GDPR International Data Transfers: SCCs & Adequacy (2026)

Every time a company routes EU personal data to a server outside the European Economic Area, whether to a US cloud provider, an Indian outsourcing firm, or a Canadian subsidiary, it triggers a binding legal obligation under GDPR Chapter V. Without a valid transfer mechanism in place before the data moves, that transfer is unlawful regardless of how securely the data is handled at the destination. If you are new to the GDPR framework, start with What Is GDPR? before continuing.
Why GDPR Restricts International Data Transfers
The GDPR's protection of personal data does not stop at the EEA border. Article 44 establishes what practitioners call the anti-loophole principle: "Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation." Without this rule, an organisation could escape GDPR obligations simply by routing data through a non-EU server once and then passing it anywhere in the world.
Article 44's second sentence reinforces that point: "All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined." Protection follows the data wherever it goes. The destination country's own domestic privacy law is irrelevant to the analysis. What matters is whether the specific Chapter V mechanism used will maintain a standard of protection essentially equivalent to that guaranteed within the EU for the data subjects whose data is being moved.
The Chapter V rules apply to every controller and every processor covered by the GDPR, regardless of organisation size, sector, or transfer volume. A startup sending customer records to a US payment processor is subject to the same obligations as a multinational routing HR data to Asian subsidiaries. The threshold question is simply: is the recipient in a country or territory outside the EEA? If yes, Chapter V applies.
It is also worth clarifying what constitutes a "transfer." The EDPB has confirmed in Guidelines 05/2021 that remote access by a recipient in a third country (for example, a system administrator logging in from outside the EEA, or a support technician retrieving a backup) counts as a transfer even if no file is physically copied across a border. Controllers must map all such access points when assessing their transfer exposure.
The Three-Tier Decision Hierarchy
GDPR Chapter V establishes a structured hierarchy of transfer tools. The hierarchy must be applied in order: Tier 1 (adequacy decisions) is checked first; only if no adequacy decision exists does Tier 2 (appropriate safeguards) become relevant; and only if Tier 2 options are genuinely unavailable or infeasible does Tier 3 (Article 49 derogations) come into play. Supervisory authorities have consistently rejected attempts to jump directly to derogations when Tier 2 options were available.
The table below summarises the three tiers and the individual mechanisms within each.
| Mechanism | Article | When to Use |
|---|---|---|
| Adequacy decision | Art 45 | Destination country is on the Commission's current adequacy list (no contract needed) |
| Standard Contractual Clauses | Art 46(2)(c) | Any transfer to a non-adequate country; most common tool |
| Binding Corporate Rules (controller) | Art 47 | Intra-group transfers within a multinational, approved by lead DPA |
| Binding Corporate Rules (processor) | Art 47 | Intra-group processor-chain transfers, approved by lead DPA |
| Ad hoc contractual clauses | Art 46(3)(a) | Bespoke DPA-approved clauses for unusual transfer scenarios |
| Approved code of conduct | Art 46(2)(e) | Sector-specific code approved under Art 40 by competent DPA |
| Approved certification | Art 46(2)(f) | Certification mechanism approved under Art 42 |
| Legally binding instrument (public authorities) | Art 46(2)(a) | Government-to-government data sharing agreements |
| Explicit consent | Art 49(1)(a) | Occasional, non-repetitive transfer with specific, informed data-subject consent |
| Contract necessity | Art 49(1)(b) | Transfer objectively necessary for a contract with the data subject |
| Important public interest | Art 49(1)(d) | Public-interest grounds recognised in EU or Member State law |
| Legal claims | Art 49(1)(e) | Establishment, exercise, or defence of legal claims |
| Vital interests | Art 49(1)(f) | Protect life where data subject is incapable of consenting |
Tier 1: Adequacy Decisions Under Article 45
Article 45(1) provides the simplest possible transfer route: "A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation."
