Transfer Rules Overview

GDPR Chapter V restricts transfers of personal data to countries outside the EEA unless appropriate safeguards are in place. Following the Schrems II judgment, organizations must take additional steps to ensure data remains protected.

Transfer Mechanisms (in preference order)

  1. Adequacy decision: Commission has determined adequate protection
  2. Appropriate safeguards: SCCs, BCRs, codes of conduct, certification
  3. Derogations: Explicit consent, contract necessity, public interest (limited)

Adequacy Decisions

Countries with adequacy decisions can receive data without additional safeguards:

  • Andorra, Argentina, Canada (commercial), Faroe Islands
  • Guernsey, Israel, Isle of Man, Japan, Jersey
  • New Zealand, Republic of Korea, Switzerland
  • United Kingdom (until 2025), Uruguay
  • USA (via EU-US Data Privacy Framework for participating companies)

Standard Contractual Clauses (SCCs)

The 2021 SCCs are the most common transfer mechanism. They come in modular form:

SCC Modules

Module      Transfer Type
Module 1    Controller to Controller
Module 2    Controller to Processor
Module 3    Processor to Processor
Module 4    Processor to Controller

SCC Implementation Steps

  1. Identify all transfers outside the EEA
  2. Determine transfer type (C2C, C2P, etc.)
  3. Select appropriate module
  4. Complete Annex I (parties, data details)
  5. Complete Annex II (technical/organizational measures)
  6. Conduct Transfer Impact Assessment
  7. Implement supplementary measures if needed
  8. Sign SCCs with data importer

Transfer Impact Assessments (TIA)

Following Schrems II, you must assess whether the destination country provides essentially equivalent protection. A TIA evaluates whether SCCs can be complied with in practice.

TIA Steps

  1. Know your transfers: Map all transfers, data types, purposes
  2. Identify the transfer tool: SCCs, BCRs, etc.
  3. Assess destination country law: Focus on government access powers
  4. Assess if importer can comply with SCCs: Given local laws
  5. Identify supplementary measures: If needed to fill gaps
  6. Re-evaluate at appropriate intervals: Or when circumstances change

Key Assessment Questions

  • Does the destination country have mass surveillance laws?
  • Can authorities compel access without judicial oversight?
  • Is there effective redress for EU data subjects?
  • What is the practical likelihood of government access?
  • What type of data is being transferred?

Supplementary Measures

Where the TIA identifies gaps, supplementary measures may help:

Technical Measures

  • Strong encryption (with keys retained in the EEA)
  • Pseudonymization (with key kept separate)
  • Split processing (sensitive elements remain in the EEA)
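
The pseudonymization and split-processing measures above, sketched as an added example (not part of the original page): direct identifiers are replaced with keyed HMAC-SHA256 pseudonyms, sensitive fields are held back, and a pre-export check flags identifiers that survive in free text. The field names, the sample record and the key handling are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed field classification for this example (not from the page).
DIRECT_IDENTIFIERS = {"customer_id", "email"}     # exported only as pseudonyms
EEA_ONLY_FIELDS = {"national_id", "health_note"}  # split processing: never exported

# Constructed sample record.
SAMPLE = {
    "customer_id": "C-10442",
    "email": "anna@example.eu",
    "national_id": "ID-000-CONSTRUCTED",
    "health_note": "constructed note",
    "plan": "premium",
    "support_text": "Please reply to anna@example.eu",
}

def pseudonym(key: bytes, field: str, value: str) -> str:
    """Keyed pseudonym (HMAC-SHA256). Without the key the importer cannot
    confirm a guessed identifier, unlike a plain unkeyed hash."""
    msg = field.encode() + b"\x00" + value.encode()  # field name separates domains
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def prepare_export(record: dict, key: bytes):
    """Split one record into (export, eea_only, lookup).
    Only `export` leaves the EEA; `eea_only`, `lookup` and `key` stay behind."""
    export, eea_only, lookup = {}, {}, {}
    for field, value in record.items():
        if field in EEA_ONLY_FIELDS:
            eea_only[field] = value
        elif field in DIRECT_IDENTIFIERS:
            token = pseudonym(key, field, str(value))
            export[field] = token
            lookup[token] = value  # re-identification table, kept with the key
        else:
            export[field] = value
    return export, eea_only, lookup

def residual_identifiers(export: dict, record: dict) -> list:
    """Export fields that still contain a raw identifier, e.g. inside free text."""
    raw = [str(record[f]) for f in DIRECT_IDENTIFIERS | EEA_ONLY_FIELDS if f in record]
    return sorted(f for f, v in export.items() if any(r in str(v) for r in raw))

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # assumption: real key lives in an EEA-held key store
    export, eea_only, lookup = prepare_export(SAMPLE, key)
    print("export:", export)
    print("blocked until cleaned:", residual_identifiers(export, SAMPLE))
```

On the sample record the check reports `support_text`, because the e-mail address survives inside free text even though the `email` field itself was pseudonymized.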

Organizational Measures

  • Policies restricting onward transfers
  • Transparency reporting
  • Procedures to challenge government requests

Contractual Measures

  • Commitment to notify of government requests (where legally possible)
  • Commitment to challenge unlawful requests
  • Audit rights

Practical Steps

Immediate Actions

  1. Create a transfer register (all non-EEA transfers)
  2. Identify current transfer mechanisms
  3. Update to 2021 SCCs if still using old versions
  4. Conduct TIAs for each transfer
  5. Document assessment and decisions

Ongoing Obligations

  • Monitor regulatory developments (new adequacy decisions, guidance)
  • Re-assess when circumstances change
  • Include transfer assessment in vendor due diligence