GDPR · Chapter V

International data transfers under EU GDPR

Updated April 2026EU GDPR Chapter VEDPB aligned

Chapter V of EU GDPR restricts transfers of personal data to countries outside the EU/EEA unless an appropriate safeguard or exception applies. The Schrems II judgment (2020) fundamentally reshaped the transfer landscape, requiring Transfer Impact Assessments alongside contractual mechanisms. The EU-US Data Privacy Framework provides a new adequacy basis for US transfers, though its long-term stability remains a monitored risk.

How to read this guide. This guide explains requirements and expectations derived from EU GDPR 2016/679 and EDPB published guidance. Where we write “EU GDPR requires” we cite the regulation. Where we write “EDPB guidance indicates” we cite regulatory guidance, which is not identical to a statutory obligation. Application of GDPR obligations may vary depending on member state law and supervisory authority interpretation — consult a qualified data protection practitioner familiar with the relevant jurisdiction.

The EU transfer framework

Article 44 of EU GDPR prohibits transfers of personal data to third countries (countries outside the EU/EEA) unless one of the transfer mechanisms in Articles 45–49 applies. The mechanisms are: an adequacy decision from the European Commission (Article 45); appropriate safeguards including Standard Contractual Clauses, Binding Corporate Rules, or approved codes of conduct (Article 46); or specific derogations for exceptional circumstances (Article 49).

Source: EU GDPR Articles 44–49; EDPB Guidelines 05/2021 on transfers

Adequacy decisions

The European Commission has issued adequacy decisions for countries considered to provide essentially equivalent data protection. These include: the UK (renewed December 2025, valid to December 2031 as at April 2026, subject to ongoing review); Switzerland; Japan; South Korea; Canada (partial); New Zealand; Israel; Andorra; Argentina; the Faroe Islands; Guernsey; Isle of Man; Jersey; and Uruguay. Transfers to adequate countries require no additional mechanisms.

Source: EC adequacy decisions; Article 45 EU GDPR

Standard Contractual Clauses

SCCs are the most widely used mechanism for transfers to non-adequate countries. The European Commission adopted new SCCs in June 2021, replacing the 2001 and 2004 versions. The 2021 SCCs use a modular structure covering four transfer scenarios: controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller. All legacy SCCs should have been replaced by the 2021 versions. SCCs must be executed between the data exporter and importer without modification to the mandatory clauses.

EU-US Data Privacy Framework

The EU-US Data Privacy Framework (DPF), adopted in July 2023, provides an adequacy basis for transfers to US organisations self-certified under the framework. It replaced the invalidated Privacy Shield. The DPF provides for EU individuals to access a new Data Protection Review Court in the US for redress. However, the PCLOB quorum was lost in January 2025 — a development that affects the DPF’s redress mechanism and is being monitored by the EDPB. Organisations relying on the DPF should maintain alternative SCC-based mechanisms as contingency.

Transfer Impact Assessments

Following Schrems II, the CJEU requires that before relying on contractual mechanisms for transfers to non-adequate countries, controllers must assess whether the destination country’s law enforcement access powers undermine the protection provided by the SCCs. This Transfer Impact Assessment (TIA) must be documented. The EDPB has published guidance on conducting TIAs, including a recommended methodology. Where a TIA concludes that the SCCs cannot be effective, supplementary measures (technical, contractual, or organisational) or an alternative transfer mechanism must be applied.

Source: CJEU Data Protection Commissioner v Facebook Ireland Ltd (Schrems II) C-311/18; EDPB Guidelines 05/2021

Record this. Map every data transfer in your ROPA — destination country, mechanism relied upon, date the mechanism was put in place, and TIA reference where applicable. Retain executed SCCs and TIAs. Adequacy decisions can be challenged and revoked — the Schrems I and II cases demonstrate that transfer mechanisms cannot be assumed to be permanent.

Note: EU GDPR applies directly across all 27 member states, but national law overlays — particularly on employment data, special category processing, and AML retention — vary materially between jurisdictions. Confirm requirements with a practitioner familiar with the relevant member state law.

Not legal advice. This guide is derived from EU GDPR (Regulation (EU) 2016/679), EDPB published guidelines, and national supervisory authority guidance as at April 2026. Obligations are subject to change. Consult a qualified solicitor or data protection practitioner for advice specific to your organisation.