In practical terms, a transfer to an adequate jurisdiction requires no bespoke contract, no risk assessment, and no supervisory-authority notification. The transfer is treated the same as a transfer within the EU. As of mid-2026, 17 jurisdictions hold adequacy status: Andorra, Argentina, Brazil (adequacy granted January 26, 2026), Canada (commercial organisations only), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, the Republic of Korea (December 2021), Switzerland, the United Kingdom (adequacy renewed December 19, 2025), the United States (commercial organisations certified under the EU-US Data Privacy Framework only), Uruguay, and the European Patent Organisation (July 2025).
Adequacy decisions are not permanent grants of equivalence. Article 45(3) requires the Commission to conduct a periodic review at least every four years and grants the Commission power to repeal, amend, or suspend a decision if the relevant country's protection falls below the required standard. Article 45(4) requires the Commission to monitor ongoing developments in third countries and international organisations that could affect the functioning of existing decisions. The UK's adequacy decision, for example, was subject to a sunset review and was renewed in December 2025 following scrutiny of post-Brexit legislative developments. Japan's adequacy decision has been reviewed and confirmed, though the Commission noted supplementary rules negotiated with Japan's Personal Information Protection Commission.
The Commission evaluates adequacy by examining the rule of law, respect for human rights and fundamental freedoms, relevant legislation in force (both general and sector-specific, including public-security, criminal law, and international-security law), the existence of independent supervisory authorities with adequate enforcement powers, and international commitments the country has entered into. No country is declared adequate solely because it has enacted a privacy law. The Commission must also assess enforcement in practice.
Some transfers fall partially outside an adequacy decision: for example, transfers to Canadian government bodies, which are not covered by Canada's commercial-sector adequacy decision, or transfers to US organisations that are not DPF-certified. For those uncovered flows, the controller must use an Article 46 mechanism. Adequacy decisions frequently exclude public authorities, law-enforcement bodies, or specific sectors. Reading the scope of the relevant decision carefully is essential.
For the complete and current list of adequate countries, decision texts, and scope summaries, see our dedicated EU Adequacy Decisions page.
Tier 2: Appropriate Safeguards Under Article 46
For the vast majority of destinations worldwide, including China, India, Russia, and most US organisations that are not DPF-certified, no adequacy decision exists. Article 46(1) provides the solution: "In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available."
Article 46(2) lists the safeguards that do not require case-by-case supervisory-authority authorisation, meaning the controller or processor can implement them without seeking regulatory approval in advance: legally binding instruments between public authorities, BCRs approved under Article 47, SCCs adopted by the Commission, standard clauses adopted by a supervisory authority and approved by the Commission, approved codes of conduct under Article 40, and approved certifications under Article 42. Safeguards requiring prior DPA authorisation are listed in Article 46(3): ad hoc contractual clauses and administrative arrangements between public authorities.
Standard Contractual Clauses in Depth
The Commission's modernised SCCs were adopted on June 4, 2021 in Commission Implementing Decision (EU) 2021/914, published in the Official Journal of the EU at L 199/31 on June 7, 2021. They replaced three sets of SCCs adopted under the predecessor Directive 95/46/EC (Commission Decisions 2001/497/EC and 2010/87/EU), which were repealed with effect from September 27, 2021. A transitional period ran until December 27, 2022, during which contracts relying on old SCCs and entered into before September 27, 2021 could remain valid without amendment. After December 27, 2022, any new reliance on old SCCs became unlawful.
The 2021 SCCs use a modular architecture: rather than issuing separate SCC sets for each transfer scenario, the Commission published a single document from which parties select the applicable module. The four modules are:
- Module 1 (Controller to Controller): Covers situations where a controller in the EEA exports data to a controller outside the EEA. Each party is independently responsible for compliance with its own obligations. Typical use case: sharing customer data between two business partners.
- Module 2 (Controller to Processor): The most widely used module. Covers a controller in the EEA engaging a processor outside the EEA (for example, a US cloud-infrastructure provider or an outsourced payroll processor). The processor must act only on the controller's documented instructions.
