Chapter V of the GDPR restricts the transfer of personal data to countries outside the European Economic Area unless an adequate level of protection is ensured. The rationale is straightforward: the GDPR’s protections should not be circumvented by simply moving data to a jurisdiction with weaker rules.
For most organisations, international data transfers are not a niche concern. They happen every time you use a cloud service hosted outside the EEA, send an email through a US-based provider, use analytics or advertising tools operated by companies in third countries, share data with a parent company, subsidiary, or business partner outside Europe, or allow a third-party script on your website to transmit visitor data to servers outside the EEA. In practice, most organisations make dozens of international transfers every day — many without realising it.
The GDPR provides several mechanisms for lawfully transferring personal data outside the EEA.
Adequacy decisions. The European Commission can determine that a third country provides an adequate level of data protection. Transfers to adequate countries can proceed without additional safeguards. Countries with adequacy decisions include the United Kingdom, Switzerland, Japan, South Korea, Canada (for commercial organisations subject to PIPEDA), Israel, New Zealand, Argentina, and Uruguay, among others. The United States has a partial adequacy decision through the EU-US Data Privacy Framework, which applies only to certified organisations.
Standard Contractual Clauses (SCCs). These are pre-approved contractual terms adopted by the European Commission that bind the data exporter and data importer to specific data protection obligations. The current SCCs, adopted in June 2021, are modular and cover four transfer scenarios: controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller. SCCs are by far the most commonly used transfer mechanism.
Binding Corporate Rules (BCRs). These are internal data protection policies approved by a supervisory authority for transfers within a corporate group. BCRs are complex and expensive to implement but provide a comprehensive framework for multinational organisations.
Derogations. Article 49 provides limited derogations for specific situations, including explicit consent, contractual necessity, important reasons of public interest, legal claims, and vital interests. These are intended for occasional, non-repetitive transfers and cannot be used as a systematic transfer mechanism.
In July 2020, the Court of Justice of the European Union issued its judgment in Data Protection Commissioner v Facebook Ireland (C-311/18), commonly known as Schrems II. The judgment had two major consequences.
First, the Court invalidated the EU-US Privacy Shield, the adequacy decision that had previously authorised transfers to certified US companies. The Court found that US surveillance laws — particularly Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333 — did not provide adequate protections for EU data subjects.
Second, and more broadly, the Court ruled that organisations relying on SCCs must assess, on a case-by-case basis, whether the legal framework of the destination country provides a level of protection essentially equivalent to that guaranteed in the EU. If it does not, the data exporter must implement supplementary measures to fill the gap — or suspend the transfer.
This second element, the obligation to conduct a transfer impact assessment, applies to every transfer that relies on an Article 46 safeguard, SCCs and BCRs alike, and not only to transfers to the United States. It fundamentally changed the compliance landscape for international data transfers.
In July 2023, the European Commission adopted a new adequacy decision for the United States — the EU-US Data Privacy Framework (DPF). This allows transfers to US organisations that have self-certified under the Framework, which is administered by the US Department of Commerce.
The DPF addresses the concerns raised in Schrems II through Executive Order 14086, which introduced new safeguards and limitations on US signals intelligence activities and established a Data Protection Review Court for EU individuals to challenge surveillance measures.
Important caveats apply. The DPF only covers transfers to certified organisations. You must verify that the specific US recipient is on the DPF List maintained by the Department of Commerce. Transfers to non-certified US organisations still require SCCs and a transfer impact assessment. The DPF is also subject to periodic review by the European Commission, and its long-term stability is not guaranteed — legal challenges have already been announced.
For transfers based on SCCs or BCRs, you must conduct a transfer impact assessment (TIA) to evaluate whether the legal framework of the destination country provides essentially equivalent protection. The assessment should consider the specific circumstances of the transfer, including the nature of the data, the purpose of the transfer, the legal framework of the destination country (including laws on government access to data), and any supplementary measures applied.
The European Data Protection Board has issued detailed recommendations on transfer impact assessments and supplementary measures (Recommendations 01/2020). The assessment should be documented and reviewed periodically, particularly when there are changes to the legal framework of the destination country or to the circumstances of the transfer.
Where a TIA reveals that the destination country does not provide essentially equivalent protection, you must implement supplementary measures to bridge the gap. Technical measures include encryption in transit and at rest with keys held exclusively by the data exporter (or by an entity it trusts that is established in the EEA or in an adequate country), pseudonymisation before transfer with the re-identification data retained in the EEA, and split processing across jurisdictions so that no single importer holds a meaningful dataset. Contractual measures add obligations on the data importer beyond the SCCs, such as transparency about government access requests and a commitment to challenge disproportionate requests. Organisational measures are internal policies, governance structures and procedural safeguards.
Technical measures are generally the most effective because they can prevent access to the data even where the legal framework of the destination country permits it. The caveat is that they only work where the importer does not need the data in the clear. If the importer must process plaintext (a SaaS provider that has to read the content it hosts, for example), encryption with exporter-held keys is not available, and the EDPB recommendations do not identify an effective technical measure for that scenario. Contractual and organisational measures alone are unlikely to be sufficient where the core problem is a legal obligation on the data importer to provide access to government authorities.
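The pseudonymisation measure above is easy to get wrong in practice: replacing an email address with its plain SHA-256 hash leaves the importer (or anyone who obtains the dataset) able to recover the address by hashing a list of likely emails. The following is an added example, not code from the original article or from Pitch, showing what the measure looks like when done with a key that stays with the exporter: records crossing the border carry only keyed pseudonyms, the key and the re-identification table remain in the EEA, and the weaker unkeyed variant is shown alongside for contrast. The records, field names and the choice of which fields count as direct identifiers are constructed for this example.

```python
"""Keyed pseudonymisation before an international transfer.

Added example, not code from the original article or from Pitch. The importer
outside the EEA receives records whose direct identifiers have been replaced
with keyed pseudonyms, while the key and the re-identification table never
leave the exporter. The sample records are constructed for this example.
"""
import hashlib
import hmac
import secrets

# Constructed sample records (fictitious people). The duplicate row is
# deliberate: a deterministic pseudonym must keep joins working on the
# importer's side.
SAMPLE_RECORDS = [
    {"email": "anna@example.eu", "customer_id": "C-1001", "country": "DE", "plan": "pro"},
    {"email": "anna@example.eu", "customer_id": "C-1001", "country": "DE", "plan": "pro"},
    {"email": "bo@example.eu", "customer_id": "C-1002", "country": "FR", "plan": "free"},
]

# Fields that identify a person directly; everything else is left as-is. Which
# fields belong here is a per-transfer decision made in the TIA, not something
# the code can decide.
DIRECT_IDENTIFIERS = ("email", "customer_id")


def new_exporter_key() -> bytes:
    """256-bit key, generated and stored by the exporter inside the EEA."""
    return secrets.token_bytes(32)


def pseudonym(key: bytes, field: str, value: str) -> str:
    """Deterministic keyed pseudonym: HMAC-SHA256 over field name and value.

    The field name is mixed in so that an email and a customer_id that happen
    to share the same string do not collide. Without the key the importer
    cannot confirm guesses, which defeats the dictionary attack that works
    against unkeyed hashes (see plain_sha256 below).
    """
    mac = hmac.new(key, f"{field}\x00{value}".encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()


def pseudonymise(records, key: bytes):
    """Return (export_set, lookup).

    export_set is what crosses the border; lookup maps (field, pseudonym) back
    to the original value and stays with the exporter.
    """
    export_set, lookup = [], {}
    for rec in records:
        out = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            if out.get(field) is None:
                continue
            p = pseudonym(key, field, str(out[field]))
            lookup[(field, p)] = out[field]
            out[field] = p
        export_set.append(out)
    return export_set, lookup


def reidentify(export_set, lookup):
    """Exporter-side reversal using the retained lookup table."""
    restored = []
    for rec in export_set:
        out = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            entry = (field, out.get(field))
            if entry in lookup:
                out[field] = lookup[entry]
        restored.append(out)
    return restored


def plain_sha256(value: str) -> str:
    """Unkeyed hash, shown only to demonstrate the weaker alternative."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def reverse_plain_hash(candidates, target: str):
    """Dictionary attack: a list of likely emails is enough to undo plain_sha256."""
    for cand in candidates:
        if plain_sha256(cand) == target:
            return cand
    return None


if __name__ == "__main__":
    key = new_exporter_key()
    export_set, lookup = pseudonymise(SAMPLE_RECORDS, key)
    for row in export_set:
        print(row)
    assert reidentify(export_set, lookup) == SAMPLE_RECORDS
    recovered = reverse_plain_hash(["anna@example.eu", "bo@example.eu"],
                                   plain_sha256("bo@example.eu"))
    print("plain SHA-256 of bo@example.eu recovered by dictionary:", recovered)
```

Two design points matter for the TIA write-up. First, the pseudonym is deterministic on purpose, so the importer can still deduplicate and join records, but the same key must then be protected for as long as the dataset exists, since anyone holding it can run the same dictionary attack that works against the unkeyed hash. Second, the measure only removes direct identifiers; whether the remaining columns (country, plan, timestamps in a real dataset) still single out individuals is a separate assessment, and the EDPB recommendations treat pseudonymisation as effective only where that residual data cannot be attributed to a person without the information the exporter retains.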
Many organisations focus their transfer compliance on deliberate, contractual data sharing — sending data to a cloud provider, sharing with an affiliate, engaging an offshore processor. But a significant volume of international transfers happens implicitly, through the technologies embedded in your website, your email infrastructure, your collaboration tools, and your SaaS stack.
Every time your website loads Google Analytics, every time an employee sends an email through a US-hosted provider, every time a marketing tool syncs data with an advertising platform — personal data is potentially transferred outside the EEA. A website technology audit is often the most effective way to identify these hidden transfers and bring them within your compliance framework.
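The static half of such an audit can be automated. The following is an added example, not code from the original article or from Pitch: it parses a page's HTML and lists every external host a visitor's browser would contact while rendering it, together with the tag and attribute that trigger the request, since each such request sends at least the visitor's IP address, user agent and Referer to that host. The page URL, the HTML and every hostname in it are constructed for this example, and the mapping from host to vendor and processing country is deliberately left to the reviewer, because a hostname alone does not tell you where the operator processes the data.

```python
"""Static inventory of third-party hosts a web page makes the browser contact.

Added example, not code from the original article or from Pitch. The HTML,
page URL and hostnames below are constructed for this example.
"""
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> attributes whose value the browser fetches automatically. Plain <a href>
# is excluded: following a link is a navigation the visitor chooses, not a
# request the page makes for them. <form action> is included because submitting
# the form sends what the visitor typed to that host.
FETCHING_ATTRS = {
    "script": ("src",),
    "img": ("src", "srcset"),
    "iframe": ("src",),
    "link": ("href",),  # stylesheets, preconnect, preload, web fonts
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src", "srcset"),
    "embed": ("src",),
    "object": ("data",),
    "form": ("action",),
}

SAMPLE_PAGE_URL = "https://www.shop.example/checkout"
# Hosts the organisation itself operates; anything else is treated as third party.
SAMPLE_FIRST_PARTY = {"shop.example"}

SAMPLE_HTML = """<!doctype html>
<html><head>
  <link rel="stylesheet" href="/static/site.css">
  <link rel="preconnect" href="https://fonts.cdn-vendor.example">
  <script async src="https://tags.analytics-vendor.example/collect.js?id=UA-0000"></script>
  <script src="//cdn.analytics-vendor.example/loader.js"></script>
  <script src="https://static.shop.example/app.js"></script>
</head><body>
  <img src="/img/hero.jpg"
       srcset="/img/hero-2x.jpg 2x, https://img.thirdparty.example/hero-3x.jpg 3x">
  <iframe src="https://video.embed-vendor.example/embed/abc123"></iframe>
  <form action="https://forms.saas-vendor.example/submit" method="post"></form>
  <a href="https://partner.example/">Partner site</a>
  <img src="data:image/png;base64,iVBORw0KGgo=">
</body></html>
"""


class ResourceCollector(HTMLParser):
    """Collects host -> set of 'tag[attr]' for every third-party fetch."""

    def __init__(self, page_url, first_party):
        super().__init__()
        self.page_url = page_url
        self.first_party = {h.lower() for h in first_party}
        self.hits = defaultdict(set)

    def is_first_party(self, host):
        return any(host == fp or host.endswith("." + fp) for fp in self.first_party)

    def handle_starttag(self, tag, attrs):
        attr_map = dict(attrs)  # boolean attributes such as async map to None
        for name in FETCHING_ATTRS.get(tag, ()):
            raw = attr_map.get(name)
            if not raw:
                continue
            if name == "srcset":
                # "url1 2x, url2 3x": keep only the URL part of each candidate.
                urls = [part.split()[0] for part in raw.split(",") if part.strip()]
            else:
                urls = [raw]
            for url in urls:
                self.record(tag, name, url)

    def record(self, tag, name, url):
        if url.startswith(("data:", "javascript:", "mailto:", "#")):
            return
        # urljoin resolves relative and protocol-relative (//host/...) URLs.
        host = urlsplit(urljoin(self.page_url, url)).hostname
        if not host or self.is_first_party(host.lower()):
            return
        self.hits[host.lower()].add(f"{tag}[{name}]")


def third_party_hosts(html, page_url, first_party):
    """Return {host: sorted list of 'tag[attr]'} for third-party fetches, sorted by host."""
    collector = ResourceCollector(page_url, first_party)
    collector.feed(html)
    collector.close()
    return {host: sorted(kinds) for host, kinds in sorted(collector.hits.items())}


if __name__ == "__main__":
    for host, kinds in third_party_hosts(SAMPLE_HTML, SAMPLE_PAGE_URL, SAMPLE_FIRST_PARTY).items():
        print(f"{host:40} {', '.join(kinds)}")
```

Two limits are worth stating in the audit report. This pass only sees what is in the served HTML; a tag manager that injects further scripts at runtime, or fetch and XHR calls made by first-party JavaScript, will only appear in a browser-driven crawl that records network requests. And the output is a list of hosts, not a list of transfers: each host still has to be resolved to its operator, the country where that operator processes the data, and the contractual basis and transfer mechanism recorded for it in the RoPA.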
Map your transfers. Identify every flow of personal data that leaves the EEA, including those embedded in your technology stack. Your record of processing activities (RoPA, required by Article 30) should document each transfer with the destination country and the transfer mechanism used.
Verify your mechanisms. For each transfer, confirm that the appropriate mechanism is in place — adequacy decision, SCCs, BCRs, or a valid derogation. For US transfers, check whether the recipient is DPF-certified.
Conduct TIAs. For transfers based on SCCs or BCRs, assess the legal framework of the destination country and document your findings. Where gaps exist, identify and implement supplementary measures.
Update your SCCs. The old SCCs could only be relied on for existing contracts until 27 December 2022; if any of your transfer agreements still use them, those transfers are non-compliant. Ensure all your transfer agreements use the current modular SCCs adopted in June 2021.
Monitor changes. Transfer mechanisms can change — adequacy decisions can be invalidated, DPF certifications can lapse, and the legal frameworks of destination countries can evolve. Build periodic review into your compliance programme.
At Pitch, we advise organisations on all aspects of international data transfer compliance — from mapping transfers and selecting appropriate mechanisms to conducting transfer impact assessments and implementing supplementary measures. Our website technology audit capabilities help identify hidden transfers embedded in your digital properties, and our data protection practice ensures that your transfer framework is documented, current, and defensible.
Pitch is the law firm for innovators and creatives. If you need to review your international data transfers or conduct a transfer impact assessment, get in touch or schedule a meeting with our team.
