🌐 International Data Transfers
GDPR Chapter V (Articles 44-49) restricts transfers of personal data to countries outside the EU/EEA that do not ensure an adequate level of data protection. This is one of the most complex areas of GDPR, especially since the Schrems II ruling in 2020 invalidated the EU-US Privacy Shield. Below are the main mechanisms for legally transferring personal data internationally.
Adequacy Decisions
The European Commission can determine that a third country, territory, or sector provides a level of data protection essentially equivalent to that of the EU. Transfers to countries with adequacy decisions are treated the same as intra-EU transfers — no additional safeguards are required. The Commission regularly reviews adequacy decisions.
When to Use: When transferring data to a country or sector that has received an adequacy decision from the European Commission. As of 2024, adequacy decisions exist for: Andorra, Argentina, Canada (commercial organizations under PIPEDA), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom, Uruguay, and the United States (limited to organizations certified under the EU-US Data Privacy Framework).
Steps
1. Verify that the destination country or sector has a current adequacy decision
2. For US transfers, verify the specific recipient is certified under the EU-US Data Privacy Framework (check the DPF List at dataprivacyframework.gov)
3. Document the adequacy decision as the basis for the transfer in your ROPA and privacy notice
4. Monitor for any changes to or revocation of the adequacy decision
5. No additional contractual or technical safeguards are required (but they remain good practice)
Standard Contractual Clauses (SCCs)
SCCs are pre-approved contractual clauses issued by the European Commission that parties can incorporate into their contracts to provide adequate safeguards for data transfers. The new 2021 SCCs replaced the older versions and include a modular structure covering four transfer scenarios: controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller.
When to Use: When transferring data to a country without an adequacy decision and Binding Corporate Rules are not in place. SCCs are the most commonly used transfer mechanism. They must be supplemented by a Transfer Impact Assessment (TIA) to evaluate the laws of the destination country.
Steps
1. Identify the correct SCC module for your transfer scenario (C2C, C2P, P2P, or P2C)
2. Complete the SCC annexes with specific details: parties, data description, technical measures, sub-processors
3. Conduct a Transfer Impact Assessment (TIA) to evaluate the destination country's legal framework
4. If the TIA reveals that the destination country's laws undermine the SCC protections, implement supplementary measures (additional encryption, pseudonymization, data splitting)
5. Execute the SCCs with the data importer (recipient)
6. Incorporate the SCCs into the broader Data Processing Agreement
7. Review SCCs and TIAs periodically, and whenever the legal situation in the destination country changes
Binding Corporate Rules (BCRs)
BCRs are internal rules adopted by a multinational group of companies that define their global policy for transferring personal data within the group to countries outside the EU/EEA. BCRs must be approved by a lead supervisory authority through a cooperation procedure. They are a significant investment but provide the most flexibility for intra-group transfers.
When to Use: When your organization is a multinational group that regularly transfers personal data between group entities across borders. BCRs are most suitable for large organizations with the resources to develop and maintain them (the approval process typically takes 1-2 years). BCRs can cover both controller and processor transfers.
Steps
1. Assess whether BCRs are the right mechanism (consider size, complexity, and transfer volume)
2. Draft the BCRs covering all WP256/257 requirements: scope, data protection principles, rights mechanisms, training, audit, complaint handling
3. Identify the lead supervisory authority based on where the group's EU headquarters or main decision-making entity is located
4. Submit the BCRs for approval through the cooperation procedure
5. Once approved, implement the BCRs across all group entities globally
6. Maintain and update the BCRs as the group structure, processing activities, or legal requirements change
7. Conduct regular compliance audits against the BCRs
Derogations (Article 49 Exceptions)
In the absence of an adequacy decision or appropriate safeguards, GDPR allows transfers in specific, limited situations called derogations. These are narrow exceptions, not general permissions. They should be used as a last resort, not as a primary transfer mechanism.
When to Use: Only when no other transfer mechanism is available AND one of the specific derogation conditions applies. Derogations should be interpreted restrictively and used only for occasional, non-repetitive transfers. They are not suitable for systematic or large-scale transfers.
Steps
1. Confirm that no other transfer mechanism (adequacy, SCCs, BCRs) is available or feasible
2. Identify the applicable derogation: (a) explicit consent after being informed of the risks, (b) necessary for contract performance with the data subject, (c) necessary for a contract in the data subject's interest, (d) important reasons of public interest, (e) necessary for legal claims, (f) necessary to protect vital interests, (g) transfer from a public register
3. Document why the derogation applies and why no other mechanism was feasible
4. Ensure the transfer is limited in scope — derogations should not be used for bulk, ongoing transfers
5. Inform the data subject of the transfer and the specific risks (for consent-based derogations)
6. Inform the supervisory authority if using the 'compelling legitimate interests' derogation (Article 49(1) second subparagraph)
Transfer Impact Assessments (TIAs)
A Transfer Impact Assessment is a documented evaluation of whether the laws and practices of the destination country may impinge on the effectiveness of the safeguards provided by SCCs or BCRs. TIAs have been required since the Schrems II ruling. The TIA assesses government access laws, surveillance practices, data protection enforcement, and the rule of law in the destination country.
When to Use: Whenever you rely on SCCs or BCRs as your transfer mechanism. The TIA must be conducted BEFORE the transfer begins and should be reviewed periodically or when the destination country's legal framework changes.
Steps
1. Identify the specific laws and practices of the destination country that could affect data protection (focus on government surveillance and access laws)
2. Assess whether those laws are limited to what is necessary and proportionate in a democratic society
3. Evaluate practical enforcement: are the laws actually applied in practice?
4. Consider the specific circumstances of the transfer: data type, sensitivity, volume, technical measures, onward transfer risk
5. Determine whether supplementary measures are needed (additional encryption, pseudonymization, contractual restrictions)
6. Document the TIA, including: countries assessed, laws analyzed, risk conclusions, supplementary measures, and the decision to proceed or halt
7. If you conclude that the destination country's laws fundamentally undermine the safeguards and supplementary measures cannot compensate, you must not proceed with the transfer