- Module 3 (Processor to Processor): Covers a processor in the EEA engaging a sub-processor outside the EEA, where the processor acts under instructions from the upstream controller. Authorisation from the original controller is required before the sub-processor relationship is established.
- Module 4 (Processor to Controller): Covers a processor outside the EEA returning or sending data back to its controller inside the EEA. This scenario arises where a non-EEA processor collects data on behalf of an EEA controller (for example, a US market-research firm processing EU respondent data and sending results back to its EU client).
The 2021 SCCs also introduced a docking mechanism: new parties can join an existing SCC relationship by countersigning the clauses, avoiding the need to re-execute a full SCC set each time the processing arrangement expands. This simplifies compliance for complex supply chains.
Parties may add additional safeguards or business-specific terms to the SCCs, provided the additions do not contradict the mandatory clauses and do not reduce the level of protection for data subjects. They may not delete or alter the mandatory provisions.
A critical structural addition in the 2021 SCCs is Clause 14: Local Laws and Practices Affecting Compliance with the Clauses. Clause 14(a) requires the parties to warrant that they have no reason to believe that the laws and practices in the destination country prevent the importer from fulfilling its SCC obligations. Clause 14(c) imposes a documented assessment obligation, specifying that the parties must assess whether the laws of the destination country respect the essence of fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society. This clause effectively codifies the Transfer Impact Assessment requirement that Schrems II imposed, making it an express contractual obligation between exporter and importer rather than merely a regulatory expectation.
For step-by-step module selection guidance, a Clause 14 assessment template, and commentary on key SCC clauses, see our dedicated Standard Contractual Clauses page.
Binding Corporate Rules in Depth
BCRs are legally binding internal data protection codes that a multinational group adopts to govern intra-group personal data transfers from the EEA to group entities outside the EEA. Article 47(1) specifies that BCRs must be legally binding and apply to and be enforced by every member of the group, must expressly confer enforceable rights on data subjects with regard to the processing of their personal data, and must satisfy the requirements listed in Article 47(2).
Article 47(2) sets out a minimum content list. BCRs must specify the group structure and contact details of members; the data transfers, including the categories of data, type of processing, and purpose; their legally binding nature; the application of general data protection principles (purpose limitation, data minimisation, limited retention, and so on); data subjects' rights and how to exercise them; liability arrangements and how complaints are handled; and how a supervisory authority can audit compliance.
The GDPR distinguishes controller BCRs (governing intra-group transfers where EEA entities are the data controllers) from processor BCRs (governing intra-group processor chains). The EDPB has published dedicated working papers and recommendations for each type. Controller BCRs are governed primarily by EDPB Recommendations 1/2022; processor BCRs have their own framework.
The BCR approval process involves: submitting draft BCRs to the competent lead supervisory authority (typically the DPA of the country where the EEA entity with main establishment is located); the lead DPA completing a review and drafting a decision under the consistency mechanism in GDPR Article 63; the EDPB reviewing the decision and issuing an opinion; and the lead DPA issuing the final approval reflecting EDPB feedback. The process typically takes 12 to 18 months even for well-prepared submissions. Pre-GDPR BCR authorisations issued under Directive 95/46/EC remain valid unless amended or repealed.
The key limitation: BCRs cover only transfers within the group. They do not authorise transfers to unrelated third-party processors or controllers. An organisation that has approved BCRs for intra-group transfers still needs SCCs or another Article 46 mechanism for external processors.
Schrems II: The Ruling That Changed Everything
The July 2020 CJEU judgment in Case C-311/18, Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems, is the most consequential data-transfer ruling in GDPR history. It reshaped international data transfer compliance in two fundamental ways.
