement supplementary measures where it does not.

The Schrems II ruling transformed the use of SCCs from a "sign and forget" exercise into an ongoing compliance obligation. The requirement for Transfer Impact Assessments and supplementary measures now applies to every SCC-based transfer, regardless of destination country.

The EU-US Data Privacy Framework (DPF), adopted in 2023, addresses some of the concerns raised in Schrems II by introducing new safeguards and redress mechanisms on the US side. However, it remains subject to legal challenge and periodic review.

How GDPR4All Tracks International Transfers

GDPR4All integrates transfer tracking across two key modules:

  • ROPA — each processing activity records the countries to which personal data is transferred and the transfer mechanism relied upon (adequacy, SCCs, BCRs, or derogation).
  • Vendor Management — the vendor register and DPA (Data Processing Agreement) management features capture transfer mechanisms, including the specific SCC modules applicable, and flag upcoming DPA expiry dates so that transfer safeguards remain current.

This ensures that your organisation maintains a complete, auditable picture of where personal data flows outside the EEA and what safeguards are in place for each transfer.

Summary

International data transfers require careful attention under the GDPR. Rely on adequacy decisions where available, use SCCs with a documented Transfer Impact Assessment for all other transfers, and reserve derogations for genuinely occasional situations. The Schrems II ruling makes clear that the legal framework of the recipient country must be actively assessed — signing contractual clauses alone is no longer enough.