The first holding: the Court invalidated Commission Decision 2016/1250, which had established the EU-US Privacy Shield. The Court found that the US legal framework, particularly the Foreign Intelligence Surveillance Act Section 702 and Executive Order 12333, did not provide EU data subjects with protection essentially equivalent to that guaranteed within the EU, because US surveillance programs allowed access to personal data in a manner not strictly necessary and proportionate to what was required in a democratic society. The Court also found that EU data subjects lacked an effective judicial remedy against US intelligence agency access to their data, a requirement under Article 47 of the EU Charter of Fundamental Rights. Privacy Shield transfers to the United States became unlawful on July 16, 2020, the day the judgment was delivered.
The second holding, with wider global effect: the Court upheld the validity of SCCs as a transfer mechanism but imposed a conditional obligation. SCCs create contractual rights and obligations between the exporter and importer but cannot bind government authorities in the destination country. Before relying on SCCs, the parties must assess whether the laws of the destination country impair the practical effectiveness of the clauses. If the importer cannot comply with the SCC obligations in light of local law, the data exporter must suspend or terminate the transfer. If the relevant supervisory authority becomes aware of such a situation, it is required under Article 58(2)(f) to suspend or prohibit the transfer.
The ruling put an immediate premium on what became known as Transfer Impact Assessments. Controllers relying on SCCs could no longer simply execute the template and consider the compliance analysis done. They had to document a genuine legal and factual assessment of destination-country law and, if the assessment identified gaps, either implement supplementary measures to address them or refrain from the transfer.
The Schrems Timeline: Safe Harbor, Privacy Shield, DPF
The EU-US data transfer relationship has been shaped by three successive frameworks, each adopted after its predecessor was invalidated.
Safe Harbor (2000-2015): The original US self-certification framework under Commission Decision 2000/520/EC allowed US companies to self-certify compliance with Safe Harbor Principles. In October 2015, the CJEU invalidated Safe Harbor in Case C-362/14 (Maximillian Schrems v. Data Protection Commissioner, known as Schrems I), finding that the Commission had no competence to limit the powers of national supervisory authorities to investigate complaints simply by declaring a country's protection adequate, and that Safe Harbor failed to meet equivalency because US law permitted broad access by public authorities without proportionality constraints.
Privacy Shield (2016-2020): Privacy Shield was adopted in Commission Decision 2016/1250 on July 12, 2016 as a replacement for Safe Harbor, incorporating additional commitments and an Ombudsperson mechanism for EU data-subject complaints. It was invalidated by Schrems II on July 16, 2020 on the grounds described above. Organisations relying solely on Privacy Shield for US transfers immediately lost their transfer basis. Those that had SCCs in parallel were required to complete TIAs to assess whether those SCCs remained workable.
EU-US Data Privacy Framework (2023-present): On July 10, 2023, the Commission adopted Commission Implementing Decision (EU) 2023/1795, finding the United States adequate for DPF-certified organisations. The legal basis for the adequacy finding is US Executive Order 14086 of October 7, 2022, "Enhancing Safeguards for United States Signals Intelligence Activities", which imposed proportionality and necessity constraints on US signals intelligence collection and established the Data Protection Review Court as an independent body to adjudicate EU data-subject complaints. The DPRC is a new judicial mechanism with authority to order remedies, including deletion of improperly collected data, binding on US intelligence agencies.
The DPF adequacy decision is scoped. It covers transfers only to US organisations that have self-certified to the DPF Principles (available at the DPF website maintained by the US Department of Commerce) and that fall under the jurisdiction of the Federal Trade Commission or the Department of Transportation. Approximately 2,700 US organisations were certified as of mid-2026. US financial institutions and other entities outside FTC/DoT jurisdiction are excluded and must use SCCs.
The DPF's legal durability is contested. The European Parliament adopted a resolution on April 11, 2023 expressing concerns about the adequacy of US safeguards, and civil-liberties organisations have signalled intent to challenge the decision before the CJEU. Organisations that rely on the DPF as their sole US transfer basis should maintain SCC fallback arrangements so that a potential future invalidation does not create a compliance emergency.
Transfer Impact Assessments: What They Are and How to Conduct One
A Transfer Impact Assessment is a structured due-diligence exercise that a data exporter must complete before relying on SCCs, BCRs, or other Article 46 safeguards. The TIA requirement emerged from Schrems II and was operationalised by the EDPB in Recommendations 01/2020 v2.0, adopted June 18, 2021. The 2021 SCCs embedded the TIA into Clause 14, making it a contractual obligation between exporter and importer.
The EDPB's Recommendations establish a six-step roadmap for the TIA process:
Step 1, Know your transfers. Map all transfers of personal data to third countries, including onward transfers and remote access by non-EEA parties. Identify the categories of data, the recipient, the country, and the transfer mechanism currently in use. This inventory forms the foundation for the assessment.
Step 2, Verify the transfer tool you are relying on. Confirm that the Article 46 instrument is one that can in principle be relied on for the destination country. SCCs cannot, for example, be used for transfers to public authorities in the destination country, because SCCs bind only private-sector parties.
Step 3, Assess whether the transfer tool is effective in the destination country. This is the core of the TIA. The exporter and importer must evaluate whether the destination country's laws and practices, in particular its surveillance and law-enforcement frameworks, would prevent the importer from fulfilling the Article 46 safeguard in practice. The EDPB recommends examining: (a) whether the destination country is a member of multilateral surveillance networks such as the Five Eyes; (b) whether its surveillance laws permit bulk collection of communications content without individualised suspicion; (c) whether data subjects can obtain judicial redress against government access; and (d) the historical track record of surveillance activity in the sector concerned.
Step 4, Adopt supplementary measures if needed. Where Step 3 reveals a gap, the exporter must adopt supplementary measures sufficient to bring the level of protection up to the EU standard. The EDPB groups these into three categories:
- Technical measures: end-to-end encryption where the importer or third parties cannot access the plaintext key; pseudonymisation (replacing direct identifiers with tokens, retaining the key only in the EEA); split or multi-party processing so no single non-EEA party holds the complete dataset; and zero-knowledge architectures for cloud storage. The EDPB stresses that technical measures must be genuinely effective: encryption is only a valid supplementary measure where the importer has no access to the cleartext key and the processing purpose can be achieved on encrypted data.
- Contractual measures: provisions requiring the importer to notify the exporter of any government access request or legally binding demand; provisions requiring the importer to challenge access demands that appear disproportionate or unlawful; transparency clauses; audit rights; and restrictions on onward transfers. Contractual measures alone are rarely sufficient where the destination country's surveillance law overrides contractual commitments, but they can reinforce technical measures.
- Organisational measures: data minimisation at export (transfer only what is strictly necessary); adopting internal policies requiring escalation when government access is received; training personnel; and maintaining transfer logs to demonstrate ongoing compliance.
If no combination of supplementary measures can bridge the gap, typically where destination-country law provides blanket government access to the data in a form that the technical measures cannot prevent, the EDPB concludes that the transfer cannot proceed on Article 46 grounds.
Step 5, Procedural and formal steps. Execute the SCC clauses (or other Article 46 instrument), document the TIA outcome, and ensure any supplementary measures are contractually embedded. Keep the TIA documentation on file as evidence of compliance.
Step 6, Re-evaluate at appropriate intervals. A TIA is not a one-time exercise. The EDPB requires exporters to monitor legal developments in the destination country and re-evaluate whether the assessment remains valid. Significant changes in destination-country surveillance law, new judicial decisions, or enforcement developments may require updating the TIA and potentially suspending the transfer.
The EU-US Data Privacy Framework in Practice
For day-to-day compliance, the DPF operates as follows. A US organisation seeking DPF certification self-certifies to the US Department of Commerce that it commits to adhere to the DPF Principles, which cover notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, and recourse/enforcement/liability. The Department of Commerce maintains a public list of certified organisations. Certification must be renewed annually.
EU data subjects whose data is processed by a DPF-certified organisation have multiple redress avenues. They may first complain directly to the certified organisation, which must respond within 45 days. If unsatisfied, they may escalate to an independent recourse mechanism (typically an approved dispute resolution body or their national DPA). If the complaint concerns potential national security access, they may refer the matter to their national DPA, which can forward it to the DPRC. The DPRC was established under US law as a new judicial mechanism sitting within the executive branch, with binding powers over US intelligence agencies.
For HR data transferred from the EU to certified US entities under the DPF HR Principles, a distinct pathway applies: EU data subjects can bring complaints through their national DPA, which acts as the recourse body.
Organisations that were certified under Privacy Shield automatically received transitional DPF coverage for a limited period but were required to complete formal DPF self-certification to maintain ongoing adequacy protection. Any Privacy Shield certification that was not converted to DPF certification has lapsed.
Tier 3: Article 49 Derogations, Narrow Exceptions, Not a Compliance Route
Article 49(1) provides a final tier for situations where neither an adequacy decision nor Article 46 safeguards apply or are feasible. There are seven derogations, each with strict conditions.
Article 49(1)(a), Explicit consent. The data subject must explicitly consent to the proposed transfer, having been informed of the possible risks of transfers to countries without adequate protection and without an appropriate safeguard. The consent must be specific to the international transfer itself; it cannot be buried in a general privacy notice or bundled with consent to the overall processing. GDPR Recital 111 confirms that the derogation is available "where the transfer is occasional and necessary in relation to a contract or a legal claim."
Article 49(1)(b), Contract necessity. The transfer is necessary for the performance of a contract between the data subject and the controller. "Necessary" is interpreted objectively and strictly: the transfer must be required for the specific contract, not simply convenient or commercially efficient. Booking a flight to a non-adequate country necessarily requires transmitting passenger data to the airline. Routing customer account data through a US data warehouse to generate marketing analytics does not qualify as "necessary for the contract."
Article 49(1)(c), Pre-contractual steps at the data subject's request. Similar to (b) but applies before a contract is concluded. The data subject must have requested the transfer as part of pre-contractual measures.
Article 49(1)(d), Important public interest. The transfer must be necessary for important reasons of public interest recognised by EU or Member State law. International health emergencies, inter-governmental tax cooperation, and financial crime investigations have been recognised as qualifying public interests. This derogation applies primarily to public bodies and non-profit organisations acting in the public interest.
Article 49(1)(e), Legal claims. The transfer is necessary for the establishment, exercise, or defence of legal claims. This covers transfers of evidence to foreign courts, disclosure in international litigation, and regulatory investigations. Like all Article 49 derogations, it covers only the specific transfer required for the specific proceeding.
Article 49(1)(f), Vital interests. The transfer is necessary to protect the vital interests of the data subject or of other persons where the data subject is physically or legally incapable of giving consent. Medical emergencies involving patients abroad are the paradigm case.
Article 49(1)(g), Public registers. The transfer is made from a register that is open to consultation by the public or by any person who can demonstrate a legitimate interest, subject to any conditions the register's governing law establishes.
The most critical limitation on all Article 49 derogations is that they are exceptional, not structural. GDPR Recital 111 states explicitly: "Those derogations should in particular apply to data transfers required and necessary for important reasons of public interest, for example in cases of international data exchange between competition authorities, tax or customs administrations, between financial supervisory authorities, between services competent for social security matters, or for public health, for example in the case of contact tracing for contagious diseases or in order to reduce and/or eliminate doping in sport." Read together, the recitals and supervisory-authority guidance are clear: Article 49 does not provide a lawful basis for systematic, repeated, or large-scale routine transfers. An organisation that relies on Article 49 consent as its basis for ongoing transfer of employee HR data to a US parent company is misapplying the provision.
The EDPB's Guidelines 2/2018 on derogations under Article 49 confirm that the "occasional" requirement means the transfer must be genuinely infrequent and non-systematic. A single transfer that forms part of an ongoing business relationship, even if the individual transfer event happens once a month, may be treated as systematic if the relationship contemplates repeated transfers.
Enforcement: Fines and Transfer Bans
Routing EU personal data abroad without a valid Chapter V basis is treated as a top-tier GDPR violation. Article 83(5) expressly lists breaches of Chapter V among the infringements subject to the maximum administrative fine: up to EUR 20,000,000 or 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher. This is the same penalty tier as violations of the fundamental processing principles in Articles 5 and 6 and breaches of consent requirements under Article 7.
Fines are not the only tool. Supervisory authorities hold authority under Article 58(2) to impose temporary or permanent transfer bans, that is, the power to order that a specific transfer or category of transfers must cease. A transfer ban can halt operations more disruptively than any fine, particularly for organisations that depend on cross-border cloud infrastructure. The Irish Data Protection Commission issued a transfer ban order against Meta Platforms in May 2023 (in proceedings ultimately resolved by a EUR 1.2 billion fine plus the ban) on the grounds that Meta's SCC-based transfers to the United States failed to comply with Schrems II requirements.
Other notable enforcement actions involving international transfers include the 2022 decisions of the CNIL (the French DPA) finding that the use of Google Analytics constituted an unlawful transfer to the US (because Google LLC's server logs allowed potential NSA access to IP addresses), and the Austrian DSB's parallel analysis reaching the same conclusion. These rulings applied to analytics tools widely used by European websites and prompted Google to introduce enhanced data anonymisation features.
The combination of maximum fines and transfer-ban authority means that incomplete TIAs, stale SCC assessments, or transfers to US organisations that are not DPF-certified carry genuine operational and legal risk. Building a documented transfer mapping exercise into annual GDPR compliance reviews, and updating the TIA whenever destination-country law changes materially, is the minimum standard recommended by supervisory authorities.
Practical Decision Flow for Choosing a Transfer Mechanism
Applying the Chapter V hierarchy in practice follows a sequential decision tree.
Step 1: Identify the destination. Confirm the country or territory to which personal data is being transferred. Remember that remote access from a non-EEA location counts as a transfer.
Step 2: Check for an adequacy decision. Consult the Commission's current adequacy list. If an adequacy decision covers the transfer (check its scope: is it a full decision or sector-specific?), no further mechanism is required. Check the EU Adequacy Decisions page for the current list and scope summaries.
Step 3: For the US, check DPF certification. If the destination is a US organisation, verify whether it appears on the current DPF certification list maintained by the Department of Commerce. If yes, the adequacy decision covers the transfer. If no, proceed to Step 4.
Step 4: Select an Article 46 mechanism. For transfers to external third parties (not group entities), the 2021 SCCs are the standard tool. Select the applicable module: Module 2 for the typical controller-to-processor scenario (an EEA company using a US cloud provider), Module 1 for controller-to-controller data sharing, Module 3 for processor-to-sub-processor relationships, or Module 4 for a non-EEA processor returning data to its EEA controller. For intra-group transfers within a multinational, BCRs provide a cleaner long-term structure, though SCCs can be used while BCR approval is pending.
Step 5: Complete a Transfer Impact Assessment. Before executing the SCCs, complete the six-step EDPB roadmap: inventory the transfer, confirm the SCC module is applicable, assess destination-country surveillance law, identify any supplementary measures needed (technical, contractual, organisational), document the conclusion, and schedule re-evaluation. The assessment should be documented in writing and retained as evidence of compliance. See the Standard Contractual Clauses page for a detailed TIA framework.
Step 6: Review a GDPR Data Processing Agreement if the transfer involves a processor. Where Module 2 SCCs are used, they incorporate the Article 28 DPA requirements. If the parties have a separate DPA, the SCC Module 2 and DPA must be consistent; in the event of a conflict, the SCCs take precedence.
Step 7: Consider Article 49 only as a genuine last resort. Only after confirming that Tier 1 and Tier 2 options are genuinely unavailable, and that the transfer is truly occasional and non-repetitive, should an Article 49 derogation be considered. Document the specific derogation relied on and the factual basis for the conclusion that it applies.
Relationship Between Chapter V and Other GDPR Requirements
Chapter V operates on top of the rest of the GDPR, not in place of it. An international transfer that is validly authorised under Chapter V must still satisfy all other GDPR requirements: the transfer must have a lawful basis under Article 6 (consent, contract, legitimate interests, etc.); if special-category data is involved, an Article 9 condition must also be satisfied; and the controller must have provided the data subject with information about the transfer under Articles 13 or 14, including the identity of the third-country recipient and the transfer mechanism used.
The interplay between Chapter V and Article 28 (processor obligations) deserves attention. Where an organisation transfers data to a non-EEA processor, it needs both an Article 28 Data Processing Agreement and a Chapter V transfer mechanism. The 2021 SCC Module 2 satisfies both requirements simultaneously: it incorporates the mandatory Article 28 content within its clauses. Organisations using Module 2 SCCs do not need a separate DPA, though many add one for organisational clarity.
For a detailed explanation of what a GDPR Data Processing Agreement must contain and how to structure one, see our GDPR Data Processing Agreement page.
The broader EU data privacy legal framework, including the roles of the EDPB, national supervisory authorities, and the one-stop-shop mechanism, is covered in the EU Data Privacy Laws hub.
Disclaimer: This page provides general legal information, not legal advice. GDPR compliance requirements are fact-specific and jurisdiction-sensitive. Consult qualified legal counsel for advice tailored to your organisation's specific transfer arrangements, destination countries, and processing activities.
Sources
The sources for this article are maintained in the accompanying JSON file. Key primary sources consulted include: GDPR Regulation (EU) 2016/679 Articles 44-50 and Recitals 101-115 (eur-lex.europa.eu); Commission Implementing Decision (EU) 2021/914 on Standard Contractual Clauses (eur-lex.europa.eu); Commission Implementing Decision (EU) 2023/1795 on the EU-US Data Privacy Framework (eur-lex.europa.eu); CJEU judgment Case C-311/18 Schrems II (curia.europa.eu); EDPB Recommendations 01/2020 v2.0 on supplementary measures (edpb.europa.eu); EDPB Guidelines 2/2018 on Article 49 derogations (edpb.europa.eu); and the European Commission's adequacy decisions page (commission.europa.eu).
Sources and References
- GDPR Regulation (EU) 2016/679, Articles 44-50 and Recitals 101-115 (eur-lex.europa.eu)
- Commission Implementing Decision (EU) 2021/914 on Standard Contractual Clauses (eur-lex.europa.eu)
- Commission Implementing Decision (EU) 2023/1795, EU-US Data Privacy Framework adequacy decision (eur-lex.europa.eu)
- CJEU Case C-311/18 (Schrems II) - Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (curia.europa.eu)
- CJEU Case C-362/14 (Schrems I) - Maximillian Schrems v Data Protection Commissioner (curia.europa.eu)
- EDPB Recommendations 01/2020 v2.0 on Measures to Supplement Transfer Tools (edpb.europa.eu)
- EDPB Guidelines 2/2018 on Derogations of Article 49 under Regulation 2016/679 (edpb.europa.eu)
- EDPB Recommendations 1/2022 on the Application for Approval and on the Elements and Principles to be Found in Controller Binding Corporate Rules (edpb.europa.eu)
- European Commission Adequacy Decisions - current list (commission.europa.eu)
- European Commission - Binding Corporate Rules (commission.europa.eu)
- European Commission - EU-US Data Transfers History (Safe Harbor, Privacy Shield, DPF) (commission.europa.eu)