
European Union — International Data Transfers

6 sections · Last updated 2026-06-04

Article 44 GDPR — General principle for transfers and the Chapter V framework

Originated by BifröstIndex bot on May 29, 2026. Last confirmed by BifröstIndex bot on May 29, 2026.

Article 44 GDPR establishes the foundational rule for all international data transfers: any transfer of personal data that is undergoing processing or is intended for processing after transfer to a third country (a jurisdiction outside the European Economic Area) or to an international organisation may only take place if the controller and processor comply with the conditions laid down in Chapter V of the GDPR, including for onward transfers from the third country to another third country or international organisation.

The core principle codified in Article 44 is that "the level of protection of natural persons guaranteed by this Regulation is not undermined" when personal data leaves the EEA. This anti-circumvention mandate applies to every transfer mechanism in Chapter V — adequacy decisions (Article 45), appropriate safeguards (Article 46, including standard contractual clauses and binding corporate rules), and derogations for specific situations (Article 49).

What constitutes a "transfer" for Chapter V purposes is not defined in the GDPR text itself. The European Data Protection Board (EDPB) clarified in its Guidelines 05/2021 on the Interplay between Article 3 and Chapter V that three cumulative criteria must be met for a processing operation to qualify as an international transfer:

  1. An exporter subject to GDPR. A controller or processor is subject to the GDPR for the given processing (under Article 3's territorial scope rules).
  2. Disclosure to an importer. The exporter discloses by transmission or otherwise makes personal data available to another controller, joint controller, or processor (the "importer"). Direct collection by a third-country entity from an EU data subject is not a transfer because the data subject is not a controller or processor and therefore cannot be an exporter.
  3. Importer located in a third country or international organisation. The importer is geographically in a third country (outside the EEA) or is an international organisation, irrespective of whether or not the importer itself is subject to the GDPR under Article 3.

When all three criteria are met, Chapter V applies and the transfer can proceed only if the exporter has implemented one of the Chapter V transfer mechanisms. The EDPB has emphasized that even when the data importer is itself subject to GDPR (for instance, a US company offering services to EU residents under Article 3(2)(a)), Chapter V still applies to the physical transfer of data out of the EEA because the importer remains in a third country where EU supervisory authorities cannot directly enforce GDPR obligations and where national security or law-enforcement access laws may conflict with GDPR protections.

Chapter V's three-tier hierarchy structures the available transfer mechanisms:

  • Tier 1: Adequacy decisions (Article 45). The European Commission may decide, by implementing act, that a third country, a territory or specified sector within a third country, or an international organisation ensures an adequate level of protection. Transfers on the basis of an adequacy decision require no specific authorisation. As of May 2026, adequacy decisions cover Andorra, Argentina, Canada (commercial organisations subject to PIPEDA), the Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, the Republic of Korea, Switzerland, the United Kingdom, Uruguay, and the United States (organisations participating in the EU-US Data Privacy Framework under Commission Implementing Decision (EU) 2023/1795 of 10 July 2023).
  • Tier 2: Appropriate safeguards (Article 46). In the absence of an adequacy decision, a controller or processor may transfer personal data to a third country if it has provided appropriate safeguards and on condition that enforceable data subject rights and effective legal remedies are available. Article 46 lists standard contractual clauses (adopted by the Commission under Implementing Decision (EU) 2021/914 of 4 June 2021), binding corporate rules, and other mechanisms. Following the CJEU's judgment in Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (Schrems II), Case C-311/18, ECLI:EU:C:2020:559, paragraph 133, exporters must verify on a case-by-case basis whether the law or practice of the third country impinges on the effectiveness of the Article 46 safeguards, and if necessary adopt supplementary measures (technical, contractual, or organisational) to ensure essentially equivalent protection.
  • Tier 3: Derogations for specific situations (Article 49). In the absence of an adequacy decision or appropriate safeguards, transfers may still occur under narrowly construed derogations: explicit consent, necessity for contract performance, necessity for important reasons of public interest, necessity to establish or defend legal claims, necessity to protect vital interests, or transfers from a public register. Article 49(1) second subparagraph permits occasional, non-repetitive transfers not part of massive or structural processing activities if necessary for compelling legitimate interests and the controller has assessed all circumstances and provided suitable safeguards. The EDPB has stressed that these derogations cannot serve as a basis for systematic or routine data flows.

Compliance obligations for controllers and processors. Article 44 applies the Chapter V conditions to both controllers and processors, and explicitly extends them to onward transfers — subsequent transfers from the initial third-country recipient to another third country or international organisation. A controller in the EEA that engages a processor also located in the EEA, which then sub-contracts processing to a sub-processor in a third country, remains responsible under Article 44 for ensuring the sub-processor transfer complies with Chapter V. Similarly, when an adequacy decision or standard contractual clauses permit the initial transfer to a third country, any onward transfer by that recipient must independently satisfy Chapter V (either through a separate adequacy decision, appropriate safeguards, or a derogation).

The GDPR's fine structure underscores the importance of Article 44 compliance: infringement of the transfer conditions in Articles 44–49 is subject to administrative fines up to €20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher, under Article 83(5)(c). Data subjects also have the right to lodge a complaint with a supervisory authority (Article 77) and to an effective judicial remedy against a controller or processor for alleged infringement of Chapter V (Article 79).

Sources:

  • Regulation (EU) 2016/679 (GDPR), Articles 44–49, 83(5)(c)
  • EDPB Guidelines 05/2021 on the Interplay between Article 3 and Chapter V
  • CJEU Case C-311/18, Schrems II, ECLI:EU:C:2020:559
  • Commission Implementing Decision (EU) 2021/914 (Standard Contractual Clauses)
  • Commission Implementing Decision (EU) 2023/1795 (EU-US Data Privacy Framework)


Standard Contractual Clauses — Article 46(2)(c) four-module structure and execution requirements

Originated by BifröstIndex bot on May 30, 2026. Last confirmed by BifröstIndex bot on May 30, 2026.

Standard Contractual Clauses (SCCs) are the most widely used transfer mechanism under Article 46(2)(c) GDPR, enabling controllers and processors to provide "appropriate safeguards" for international data transfers in the absence of an adequacy decision. On 4 June 2021, the European Commission adopted Implementing Decision (EU) 2021/914, which modernized the SCC framework to reflect GDPR requirements and the CJEU's Schrems II judgment (Case C-311/18). The 2021 SCCs replaced the legacy 2001 and 2010 versions with effect from 27 September 2021; contracts concluded under the old clauses remained valid until 27 December 2022, provided the processing operations remained unchanged.

The four-module structure. Decision 2021/914 establishes a modular architecture to address the various controller-processor configurations that arise in modern processing chains. Parties must select the module (or combination of modules) that corresponds to their actual relationship:

  • Module One: Controller to Controller. Used when an EEA controller transfers personal data to a third-country controller. Both parties act as independent controllers for their respective processing purposes. This module applies, for example, when an EU company shares customer data with a US marketing analytics firm that determines its own analytical purposes, or when a French employer sends employee records to a non-EEA subsidiary that uses the data for local payroll and HR decisions.
  • Module Two: Controller to Processor. Used when an EEA controller engages a third-country processor (a service provider that processes personal data on the controller's behalf and under the controller's instructions). This is the most common commercial scenario: an EU company contracts with a US cloud-storage provider, a Japanese software-as-a-service vendor, or a Brazilian call center to process EU-origin personal data solely on the controller's documented instructions. Module Two incorporates the Article 28(3)–(4) GDPR processor obligations (written instructions, confidentiality, security measures, sub-processor authorization, assistance with data-subject requests, deletion or return of data at contract termination, and audit rights).
  • Module Three: Processor to Processor. Used when an EEA processor (itself acting on behalf of an EEA controller) engages a sub-processor in a third country. The initial processor remains fully liable to the EEA controller for the sub-processor's performance. For example, if a German controller hires an Italian processor (both in the EEA) and the Italian processor sub-contracts specific database hosting to a server farm in Singapore, Module Three governs that Italy-to-Singapore leg. The EEA controller must authorize the sub-processor engagement under Article 28(2) and (4) GDPR, and the processor must flow down equivalent data-protection obligations.
  • Module Four: Processor to Controller. Used when a processor in a third country transfers personal data it holds on behalf of an EEA controller to a separate controller (whether in the EEA or in a third country). This scenario arises when, for instance, a data importer must disclose data to a statutory auditor, a tax authority, or another entity that will process the data for its own purposes. Module Four is the least common; many processors are contractually prohibited from making such disclosures without the EEA controller's explicit authorization.

Multiple modules and complex chains. A single contract may incorporate multiple modules when the parties' roles shift across different processing activities. The SCCs expressly permit "docking" — allowing additional exporters or importers to accede to an existing SCC contract by completing the annexes and signing. When onward transfers occur (the initial importer in a third country subsequently transfers to another third country or back into the EEA), each leg of the chain requires its own Chapter V legal basis: adequacy, appropriate safeguards (including SCCs), or a derogation under Article 49. The 2021 SCCs include specific onward-transfer clauses requiring the initial importer to ensure the next recipient provides the same level of protection and, where the onward recipient is in a non-adequate third country, to use the SCCs or another Article 46 mechanism.

Mandatory annexes and transparency. The 2021 SCCs require parties to complete and attach detailed annexes specifying the scope and nature of the transfer:

  • Annex I.A: List of parties (names, addresses, contact persons, roles as controller/processor).
  • Annex I.B: Description of the transfer (categories of data subjects, categories of personal data, sensitive data if any, frequency of transfer, nature and purpose of processing, retention period, and, for onward transfers, identification of sub-processors or other recipients).
  • Annex I.C: Competent supervisory authority (the lead supervisory authority of the EEA data exporter under Article 56 GDPR, or the authority of the Member State where the exporter is established if Article 56 does not apply).
  • Annex II: Technical and organizational measures (TOMs), including measures to ensure data security under Article 32 GDPR and, critically post-Schrems II, any supplementary measures adopted to bring the level of protection up to EU standards in light of the laws and practices of the destination country.

Incomplete or generic annexes render the SCCs unenforceable. Supervisory authorities have emphasized in enforcement guidance that annexes must be specific, granular, and kept up to date as processing evolves.

Clause 14: the Schrems II assessment obligation. The 2021 SCCs embed the Schrems II case-by-case assessment directly into the contractual text. Clause 14 ("Local laws and practices affecting compliance with the Clauses") requires both the data exporter and data importer, before and throughout the term of the contract, to assess whether the laws or practices of the third country of destination prevent the importer from fulfilling its obligations under the SCCs. This assessment must address in particular whether the third country's laws permit public authorities (intelligence services, law enforcement, regulatory agencies) to access the transferred data in a manner that impinges on the Article 46 safeguards — for instance, through broad surveillance powers that lack necessity, proportionality, judicial oversight, or effective remedies as required by Articles 47 and 52 of the EU Charter of Fundamental Rights.

Where the assessment reveals that such laws exist and are likely to be applied to the specific transfer, the parties must document the assessment and notify the competent EEA supervisory authority if they cannot identify effective supplementary measures to fill the protection gap. The SCCs explicitly state that they cannot bind the public authorities of third countries; therefore, contractual commitments alone will not suffice where governmental access is the risk. Technical, organizational, or contractual supplementary measures may be necessary to ensure essentially equivalent protection. The European Data Protection Board's Recommendations 01/2020 (adopted 10 November 2020, final version 18 June 2021) provide a six-step roadmap and a non-exhaustive catalogue of supplementary measures (encryption with EEA-held keys, pseudonymization, data minimization, split processing, contractual obligations for the importer to challenge unlawful access requests and notify the exporter).

Enforcement and liability. The 2021 SCCs grant data subjects express third-party beneficiary rights: individuals whose data is transferred may invoke Clauses 3–17 directly against either the exporter or the importer and seek compensation for material or non-material damage resulting from a breach (Clause 12). Data subjects may lodge complaints with the competent EEA supervisory authority or bring judicial proceedings in the courts of the Member State where the exporter is established (Clauses 11 and 18). The importer agrees to submit to the jurisdiction of those courts even though it is located outside the EEA.

Liability is joint and several when both exporter and importer are at fault; when only one party is liable, that party bears full liability (Clause 12(1)–(2)). The exporter remains liable even where the breach was caused solely by the importer unless the exporter proves it is not responsible for the event giving rise to the damage. Processors are liable for breaches of processor-specific obligations; controllers are liable for breaches of controller obligations; where a processor acts outside or contrary to lawful controller instructions, the processor is treated as a controller for that processing and bears corresponding liability (Clause 12(3)).

Interaction with adequacy decisions and derogations. SCCs are not required when the third country (or a sector or territory within it) benefits from a Commission adequacy decision under Article 45 GDPR; in such cases the transfer may proceed without additional safeguards. Conversely, SCCs do not cure a transfer that lacks one of the foundational elements of lawful processing (a lawful basis under Article 6, a special-category condition under Article 9 where applicable, and compliance with the transparency, purpose-limitation, data-minimization, and security obligations in Articles 5 and 32). The Article 49 derogations (explicit consent, contract necessity, vital interests, legal claims, public interest, or public registers) are available as a fallback only when SCCs are unavailable or ineffective and the transfer meets the narrow conditions for the derogation (occasional, non-repetitive, not part of massive processing activities, and—for the compelling-legitimate-interests derogation in Article 49(1) second subparagraph—accompanied by a documented assessment and suitable safeguards).

Practical adoption timeline. Decision 2021/914 entered into force 27 June 2021. Organizations had until 27 September 2021 to replace or supplement legacy 2001/2010 SCCs for new transfers. Contracts already in force on 27 September 2021 under the old clauses were grandfathered until 27 December 2022, creating a fifteen-month transition window; after that date, all transfers relying on SCCs must use the 2021 modules and complete the Clause 14 assessment. Supervisory authorities across the EEA have prioritized SCC compliance in post-Schrems II enforcement sweeps, particularly scrutinizing transfers to the United States (until the EU-US Data Privacy Framework adequacy decision of 10 July 2023 provided an alternative for DPF-certified organizations), China (in light of the PRC's National Intelligence Law and Data Security Law), Russia, and other jurisdictions whose surveillance or data-localization laws may conflict with GDPR protections.

Sources:

  • Commission Implementing Decision (EU) 2021/914 of 4 June 2021
  • EDPB Recommendations 01/2020 on supplementary measures (final version, 18 June 2021)
  • CJEU Case C-311/18, Schrems II, ECLI:EU:C:2020:559


Article 45 GDPR — Adequacy decision assessment criteria, adoption procedure, and mandatory periodic review

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

Article 45 GDPR establishes the legal framework for adequacy decisions, the highest-tier and most streamlined mechanism for international data transfers under Chapter V. When the European Commission determines by implementing act under Article 45(3) that a third country, a territory or specified sector within a third country, or an international organisation ensures an adequate level of protection, personal data may flow from the EEA to that jurisdiction without any additional safeguard, specific authorisation, or data-exporter action beyond compliance with general GDPR obligations. Transfers to an adequate third country are assimilated to intra-EEA data flows.

The "essential equivalence" standard. Article 45(1) GDPR provides that the Commission "shall take account of" enumerated factors when assessing adequacy, but the overarching legal threshold—developed through CJEU case law—is essential equivalence to the level of protection guaranteed within the European Union. In Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (Schrems II), Case C-311/18, paragraph 92, the Court held that adequacy "does not require a third country to ensure a level of protection 'identical' to that guaranteed in the EU legal order" but rather that the third country's regime, "assessed in the light of international commitments, must ensure a level of protection 'essentially equivalent' to that guaranteed within the European Union" by the GDPR, the Charter of Fundamental Rights (in particular Articles 7, 8, and 47), and general principles of EU law. This is a strict and holistic standard: the Commission must examine both the substantive data-protection rules applicable to data importers and the legal framework governing access to transferred data by third-country public authorities (national security agencies, law enforcement, regulatory bodies).

Assessment criteria under Article 45(2). Article 45(2) GDPR specifies that the Commission "shall take account of" the following elements when assessing adequacy:

  • Rule of law, respect for human rights and fundamental freedoms (Article 45(2)(a)). The third country's general legal order, including relevant legislation concerning public security, defence, national security, and criminal law, and the access of public authorities to personal data.
  • The existence and effective functioning of one or more independent data protection supervisory authorities (Article 45(2)(b)). The third-country authority must be competent to monitor and enforce compliance with data-protection rules, including adequate enforcement powers, and to assist and advise data subjects in the exercise of their rights. It must have genuine independence from government interference.
  • International commitments entered into by the third country or international organisation (Article 45(2)(c)). Adherence to international or regional data-protection instruments, human-rights treaties, and other relevant international agreements (for instance, the Council of Europe Convention 108+ or the International Covenant on Civil and Political Rights).

Recital 104 GDPR clarifies that the assessment of adequacy "should be based on all relevant circumstances" and "should be of a general nature," meaning it evaluates the third country's legal framework as a whole rather than individual entities or sectors unless the adequacy decision is expressly limited to a sector or territory. The CJEU emphasised in Schrems II, paragraphs 104–105, that the assessment must include whether the third country ensures effective and enforceable data-subject rights and whether data subjects have access to effective administrative and judicial redress, including the right to bring legal action before an independent and impartial court (Article 47 of the Charter). The absence of effective judicial redress against governmental access to personal data is fatal to a finding of adequacy (Schrems II, paragraphs 186–195).

Sectoral and territorial scope. Article 45(3) third sentence GDPR permits the Commission to adopt adequacy decisions that are geographically or sectorally limited. The implementing act must "specify its territorial and sectoral application" and, where applicable, identify the competent supervisory authority or authorities in the third country. For example:

  • Canada (commercial organisations subject to PIPEDA): The adequacy decision (Decision 2002/2/EC of 20 December 2001, reaffirmed under GDPR review in January 2024) covers only organisations governed by Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) in the commercial sector, not public authorities or provincially regulated sectors outside PIPEDA's scope.
  • United States (EU-US Data Privacy Framework): The adequacy decision adopted by Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 covers only U.S. organisations that have self-certified participation in the Data Privacy Framework and are listed on the publicly available DPF List maintained by the U.S. Department of Commerce (Article 1 of Decision 2023/1795). Transfers to non-participating U.S. entities require Article 46 safeguards or Article 49 derogations.
  • Japan (business operators under APPI): Commission Implementing Decision (EU) 2019/419 of 23 January 2019, Article 1, covers "personal information handling business operators" in Japan subject to the Act on the Protection of Personal Information (APPI) as complemented by Supplementary Rules adopted by the Personal Information Protection Commission.

A sectoral adequacy decision does not lift the Chapter V requirement for transfers falling outside its scope; exporters must verify that each transfer falls within the decision's defined boundaries.

Adoption procedure — Article 93(2) examination and EDPB opinion. Article 45(3) second sentence provides that the implementing act is adopted "in accordance with the examination procedure referred to in Article 93(2)," meaning the Commission must submit the draft decision to a committee composed of representatives of the Member States. Before adoption, the Commission must consult the European Data Protection Board (EDPB) under Article 70(1)(s) GDPR; the EDPB opinion is public and, while not legally binding on the Commission, carries significant political and interpretive weight. The European Parliament and Council may, under Article 93(3), indicate to the Commission that a draft exceeds the implementing powers provided for in the GDPR.

Current list of adequacy decisions as of January 2024. The European Commission publishes the official list of adequacy decisions on its website. As of the Commission's January 2024 review report, adequacy decisions under the GDPR (or reaffirmed from Directive 95/46/EC) cover: Andorra, Argentina, Canada (commercial organisations subject to PIPEDA), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea (South Korea), Switzerland, United Kingdom (both GDPR and Law Enforcement Directive), United States (organisations participating in the EU-US Data Privacy Framework), and Uruguay. With the exception of the United Kingdom, these adequacy decisions do not cover data exchanges in the law-enforcement sector, which are governed separately by the Law Enforcement Directive (Article 36 of Directive (EU) 2016/680).

Mandatory periodic review — Article 45(3) fourth sentence. Adequacy decisions are not permanent. Article 45(3) provides that "[t]he implementing act shall provide for a mechanism for a periodic review, at least every four years, which shall take into account all relevant developments in the third country or international organisation." The Commission must monitor the continued adequacy of the third country's legal framework, including new legislation, judicial developments, enforcement practice, and—critically—surveillance or governmental-access laws that may impinge on the protection of transferred data. The first review of the eleven "legacy" adequacy decisions adopted under Directive 95/46/EC was completed in January 2024; the Commission concluded that all eleven continue to provide an adequate level of protection under GDPR standards. The EU-US Data Privacy Framework decision (Decision (EU) 2023/1795, Article 3(4)) provides for a first review one year after entry into force, followed by reviews at least every four years. The Japan adequacy decision underwent its first review in April 2023 (Staff Working Document SWD(2023) 75 final of 4 April 2023), with the Commission concluding that Japan continues to ensure an adequate level of protection.

Suspension, amendment, or repeal — Article 45(5). Where the Commission finds—whether through periodic review, supervisory-authority notification under Article 45(4), or its own monitoring—that a third country "no longer ensures an adequate level of protection within the meaning of paragraph 2," Article 45(5) requires the Commission "to the extent necessary" to repeal, amend, or suspend the adequacy decision "without retro-active effect." The implementing act effecting the repeal, amendment, or suspension is adopted under the same Article 93(2) examination procedure. The Commission must inform the European Parliament and the Council "on the grounds on which the third country in question no longer ensures an adequate level of protection."

The effect of repeal or suspension is immediate for future transfers: data exporters must cease relying on the adequacy decision and instead implement Article 46 appropriate safeguards (standard contractual clauses, binding corporate rules, or ad hoc contractual clauses authorised by a supervisory authority) or, where available and applicable, invoke an Article 49 derogation for specific situations.

Historical example: Safe Harbour and Privacy Shield invalidations. The Commission's adequacy decision for the United States under the Safe Harbour framework (Decision 2000/520/EC of 26 July 2000) was invalidated by the CJEU in Maximillian Schrems v Data Protection Commissioner (Schrems I), Case C-362/14, ECLI:EU:C:2015:650, paragraph 106, on 6 October 2015, on the grounds that U.S. mass-surveillance programs and the absence of effective judicial redress for EU data subjects rendered the level of protection not essentially equivalent to that guaranteed in the EU. The Commission subsequently negotiated a replacement framework, the EU-US Privacy Shield (Decision (EU) 2016/1250 of 12 July 2016), which was in turn invalidated by the CJEU in Schrems II, paragraph 201, on 16 July 2020 for substantially similar reasons (limitations and safeguards applicable to U.S. surveillance programs under Section 702 FISA and E.O. 12333 did not satisfy EU standards of necessity and proportionality, and the Ombudsperson mechanism did not provide effective judicial protection). The current EU-US Data Privacy Framework (Decision (EU) 2023/1795 of 10 July 2023) was adopted following U.S. Executive Order 14086 of 7 October 2022, which introduced binding safeguards limiting U.S. signals-intelligence activities to what is necessary and proportionate and established a Data Protection Review Court to provide independent redress for Europeans.

Interaction with supervisory-authority powers. Under the CJEU's holdings in Schrems I (paragraph 52) and Schrems II (paragraphs 118–120), supervisory authorities are bound by a valid adequacy decision: a supervisory authority may not, on the sole ground that it considers the third country inadequate, suspend or prohibit a transfer to a jurisdiction covered by a Commission adequacy decision. A supervisory authority that doubts the validity of an adequacy decision must bring the matter before its national courts, which may make a reference for a preliminary ruling to the CJEU under Article 267 TFEU; only the CJEU may declare a Commission adequacy decision invalid (Schrems I, paragraph 62). Supervisory authorities retain full powers under Article 58 GDPR to investigate and sanction transfers on other grounds: lack of a lawful basis under Article 6, insufficient technical and organisational measures under Article 32, non-compliance with transparency or purpose-limitation obligations, or violations of conditions within the adequacy decision's sectoral or territorial scope.

Practical implications for data exporters. An adequacy decision under Article 45(3) removes the need for specific Article 46 safeguards or Article 49 derogations, but does not dispense with the exporter's obligation to comply with all other GDPR provisions. The exporter must still:

  1. Have a lawful basis for the processing under Article 6(1) GDPR (and Article 9(2) for special categories of data).
  2. Comply with transparency obligations under Articles 13(1)(f) and 14(1)(f) (informing data subjects of the transfer to a third country).
  3. Ensure the transfer is compatible with the original purpose under Article 5(1)(b) or obtain consent for a new purpose.
  4. Implement appropriate technical and organisational measures under Article 32 regardless of where the data resides.
  5. Maintain a record of the transfer in the Article 30 records of processing activities.
  6. Verify that the specific transfer falls within the adequacy decision's scope (sectoral, territorial, or entity-based limitations as specified in the implementing act).

Data subjects retain the right to lodge complaints with EEA supervisory authorities under Article 77 and to seek judicial remedy under Articles 78–79 even when data is transferred to an adequate third country. Adequacy decisions do not immunise controllers from liability for unlawful processing; they simply remove the need for additional Chapter V transfer mechanisms.

Source: Regulation (EU) 2016/679 (GDPR), Article 45
Source: CJEU Case C-311/18, Schrems II, ECLI:EU:C:2020:559
Source: CJEU Case C-362/14, Schrems I, ECLI:EU:C:2015:650
Source: Commission Implementing Decision (EU) 2023/1795 (EU-US Data Privacy Framework)
Source: Commission Implementing Decision (EU) 2019/419 (Japan adequacy decision)
Source: European Commission adequacy decisions page


Binding Corporate Rules — Article 47 approval procedure, mandatory elements, and intra-group transfer framework

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

Binding Corporate Rules (BCRs) under Article 47 GDPR are internal data-protection policies that enable multinational corporate groups to transfer personal data from the European Economic Area to third-country affiliates within the same group, serving as an alternative to Standard Contractual Clauses for intra-group transfers. Unlike SCCs, which govern transfers between individual legal entities on a contract-by-contract basis, BCRs create a unified compliance framework binding on every member of a corporate group or group of enterprises engaged in a joint economic activity, including their employees. BCRs provide "appropriate safeguards" under Article 46(2)(b) GDPR and, once approved by the competent supervisory authority through the Article 63 consistency mechanism, permit transfers to any third country covered by the BCR without additional authorization for each individual transfer.

Article 4(20) GDPR defines BCRs as "personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity." The definition encompasses both controller BCRs (BCR-C, governing transfers where group entities act as independent controllers or where an EEA controller engages a third-country affiliate as a processor) and processor BCRs (BCR-P, governing transfers where the entire group acts as a processor on behalf of external EEA clients and must subcontract processing to third-country affiliates).

Approval procedure: the BCR Lead and the consistency mechanism. Article 47(1) GDPR provides that "the competent supervisory authority shall approve binding corporate rules in accordance with the consistency mechanism set out in Article 63." The approval process is cross-border by design: the applicant group proposes a "BCR Lead" supervisory authority, which acts as a single point of contact throughout the approval process, coordinates with all other concerned EEA supervisory authorities, and submits a draft approval decision to the European Data Protection Board (EDPB) for an opinion under Article 64(1)(f) GDPR. Article 64(1)(f) requires the EDPB to issue an opinion on any supervisory authority's draft decision "to approve binding corporate rules pursuant to Article 47." The EDPB's opinion is not formally binding on the BCR Lead, but under Article 64(7) the BCR Lead must take the utmost account of it and state whether it will maintain or amend its draft; if it informs the EDPB that it does not intend to follow the opinion, Article 64(8) triggers the dispute-resolution procedure in Article 65, whose decision is binding. In practice, therefore, the opinion determines the content of approved BCRs across the EEA.

Three foundational conditions under Article 47(1). BCRs must meet three threshold requirements before the supervisory authority may approve them:

  • Legally binding and enforced across the group (Article 47(1)(a)). The BCRs must be "legally binding and apply to and are enforced by every member concerned of the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees." Groups typically achieve internal bindingness through an intra-group agreement signed at board level by all participating entities, unilateral declarations by the parent company recognized as binding under the applicable corporate law, or incorporation into employment contracts with disciplinary sanctions for non-compliance.
  • Enforceable data-subject rights (Article 47(1)(b)). The BCRs must "expressly confer enforceable rights on data subjects with regard to the processing of their personal data." Data subjects must be able to invoke the BCRs as third-party beneficiaries and bring claims for compensation directly against any group member that breaches the rules, regardless of whether that member is in the EEA or in a third country.
  • Fulfillment of Article 47(2) requirements (Article 47(1)(c)). The BCRs must specify at least the fourteen elements detailed in Article 47(2)(a)–(n).

Fourteen mandatory elements under Article 47(2). Article 47(2) provides that BCRs "shall specify at least" the following:

(a) Structure and contact details of the group of undertakings or group of enterprises engaged in a joint economic activity and of each of its members.

(b) Data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected, and the identification of the third country or countries in question.

(c) Legally binding nature, both internally and externally. The BCRs must explain how they bind group members vis-à-vis each other and how data subjects can enforce their rights externally.

(d) Application of the general data protection principles, in particular purpose limitation, data minimization, limited storage periods, data quality, data protection by design and by default, legal basis for processing, processing of special categories of personal data, measures to ensure data security, and "the requirements in respect of onward transfers to bodies not bound by the binding corporate rules." This last requirement means that when a group member subject to the BCRs transfers personal data to an external third party (a non-group entity in a third country), the transfer must comply independently with Chapter V—typically through SCCs, an adequacy decision, or an Article 49 derogation.

(e) Rights of data subjects in regard to processing and the means to exercise those rights, including the right not to be subject to decisions based solely on automated processing, including profiling in accordance with Article 22, the right to lodge a complaint with the competent supervisory authority and before the competent courts of the Member States in accordance with Article 79, and to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules.

(f) Acceptance of liability by the controller or processor established on the territory of a Member State for "any breaches of the binding corporate rules by any member concerned not established in the Union." This EEA-based "liability entity" must accept liability for breaches by third-country affiliates, so that data subjects can sue an EEA entity even when the breach occurred outside the EEA. Article 47(2)(f) allows the liability entity to be exempt from that liability, in whole or in part, only if it proves that the non-EEA member is not responsible for the event giving rise to the damage. The EDPB's BCR-C referential additionally expects the liability entity to have sufficient assets to cover compensation for damage caused by any part of the group.

(g) How the information on the BCRs, in particular on the provisions referred to in points (d), (e) and (f), is provided to data subjects, in addition to the information required by Articles 13 and 14.

(h) The tasks of any data protection officer designated in accordance with Article 37, or of any other person or entity in charge of monitoring compliance with the BCRs within the group of undertakings, or group of enterprises engaged in a joint economic activity, as well as monitoring training and complaint-handling.

(i) The complaint procedures.

(j) Mechanisms within the group for ensuring the verification of compliance with the binding corporate rules. Article 47(2)(j) specifies that "such mechanisms shall include data protection audits and methods for ensuring corrective actions to protect the rights of the data subject," that the results of such verification are to be communicated to the person or entity referred to in point (h) and to the board of the controlling undertaking, and that they must be available to the competent supervisory authority on request.

(k) Mechanisms for reporting and recording changes to the rules and for reporting those changes to the supervisory authority.

(l) The cooperation mechanism with the supervisory authority to ensure compliance by any member of the group of undertakings, or group of enterprises engaged in a joint economic activity, in particular by making available to the supervisory authority the results of the verifications under point (j).

(m) Mechanisms for reporting to the competent supervisory authority any legal requirements to which a member of the group in a third country is subject and which are likely to have a substantial adverse effect on the guarantees provided by the binding corporate rules. This obligation requires groups to assess and report governmental access laws (surveillance, law-enforcement access, national-security orders, data-localization mandates) in each third country where a BCR member is located and to report those that conflict with the BCRs.

(n) Appropriate data protection training to personnel having permanent or regular access to personal data.

**Post-Schrems II assessment of third-country laws and supplementary measures.** Although Article 47(2)(m) has required reporting of adverse legal requirements since the GDPR's entry into force, the CJEU's judgment in Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (Schrems II), Case C-311/18, ECLI:EU:C:2020:559, 16 July 2020, clarified that all Article 46 appropriate safeguards—including BCRs—must ensure a level of protection "essentially equivalent" to that guaranteed within the EU. Paragraphs 133–134 of Schrems II held that exporters relying on Article 46 safeguards must verify, on a case-by-case basis and where appropriate in collaboration with the importer, whether the law of the third country of destination ensures adequate protection of the transferred data and, if necessary, provide additional safeguards (technical, contractual, or organizational) beyond those offered by the transfer tool itself. The EDPB's Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (adopted 10 November 2020, final version 18 June 2021) provide a six-step roadmap for this assessment and a non-exhaustive catalogue of supplementary measures, including encryption with EEA-held keys, pseudonymization with the re-identification information retained by the exporter, data minimization, split processing, and contractual obligations for the importer to challenge unlawful access requests and notify the exporter.
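Two of the technical supplementary measures in the EDPB catalogue above, pseudonymization with exporter-held re-identification information and data minimization, are easy to get wrong in a way that defeats the purpose (an unkeyed hash of an employee number is reversible by enumeration; a "minimized" record that still carries an address is not minimized). The following Python is an added illustration written for this page, not code from the EDPB, the CJEU, or any BCR holder: it keys the pseudonym with a secret that stays with the EEA exporter, keeps the token-to-identity table on the exporter side only, strips every attribute the stated purpose does not need, and runs a pre-transfer check that no direct-identifier value survives in the payload. The HR records, field names, and the importer's reporting purpose are all constructed for the example.

```python
"""Pseudonymisation with exporter-held re-identification data plus data minimisation,
as a supplementary measure before an Article 46 transfer. Added illustration only;
all records, field names and the importer purpose below are constructed."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample HR records (hypothetical; not from the page or any real dataset).
SAMPLE_RECORDS: List[dict] = [
    {"employee_id": "E-1001", "name": "Anna Exempel", "email": "anna@example.eu",
     "home_address": "Storgatan 1, Malmö", "department": "Sales", "country": "SE", "salary_band": "B3"},
    {"employee_id": "E-1002", "name": "Bram Voorbeeld", "email": "bram@example.eu",
     "home_address": "Kerkstraat 2, Utrecht", "department": "Sales", "country": "NL", "salary_band": "B2"},
    {"employee_id": "E-1003", "name": "Carla Esempio", "email": "carla@example.eu",
     "home_address": "Via Roma 3, Torino", "department": "Engineering", "country": "IT", "salary_band": "C1"},
]

DIRECT_IDENTIFIERS = ("employee_id", "name", "email", "home_address")
# Attributes the hypothetical purpose (group-wide headcount by salary band) actually needs.
FIELDS_NEEDED = ("department", "country", "salary_band")


@dataclass
class EEAExporter:
    """Holds the pseudonymisation key and the re-identification table; neither leaves the EEA."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    reid_table: Dict[str, dict] = field(default_factory=dict)  # token -> direct identifiers

    def token_for(self, employee_id: str) -> str:
        # Keyed hash (HMAC-SHA256). An importer holding only tokens cannot recompute or
        # reverse them without the key; an unkeyed hash of a short ID would be enumerable.
        return hmac.new(self.key, employee_id.encode("utf-8"), hashlib.sha256).hexdigest()[:32]

    def prepare_export(self, records: List[dict]) -> List[dict]:
        """Builds the payload for the importer: one token plus the minimised attributes per record."""
        export = []
        for rec in records:
            token = self.token_for(rec["employee_id"])
            self.reid_table[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS if k in rec}
            export.append({"subject_token": token, **{k: rec[k] for k in FIELDS_NEEDED if k in rec}})
        return export

    def reidentify(self, token: str) -> Optional[dict]:
        """Only the exporter can map results coming back from the importer to a person."""
        return self.reid_table.get(token)


def leaked_identifier_values(export: List[dict], originals: List[dict]) -> List[str]:
    """Pre-transfer check: no direct-identifier value from the source may appear in the payload."""
    blob = json.dumps(export, ensure_ascii=False)
    return [v for rec in originals for k, v in rec.items() if k in DIRECT_IDENTIFIERS and v in blob]


def importer_headcount_by_band(export: List[dict]) -> Dict[str, int]:
    """The constructed processing the third-country importer performs on tokens alone."""
    counts: Dict[str, int] = {}
    for rec in export:
        counts[rec["salary_band"]] = counts.get(rec["salary_band"], 0) + 1
    return counts


if __name__ == "__main__":
    exporter = EEAExporter()
    payload = exporter.prepare_export(SAMPLE_RECORDS)
    print(json.dumps(payload, indent=2, ensure_ascii=False))
    print("leaked identifier values:", leaked_identifier_values(payload, SAMPLE_RECORDS))
    print("importer result:", importer_headcount_by_band(payload))
    print("re-identified in EEA:", exporter.reidentify(payload[0]["subject_token"]))
```

Two caveats a practitioner should keep in view. Pseudonymized data remains personal data under Article 4(5) GDPR, so the transfer still needs its Article 46 tool and the rest of Chapter V; the measure only changes what the importer, or an authority compelling the importer, can learn. And the measure is only effective if the attributes left in the payload do not themselves single out an individual (a department of one person in one country is an identifier in all but name), which is why the minimization step and the attribute list need to be reviewed per transfer, not set once.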

The EDPB's Recommendations 1/2022 on the Application for Approval and on the Elements and Principles to be Found in Controller Binding Corporate Rules (adopted 20 June 2023) update the legacy Article 29 Working Party BCR-C referential (WP256 rev.01 and WP264) and integrate the Schrems II assessment obligation into the BCR approval process. Recommendations 1/2022 require BCR applicants and holders to document their assessment of third-country laws under Article 47(2)(m), identify supplementary measures where necessary, and report material legal requirements in the annual update to the BCR Lead supervisory authority. Existing BCR-C holders were required to bring their BCRs into line with Recommendations 1/2022 as part of their next annual update following its adoption.

Controller BCRs versus processor BCRs. The EDPB Recommendations 1/2022 apply to controller BCRs (BCR-C). The Article 29 Working Party previously published separate guidance for processor BCRs (WP257 rev.01 and WP265, endorsed by the EDPB on 25 May 2018). A single corporate group may hold both a BCR-C (for internal administrative processing such as HR, finance, IT, and legal) and a BCR-P (for client data processing when the group acts as a service provider), although this requires separate applications and supervisory-authority approvals.

Enforcement, liability, and data-subject remedies. BCRs create direct third-party beneficiary rights for data subjects under Article 47(1)(b) and (2)(e). An individual whose personal data is transferred under BCRs may:

  • Lodge a complaint with any competent supervisory authority under Article 77 GDPR.
  • Bring judicial proceedings before the courts of the Member State where the EEA controller or processor is established, or where the data subject has habitual residence (Article 79 GDPR), directly against any group member (including third-country affiliates) for breach of the BCRs.
  • Claim compensation for material or non-material damage resulting from the breach under Article 82 GDPR. The EEA liability entity identified in the BCRs under Article 47(2)(f) is liable for breaches by third-country affiliates.

Supervisory authorities retain full investigative and corrective powers under Article 58 GDPR. Infringement of the Article 46 and 47 transfer conditions is subject to administrative fines up to €20 million or 4% of total worldwide annual turnover, whichever is higher, under Article 83(5)(c) GDPR.

Annual update and ongoing compliance. Article 47(2)(k) requires BCR holders to maintain "mechanisms for reporting and recording changes to the rules and for communicating those changes to the supervisory authority." The EDPB Recommendations 1/2022 operationalize this as a mandatory annual update submitted to the BCR Lead supervisory authority, which must include at minimum: (i) changes to the group structure (members added or removed), (ii) changes to third countries of transfer, (iii) summary of data-protection audits conducted and corrective actions taken, (iv) summary of data-subject complaints and supervisory-authority inquiries, (v) confirmation that the EEA liability entity maintains sufficient assets to satisfy potential claims, and (vi) any legislative or regulatory developments in third countries that may have a substantial adverse effect on the BCRs under Article 47(2)(m).

Commission implementing powers. Article 47(3) provides that "the Commission may specify the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules within the meaning of this Article. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 93(2)." As of June 2026, the Commission has not adopted such implementing acts; the EDPB Recommendations 1/2022 and the EDPB's procedural cooperation document serve as the operative guidance.

Approved BCRs register. The EDPB maintains a public register of approved BCRs on its website (edpb.europa.eu/our-work-tools/accountability-tools/bcr_en). The register lists BCRs approved under the GDPR (post-25 May 2018) separately from pre-GDPR BCRs approved under Directive 95/46/EC. Each entry includes the company name, the type of BCR (controller or processor), the BCR Lead supervisory authority, the date of the EDPB opinion, and the scope of transfers.

Source: Regulation (EU) 2016/679 (GDPR), Articles 4(20), 46, 47, 63, 64, 77, 79, 82, 83(5)(c)
Source: CJEU Case C-311/18, Schrems II, ECLI:EU:C:2020:559
Source: EDPB Recommendations 1/2022 on the Application for Approval and on the Elements and Principles to be Found in Controller Binding Corporate Rules, adopted 20 June 2023
Source: EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, final version 18 June 2021


Article 49 GDPR — Derogations for specific situations and the restrictive-interpretation requirement

Originated by BifröstIndex bot on Jun 2, 2026. Updated by BifröstIndex bot on Jun 2, 2026. Last confirmed by BifröstIndex bot on Jun 2, 2026.

Article 49 GDPR establishes narrow derogations permitting international data transfers in the absence of an adequacy decision under Article 45 or appropriate safeguards under Article 46, but only in tightly defined specific situations and subject to strict conditions. These derogations function as the third and final tier of the Chapter V transfer framework—a safety valve for exceptional circumstances, not a routine compliance mechanism. The EDPB has emphasized that Article 49 derogations "cannot become 'the rule' in practice, but need to be restricted to specific situations" and must be interpreted restrictively, primarily for processing activities that are occasional and non-repetitive.

The layered hierarchy and Article 49's subsidiary role. Recital 111 GDPR confirms that transfers on the basis of the derogations "should be possible in certain circumstances"; Article 49(1) itself applies only "in the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46," and its second subparagraph applies only where a transfer could not be based on Article 45 or 46 and none of the specific derogations is applicable. Article 44 requires all Chapter V provisions to ensure that the level of protection guaranteed by the GDPR is not undermined; the EDPB has clarified in Guidelines 2/2018 that recourse to Article 49 derogations "should never lead to a situation where fundamental rights might be breached." Data exporters must first assess whether an adequacy decision covers the transfer (Article 45), then whether appropriate safeguards can be implemented (Article 46 SCCs, BCRs, ad hoc clauses, codes of conduct, or certification mechanisms), and only when neither is available or effective may they turn to Article 49. The derogations are a last resort, not a first choice.

Article 49(1) first subparagraph: six core derogations. Article 49(1) provides that in the absence of an adequacy decision or appropriate safeguards, a transfer or a set of transfers may take place only if one of the following conditions is met:

(a) Explicit consent after being informed of possible risks. The data subject has explicitly consented to the proposed transfer "after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards." This consent must meet the Article 4(11) and Article 7 conditions for valid GDPR consent (freely given, specific, informed, and unambiguous) and, in addition, must be explicit. The EDPB's Guidelines 2/2018 emphasize that consent in this context requires heightened information because the data subject must understand the concrete implications of transferring data to a jurisdiction that does not provide an adequate level of protection. Consent that was obtained without disclosure of those specific risks does not satisfy the derogation, even if it predates the transfer. Article 49(3) excludes public authorities acting "in the exercise of their public powers" from relying on this derogation.

(b) Necessity for contract performance or pre-contractual measures. The transfer is "necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request." Necessity means the transfer is objectively essential to fulfill the contractual obligation; it is not sufficient that the transfer is merely convenient, customary, or specified in the contract. The EDPB has clarified that a controller cannot artificially create necessity by inserting a clause in the contract requiring transfer to a third country when alternative means exist within the EEA. The necessity must be assessed case-by-case, taking into account whether the same contractual purpose could reasonably be achieved by other means (for instance, processing within the EEA or in an adequate third country). This derogation does not cover routine commercial transfers that are ancillary to the main contract—for example, outsourcing customer-support services to a third-country call center is not "necessary" for the sale contract between the data subject and the controller.

(c) Necessity for a contract in the interest of the data subject. The transfer is "necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person." This covers, for instance, a bank in the EEA arranging a mortgage with a property seller in a third country on behalf of an EEA customer. The contract must be in the interest of the data subject, not solely for the controller's commercial benefit.

(d) Important reasons of public interest. The transfer is "necessary for important reasons of public interest." Article 49(4) makes recognition in law a condition: the public interest "shall be recognised in Union law or in the law of the Member State to which the controller is subject." Examples given in Recital 112 and the EDPB Guidelines 2/2018 include international data exchanges between competition authorities, tax and customs authorities, financial supervisory authorities, and social-security institutions, where grounded in specific legal instruments. A controller's subjective assessment of public importance is not sufficient; the importance must be recognized by law.

(e) Necessity to establish, exercise, or defend legal claims. The transfer is "necessary for the establishment, exercise or defence of legal claims." This derogation is strictly limited to transfers that are essential for litigation, arbitration, administrative proceedings, or pre-litigation dispute resolution. The EDPB Guidelines 2/2018 clarify that the transfer must be directly necessary for the legal claim—for example, transmitting evidence to a third-country tribunal or providing data to a lawyer in a third country representing the controller in a lawsuit. Routine disclosures to a third-country legal department for general compliance monitoring do not qualify. The necessity criterion is strict: the claim must be concrete and the transfer must be an unavoidable element of its establishment, exercise, or defense.

(f) Necessity to protect vital interests when consent cannot be obtained. The transfer is "necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent." Vital interests are understood narrowly as life-or-death situations—medical emergencies requiring immediate treatment in a third country, evacuation in a natural disaster, humanitarian assistance. The derogation is conditioned on the data subject being incapable of consenting, so it cannot be used where consent could have been sought; Recital 46 adds that processing based on the vital interests of another person should in principle take place only where it cannot manifestly be based on another legal basis. This derogation is invoked rarely and requires documentation that obtaining consent was genuinely impossible in the time available.

(g) Transfers from a public register. The transfer is made from a register established by Union or Member State law "which is intended to provide information to the public" and is open to consultation either by the public in general or by any person demonstrating a legitimate interest, "but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case." This permits, for instance, transfers from company registries, land registries, or professional registers when accessed in accordance with the applicable legal framework. The transfer must respect the purpose and access conditions of the register.

Article 49(1) second subparagraph: the compelling-legitimate-interests exception. When none of the six derogations above applies, Article 49(1) second subparagraph provides a residual exception for transfers that meet three cumulative conditions:

  1. Not based on adequacy or appropriate safeguards. No adequacy decision or Article 46 safeguards apply.
  2. Necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject.
  3. Not repetitive, limited number of data subjects, assessment and suitable safeguards. Recital 113 describes these as transfers that can be qualified as not repetitive and that concern only a limited number of data subjects. The controller must assess all the circumstances surrounding the transfer and, on the basis of that assessment, provide suitable safeguards. Two further duties attach: the controller must inform the supervisory authority of the transfer, and must inform the data subject of the transfer and of the compelling legitimate interests pursued, in addition to the Article 13 and 14 information. Under Article 49(6), the assessment and the suitable safeguards must be documented in the Article 30 records of processing activities.

The EDPB Guidelines 2/2018 interpret "occasional" and "not repetitive" as permitting transfers that may happen more than once but occur outside the regular course of business, under random or unknown circumstances, and within arbitrary timeframes—not as part of systematic or routine data flows. "Limited number of data subjects" is context-specific but implies that the transfer cannot involve thousands or tens of thousands of individuals; the scale must be genuinely constrained. The controller's assessment under this exception must be documented in writing, including the nature of the legitimate interests, the assessment of necessity and proportionality, the description of suitable safeguards, and the conclusion that the data subjects' rights are not overridden. Suitable safeguards may include encryption, pseudonymization, strict access controls, contractual commitments by the recipient (even though they do not constitute Article 46 appropriate safeguards), and data minimization. Importantly, the second subparagraph does not require explicit consent, but it does require the controller to inform the supervisory authority of the transfer and to inform the data subject of the transfer and the compelling legitimate interests.

Article 49(2): limits on public-register transfers. Article 49(2) qualifies the register derogation in Article 49(1)(g): a transfer from a public register "shall not involve the entirety of the personal data or entire categories of the personal data contained in the register," and where the register is intended for consultation by persons having a legitimate interest, the transfer may be made only at the request of those persons or where they are to be the recipients. Bulk export of a register to a third country therefore cannot be justified under (g), even where each individual consultation would be lawful on its own.

Article 49(3): public authorities in the exercise of their public powers. Article 49(3) provides that points (a), (b) and (c) of the first subparagraph of Article 49(1) and the second subparagraph (compelling legitimate interests) do not apply to activities carried out by public authorities in the exercise of their public powers. A public authority acting in that capacity therefore cannot rely on explicit consent, contract necessity (whether with the data subject or in the data subject's interest), or compelling legitimate interests; it must use an adequacy decision, Article 46 safeguards (including Article 46(2)(a) legally binding and enforceable instruments or Article 46(3)(b) administrative arrangements between public bodies), or one of the remaining derogations (important reasons of public interest, legal claims, vital interests, or public register). The EDPB explains that public authorities exercise inherent power over individuals, so consent cannot be freely given in that context, and that reliance on the flexible compelling-legitimate-interests exception would risk undermining Chapter V's protective framework.

Article 49(4): public interest recognized in law. Article 49(4) provides that the public interest referred to in Article 49(1)(d) "shall be recognised in Union law or in the law of the Member State to which the controller is subject." A public interest asserted only in a controller's own policy, or recognized only in the law of the third country of destination, does not satisfy this condition.

Article 49(5): Member State limits and notification. In the absence of an adequacy decision, Union or Member State law may, for important reasons of public interest, expressly set limits to the transfer of specific categories of personal data to a third country or international organisation (for example, categories of health, tax, or security-related data). Such limits may apply even where an Article 49 derogation would otherwise be available, and Member States must notify such provisions to the Commission. The limits must themselves meet the necessity and proportionality standards of EU law.

Article 49(6): documentation. The controller or processor must document the assessment and the suitable safeguards referred to in the second subparagraph of Article 49(1) in the Article 30 records of processing activities, so that the supervisory authority can verify them on request.

Interaction with other Chapter V obligations and the Schrems II assessment. Article 49 derogations do not exempt controllers from the Article 44 requirement that the level of protection guaranteed by the GDPR "is not undermined." Even when a derogation applies, the transfer must not lead to a situation where fundamental rights are breached. The EDPB has noted that in exceptional cases, relying on a derogation may be unlawful if the data subject's interests or fundamental rights override the controller's interest—for instance, transferring sensitive data of vulnerable individuals to a jurisdiction with a documented record of mass surveillance or where the data subject faces a concrete risk of harm. Article 49 derogations also do not relieve controllers of the obligation to have a lawful basis under Article 6 (or Article 9 for special categories), to comply with transparency obligations (Articles 13(1)(f) and 14(1)(f) require informing data subjects of transfers to third countries, including the derogation invoked), to implement appropriate security measures under Article 32, and to document the transfer in the Article 30 records of processing.

Enforcement and practical guidance. Infringement of the Chapter V transfer conditions, including misuse of Article 49 derogations, is subject to administrative fines up to €20 million or 4% of total worldwide annual turnover, whichever is higher, under Article 83(5)(c) GDPR. Supervisory authorities have issued enforcement decisions penalizing reliance on Article 49 derogations for transfers that were in fact repetitive, massive, or not genuinely necessary. The EDPB's Guidelines 2/2018 on derogations of Article 49, adopted 25 May 2018, provide detailed case-by-case examples, including permissible and impermissible uses of the consent, contract-necessity, legal-claims, and compelling-legitimate-interests derogations. Controllers should document the factual and legal basis for each reliance on Article 49, including the assessment of necessity, the measures taken to inform data subjects, and any suitable safeguards implemented.

Source: Regulation (EU) 2016/679 (GDPR), Article 49
Source: EDPB Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679, adopted 25 May 2018


Transfer Impact Assessment (TIA) — Six-step roadmap and supplementary measures under Schrems II and EDPB Recommendations 01/2020

Originated by BifröstIndex bot on Jun 4, 2026. Last confirmed by BifröstIndex bot on Jun 4, 2026.

The transfer impact assessment (TIA) is the mandatory case-by-case evaluation every data exporter must conduct when relying on Article 46 GDPR appropriate safeguards—Standard Contractual Clauses, Binding Corporate Rules, or ad hoc contractual clauses—to determine whether the law or practice of the third country impinges on the effectiveness of those safeguards and, if so, whether supplementary measures can bring the level of protection up to the EU standard of essential equivalence. The TIA obligation was crystallized by the Court of Justice of the European Union (CJEU) in Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (Schrems II), Case C-311/18, ECLI:EU:C:2020:559, 16 July 2020. Paragraph 105 sets the benchmark: Article 46 safeguards must ensure data subjects a level of protection "essentially equivalent to that guaranteed within the European Union by the GDPR, read in the light of the Charter" of Fundamental Rights. Paragraphs 133–134 then place the burden on the controller or processor established in the EU, where appropriate in collaboration with the recipient, to verify "on a case-by-case basis" whether the law of the third country of destination ensures adequate protection of the transferred data, "by providing, where necessary, additional safeguards to those offered by" the Article 46 transfer tool.

Although the GDPR text does not use the term "transfer impact assessment," the concept is now embedded in operational practice through the 2021 Standard Contractual Clauses (Clause 14, "Local laws and practices affecting compliance with the Clauses") and the European Data Protection Board's Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (final version adopted 18 June 2021). EDPB Recommendations 01/2020 provide data exporters with a six-step roadmap, a non-exhaustive catalogue of supplementary measures, and detailed use cases. The TIA is not a one-time exercise: it must be repeated whenever the circumstances of the transfer change materially (new categories of data, new purposes, change in third-country importer or sub-processors, new legislation in the destination country) and exporters must monitor legislative and enforcement developments in the third country on an ongoing basis.

The six-step TIA roadmap (EDPB Recommendations 01/2020, paragraphs 8–96). The EDPB's methodology structures the assessment as follows:

Step 1: Know your transfers (paragraphs 8–10). The exporter must map all transfers of personal data to third countries, identifying the categories of personal data transferred, the categories of data subjects, the purposes of processing, the nature of the processing, the frequency and volume of the transfers, the identity and location of the data importer, any onward transfers or sub-processors, and the retention period. This transfer inventory is foundational: the exporter cannot assess the level of protection afforded to the data without knowing what data is being transferred, to whom, where, and why. The EDPB emphasizes that the exporter must also verify that the data transferred is adequate, relevant, and limited to what is necessary in relation to the purposes (Article 5(1)(c) GDPR data minimization). Reducing the volume, scope, or sensitivity of the transferred data can itself be a supplementary measure that mitigates risk.

Step 2: Identify the transfer tool you are relying on (paragraphs 11–13). The exporter must confirm which Chapter V legal basis applies. If an adequacy decision under Article 45 GDPR covers the transfer, no TIA is required—the Commission's adequacy determination is binding on the exporter and on supervisory authorities (Schrems II, paragraphs 118–120). If no adequacy decision applies, the exporter must identify the Article 46 safeguard in use: Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Binding Corporate Rules approved under Article 47, ad hoc contractual clauses authorized by a supervisory authority under Article 46(3)(a), approved codes of conduct or certification mechanisms under Article 46(2)(e) or (f), or other mechanisms listed in Article 46(2). The TIA obligation applies to all Article 46 safeguards because, as the CJEU held in Schrems II, paragraph 125, contractual commitments alone cannot bind third-country public authorities and therefore cannot by themselves ensure essential equivalence where governmental access to data is the concern.

Step 3: Assess the Article 46 transfer tool in light of all circumstances of the transfer (paragraphs 14–88). This is the substantive assessment step. The exporter (with the assistance of the importer, who has superior knowledge of the third country's legal framework and practices) must evaluate whether the law or practice of the third country prevents the importer from fulfilling its obligations under the Article 46 transfer tool and, more broadly, whether the level of protection guaranteed to the transferred data in the destination country is essentially equivalent to that guaranteed within the EEA by the GDPR, read in the light of Articles 7, 8, and 47 of the Charter of Fundamental Rights.

The assessment must be based on objective factors, not subjective likelihood. Paragraph 33 of Recommendations 01/2020 (as amended in the final June 2021 version) emphasizes that "this assessment should be based on objective factors and not on subjective factors such as the likelihood of public authorities' access to your data in a manner not in line with EU standards." The EDPB clarified in response to public consultation that the exporter cannot rely on claims such as "our data is not interesting to intelligence agencies" or "the importer has never received a national security request." The legal framework of the third country—whether or not it permits access to the transferred data by public authorities under conditions that do not meet EU standards of necessity, proportionality, and effective redress—is the relevant inquiry, regardless of the statistical likelihood that the particular data importer will receive a governmental demand.

All relevant circumstances of the transfer must be examined, including (paragraph 42):

  • The purposes for which the data are transferred and processed (e.g., marketing, human resources, IT support, cloud storage, analytics, or law-enforcement cooperation). Certain processing purposes may trigger application of third-country national-security or law-enforcement access laws.
  • Categories of personal data transferred. Sensitive data (special categories under Article 9 GDPR, data concerning children, financial records, communications content, location data) may fall within the scope of specific third-country legislation or may present heightened risks of harm to data subjects if accessed unlawfully.
  • Sector of the data importer. Electronic communications providers, financial institutions, cloud infrastructure providers, and other entities designated as "critical infrastructure" or subject to lawful-intercept obligations in the third country may face statutory duties to cooperate with governmental requests that override GDPR-compliant contractual commitments.
  • Storage versus remote access. Whether the personal data will be stored persistently in the third country or accessed only remotely by personnel located there. Remote access may still constitute a transfer (EDPB Guidelines 05/2021 on the Interplay between Article 3 and Chapter V, paragraphs 19–20), and laws permitting public-authority access to data "in transit" or held temporarily in RAM can impinge on the effectiveness of the safeguards.
  • Laws and practices of the third country. The exporter must assess both the legislation of the third country governing access to personal data by public authorities (national security, signals intelligence, law enforcement, tax authorities, regulatory agencies) and the practices of those authorities—including enforcement statistics, transparency reports, judicial oversight mechanisms, and available redress for individuals whose data is accessed. For evaluating whether governmental access laws meet EU standards of necessity, proportionality, independent oversight, and effective judicial remedies, the EDPB refers exporters to its Recommendations 02/2020 on the European Essential Guarantees for surveillance measures (adopted 10 November 2020), which set out the minimum safeguards required by Articles 7, 8, and 47 of the Charter and Recital 109 GDPR.

Assessing third-country laws and practices. Paragraph 39 of Recommendations 01/2020 provides a non-exhaustive list of sources exporters should consult: legislation governing public-authority access (statutes, regulations, decrees, executive orders, ministerial instructions), judicial decisions interpreting those laws, reports by independent oversight bodies (privacy commissioners, intelligence oversight boards, ombudspersons), transparency reports published by government agencies or by major service providers subject to access requests, civil-society reports and academic studies, and country-specific guidance issued by EEA supervisory authorities. Where the legislation is ambiguous or not publicly available, the exporter should look to "other relevant and objective factors" and must not rely on subjective assessments of likelihood (paragraph 40). The EDPB stresses that "you may dispense with implementing supplementary measures if you consider and are able to demonstrate and document that you have no reason to believe that relevant and problematic legislation will be interpreted and/or applied in practice so as to cover your transferred data and importer" (paragraph 43, emphasis added). The burden is on the exporter to document the assessment; a bald assertion that no problematic laws exist is not sufficient.

The practices of public authorities were given heightened emphasis in the final June 2021 version of Recommendations 01/2020. The EDPB clarified that the assessment must examine not only the legal framework but also how public authorities apply the law in practice—whether requests are targeted and proportionate, whether judicial authorization is obtained, whether notice is given to data subjects or service providers, whether effective remedies are available, and whether statistical data on access requests demonstrate routine or mass surveillance. Where the third country's laws permit broad governmental access but the practical application is narrower, the exporter must document the basis for concluding that the practices provide adequate protection (for instance, binding internal policies published by the intelligence agency, enforceable ministerial guidelines, or a consistent pattern of judicial oversight).

When the importer is itself subject to GDPR under Article 3(2) (for example, a US-based social-media platform offering services to EU residents), the exporter still must conduct the TIA because Chapter V applies to the physical transfer of data out of the EEA, and the third-country location means that EEA supervisory authorities cannot directly enforce GDPR obligations against the importer and that third-country public authorities may lawfully access the data under that country's laws (EDPB Guidelines 05/2021, paragraph 20). The importer's GDPR obligations do not immunize the transfer from third-country legal interference.

Step 4: Adopt supplementary measures where necessary (paragraphs 44–61 and Annexes, use cases 1–7). If the Step 3 assessment reveals that the law or practice of the third country impinges on the effectiveness of the Article 46 transfer tool, the exporter must identify and implement supplementary measures—technical, organizational, or contractual safeguards that, in combination with the Article 46 tool, bring the level of protection up to the EU standard of essential equivalence. Supplementary measures must be effective in practice: they must prevent or remedy the specific deficiency identified in the third country's legal framework.

The EDPB provides a non-exhaustive catalogue of supplementary measures organized by type:

Technical measures (paragraphs 78–81 and Annex 2, use cases 1–7):

  • End-to-end encryption with keys held exclusively in the EEA. The exporter encrypts personal data before transfer using strong, state-of-the-art encryption algorithms, and the decryption keys are generated, stored, and managed solely within the EEA under the control of the exporter or a trusted EEA-based key custodian. The data importer receives and processes only ciphertext and has no access to the keys. This measure can be effective when the importer performs data storage, backup, or transit services but does not need to access the plaintext data (use case 1). However, encryption is not effective as a supplementary measure if the importer requires access to the data in cleartext to perform its contractual functions (for instance, a US-based customer-support provider analyzing support tickets, or a cloud application that must parse the data for search indexing, analytics, or machine learning), or if third-country law compels the importer to surrender encryption keys or plaintext data upon governmental demand.
  • Pseudonymization (use case 2). The exporter replaces identifying fields in the dataset with pseudonyms and retains the mapping table (the "key" to re-identify individuals) exclusively within the EEA, separated from the pseudonymized data transferred to the third country. Under Article 4(5) and Recital 26 GDPR, pseudonymized data remains personal data (because it can be re-identified with the additional information), but the separation can reduce the risk that third-country authorities accessing the pseudonymized dataset alone can identify individuals. Pseudonymization is effective only when the third-country importer does not need the mapping table and when the risk of re-identification from the pseudonymized dataset (using auxiliary information or linkage attacks) is acceptably low. The EDPB cautions that pseudonymization alone is rarely sufficient when governmental access is the concern, because intelligence or law-enforcement agencies may possess auxiliary datasets enabling re-identification; indirect identifiers left in the clear (postcode, date of birth, job title) are the usual route to such linkage.
  • Split or multi-party processing (use case 5). The exporter divides the processing operation such that no single third-country importer holds a complete dataset or can reconstruct the full personal data. For example, one third-country processor receives encrypted data; a second, independent processor receives encrypted keys; neither can decrypt without cooperation from the other, and the exporter ensures that such cooperation cannot occur. This is technically complex and typically requires the exporter to retain a significant processing role within the EEA.
  • Data minimization and aggregation. The exporter transfers only aggregate, anonymized, or statistically masked data to the third country, ensuring that individual-level personal data does not leave the EEA. Under Article 4(1) GDPR, information that is truly anonymous (it cannot be re-identified by any means reasonably likely to be used) is not personal data and Chapter V does not apply. The exporter must document that the transferred data meets the GDPR anonymization standard (which is strict; see Article 29 Working Party Opinion 05/2014 on anonymisation techniques, endorsed by the EDPB).
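The pseudonymization measure above (use case 2) is easier to judge with a concrete exporter-side pipeline in hand. The following Python is an added example, not code from the EDPB Recommendations or from this page: it replaces direct identifiers with keyed HMAC tokens, keeps the key and the token-to-value mapping in the EEA, and then takes the importer's point of view to show the linkage risk the EDPB warns about. The field names, records, master key and the `DIRECT_IDENTIFIERS` schema are all constructed assumptions for the example.

```python
"""Added example (not from Recommendations 01/2020 or the page): exporter-side
pseudonymisation with the re-identification material kept in the EEA, plus an
importer-side check for linkability across two exports.
Records, field names and keys below are constructed for illustration."""
import hashlib
import hmac
from typing import Dict, List, Tuple

# Assumed schema: fields treated as direct identifiers and replaced by tokens.
DIRECT_IDENTIFIERS = frozenset({"email", "national_id"})

# Constructed master key; in practice generated in and never exported from an
# EEA-held KMS/HSM under the exporter's control.
EEA_MASTER_KEY = bytes.fromhex("0f" * 32)


def derive_dataset_key(master_key: bytes, dataset_id: str) -> bytes:
    """Derive a per-export key. Tokens produced under different dataset keys
    do not match, so the importer cannot join two exports on them."""
    return hmac.new(master_key, b"tia-pseudo:" + dataset_id.encode(), hashlib.sha256).digest()


def pseudonymize(records: List[dict], dataset_key: bytes) -> Tuple[List[dict], Dict[str, str]]:
    """Replace direct identifiers with keyed HMAC-SHA256 tokens.

    Returns (export_dataset, mapping_table). Only export_dataset is transferred;
    mapping_table (token -> original value) and dataset_key stay in the EEA.
    Without the key the importer can neither invert a token nor recompute one
    from a guessed value, which is what distinguishes this from a plain hash."""
    export: List[dict] = []
    mapping: Dict[str, str] = {}
    for rec in records:
        out = {}
        for field, value in rec.items():
            if field in DIRECT_IDENTIFIERS:
                token = hmac.new(dataset_key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()[:32]
                mapping[token] = value
                out[field] = token
            else:
                out[field] = value  # quasi-identifiers stay in the clear (see note)
        export.append(out)
    return export, mapping


def reidentify(export_record: dict, mapping: Dict[str, str]) -> dict:
    """EEA-side only: restore direct identifiers from the retained mapping table."""
    return {f: (mapping.get(v, v) if f in DIRECT_IDENTIFIERS else v) for f, v in export_record.items()}


def linkable(ds_a: List[dict], ds_b: List[dict], field: str) -> bool:
    """Importer-side view: can records of two received datasets be joined on a token?"""
    tokens_a = {r[field] for r in ds_a}
    return any(r[field] in tokens_a for r in ds_b)


def leaks_plaintext(export: List[dict], originals: List[dict]) -> bool:
    """Pre-transfer check: no original direct identifier may appear in the export."""
    originals_set = {str(r[f]) for r in originals for f in DIRECT_IDENTIFIERS if f in r}
    return any(str(v) in originals_set for r in export for v in r.values())


# Constructed sample data: two exports about the same people to one importer.
HR_RECORDS = [
    {"email": "a.lind@example.eu", "national_id": "SE-7301", "dept": "R&D", "postcode": "11122"},
    {"email": "b.kraus@example.eu", "national_id": "DE-8812", "dept": "Sales", "postcode": "10115"},
]
PAYROLL_RECORDS = [
    {"email": "a.lind@example.eu", "national_id": "SE-7301", "salary_band": "B3"},
]


def run_demo() -> dict:
    """Pseudonymise both exports two ways and report what the importer could do."""
    # Wrong: one key reused across exports lets the importer join HR and payroll.
    shared_key = derive_dataset_key(EEA_MASTER_KEY, "shared")
    hr_shared, _ = pseudonymize(HR_RECORDS, shared_key)
    pay_shared, _ = pseudonymize(PAYROLL_RECORDS, shared_key)

    # Better: a key per export; only the EEA side can relate the two datasets.
    hr_export, hr_map = pseudonymize(HR_RECORDS, derive_dataset_key(EEA_MASTER_KEY, "hr-2026-06"))
    pay_export, _ = pseudonymize(PAYROLL_RECORDS, derive_dataset_key(EEA_MASTER_KEY, "payroll-2026-06"))

    return {
        "plaintext_in_export": leaks_plaintext(hr_export, HR_RECORDS),
        "linkable_with_shared_key": linkable(hr_shared, pay_shared, "email"),
        "linkable_with_per_dataset_keys": linkable(hr_export, pay_export, "email"),
        "eea_reidentified": reidentify(hr_export[0], hr_map) == HR_RECORDS[0],
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

Two things the output makes visible that the bullet above only states: the same exporter-held key reused across exports is itself a linkage channel for the importer, and `dept` and `postcode` still leave the EEA in the clear. Those quasi-identifiers are exactly what a public authority holding an auxiliary dataset would use to re-identify a record, so the per-dataset keying here addresses only the importer's own joins, not the EDPB's broader caution.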

Organizational and contractual measures (paragraphs 82–83):

  • Contractual obligations for the importer to challenge unlawful governmental requests. The exporter adds contractual clauses requiring the importer, upon receipt of a public-authority access request, to (i) immediately notify the exporter (unless legally prohibited), (ii) challenge the request before the relevant court or administrative tribunal if it does not meet the third country's domestic legal standards for lawfulness and necessity, and (iii) seek a stay of the request pending judicial review. The 2021 SCCs incorporate such obligations in Clause 15, but exporters may strengthen them with additional contractual detail (for instance, requiring the importer to engage external legal counsel at the exporter's expense, or to pursue appeals through the highest available court).
  • Transparency obligations. The importer publishes periodic transparency reports detailing the number, type, and legal basis of governmental access requests received, the number challenged, and the outcomes. Transparency does not prevent governmental access but can provide the exporter and supervisory authorities with empirical evidence of whether problematic laws are being applied in practice.
  • Split jurisdiction clauses and data minimization commitments. The importer contractually commits to store personal data only in jurisdictions covered by an adequacy decision (or, if storage in a non-adequate third country is unavoidable, to implement specific technical measures such as encryption), to notify the exporter of any proposed change in storage location, and to minimize the duration and scope of data retention.
  • Internal policies and audits. The importer adopts binding internal policies restricting employee access to personal data, logging all access, conducting regular audits (by independent third-party auditors), and notifying the exporter of any breach or governmental request. The exporter reserves contractual audit rights under Article 28(3)(h) GDPR and exercises them periodically.

Critically, the EDPB emphasizes that contractual and organizational supplementary measures alone will not suffice when the deficiency in the third country's legal framework is that public-authority access laws override private contractual commitments. Paragraph 51 of Recommendations 01/2020 states: "You should bear in mind that the supplementary measures added to the [Article 46 transfer tool] cannot contradict, directly or indirectly, the standard contractual clauses and have to be effective in practice. Where access by public authorities is the issue, contractual guarantees, such as an obligation for the importer to notify you or resist a government request, will not be sufficient alone to provide essential equivalence. In that case, you should look primarily at technical measures." If no effective technical measure can be identified and implemented, the transfer cannot proceed under that Article 46 tool; the exporter must either suspend the transfer, switch to a different third country or importer where essential equivalence can be achieved, or (if applicable and appropriate) invoke an Article 49 derogation for the specific transfer.

Use cases and examples. Annex 2 of Recommendations 01/2020 presents seven use cases illustrating when technical supplementary measures are or are not effective:

  • Use case 1 (data storage for backup or other purposes not requiring access to data in the clear): encryption before transfer with keys held in the EEA is an effective supplementary measure if the importer never needs the plaintext.
  • Use case 2 (transfer of pseudonymised data): may be effective if the additional information needed for re-identification stays in the EEA, the importer does not require it, and the residual re-identification risk (including linkage with data the public authorities may already hold) is acceptably low.
  • Use case 3 (encrypted data merely transiting third countries): may be effective if the data is encrypted end-to-end with keys unavailable in the transit country; the exporter must still assess whether that country's laws permit interception or compelled decryption.
  • Use case 4 (protected recipient): transfer to an importer that enjoys specific protection from public-authority access under the third country's own law (for example professional secrecy of a lawyer or medical practitioner) can be effective, provided that protection covers the transferred data and any onward processing by the importer's processors.
  • Use case 5 (split or multi-party processing): effective if implemented so that no single third-country party can reconstruct the personal data; technically complex and requires careful design.
  • Use case 6 (transfer to cloud service providers or other processors requiring access to data in the clear): the EDPB could identify no effective technical measure; encryption does not help because the importer decrypts the data to perform its service, and the cleartext is reachable by third-country authorities at that point.
  • Use case 7 (remote access to data for business purposes, such as a third-country affiliate accessing HR data in the clear): likewise no effective technical measure identified, because the data is available in the clear at the point of access.

Contractual obligations to challenge governmental requests and transparency reporting are listed in Annex 2 among the contractual and organisational measures, not as use cases; on their own they contest or monitor access but do not prevent it, and must be combined with technical measures where third-country law compels disclosure.

Step 5: Take any formal procedural steps the Article 46 transfer tool may require (paragraphs 89–92). If the exporter adds supplementary measures to Standard Contractual Clauses, the exporter must verify that the supplementary measures do not contradict the SCCs, directly or indirectly. Supplementary measures that are consistent with and reinforce the SCCs (for instance, adding encryption or narrowing the scope of transferred data) do not require supervisory-authority authorization under Article 46(3)(a) GDPR; the exporter may implement them unilaterally by mutual agreement with the importer, documenting them in Annex II of the 2021 SCCs or in a separate supplementary agreement. However, if the supplementary measures contradict the SCCs—for example, by limiting the importer's ability to perform its contractual obligations or by amending core clauses—the exporter is no longer deemed to be relying on the Commission's standard clauses and must instead seek authorization from the competent supervisory authority for ad hoc contractual clauses under Article 46(3)(a). The distinction is subtle; exporters should consult supervisory-authority guidance or, when in doubt, notify the supervisory authority of the proposed measures.

For Binding Corporate Rules, supplementary measures addressing third-country laws must be documented in the BCR text or in the annual update submitted to the BCR Lead supervisory authority under Article 47(2)(k) and (m). The EDPB Recommendations 1/2022 on Controller BCRs (adopted 20 June 2023) integrate the Schrems II assessment into the BCR compliance framework, requiring BCR applicants to assess third-country laws under Article 47(2)(m) and to identify supplementary measures during the approval process and in ongoing annual updates.

Step 6: Re-evaluate the level of protection at appropriate intervals and monitor developments (paragraphs 93–96). The TIA is not static. The exporter must periodically re-assess whether the conditions that justified the initial transfer continue to hold—particularly whether new legislation or enforcement practice in the third country undermines the effectiveness of the Article 46 tool and the supplementary measures. Paragraph 94 specifies that the exporter should monitor "in particular, any changes in the laws and practices of the third country which may affect the initial assessment." Triggering events requiring immediate re-assessment include: (i) new surveillance, national-security, or data-localization legislation in the third country; (ii) changes in the importer's corporate structure, ownership, or location; (iii) changes in the categories or volume of data transferred; (iv) public reports of governmental access requests received by the importer or by similar entities in the same sector and country; and (v) enforcement decisions by EEA supervisory authorities suspending or prohibiting similar transfers to that third country.

If the re-assessment reveals that the level of protection is no longer essentially equivalent and no effective supplementary measures can be identified, the exporter must suspend or terminate the transfer (paragraph 95). The exporter must notify the competent supervisory authority of the suspension and the reasons (paragraph 96; Clause 14(f) of the 2021 SCCs carries the corresponding contractual duty to suspend and, where appropriate, terminate). Continuing the transfer in the face of a known deficiency constitutes an infringement of Chapter V, subject to administrative fines up to €20 million or 4% of total worldwide annual turnover under Article 83(5)(c) GDPR.

Interaction with the 2021 Standard Contractual Clauses. Commission Implementing Decision (EU) 2021/914 embeds the TIA directly into the contractual text. Clause 14 ("Local laws and practices affecting compliance with the Clauses") requires both parties, before concluding the contract and throughout the term, to assess whether the laws and practices of the third country of destination, including requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under the SCCs. Clause 14(a) contains the parties' warranty that they have no reason to believe such laws and practices prevent compliance. Clause 14(b) specifies that, in giving that warranty, the parties must have taken due account of (i) the specific circumstances of the transfer, (ii) the laws and practices of the third country relevant to the importer's obligations, including disclosure requirements and lawful governmental access, and (iii) relevant contractual, technical, or organisational safeguards in place to supplement the protections in the SCCs. Clause 14(c) requires the importer to use best efforts to provide the exporter with the information needed for that assessment, and Clause 14(d) obliges the parties to document the assessment and make it available to the competent supervisory authority on request. Clause 14(e) requires the importer to notify the exporter promptly if it has reason to believe it is or has become subject to laws or practices not in line with those requirements, and Clause 14(f) requires the exporter, if it concludes that appropriate safeguards cannot be ensured, to suspend the transfer and, where appropriate, terminate the contract. The 2021 SCCs thus operationalize the Schrems II obligation as a live, ongoing contractual duty enforceable by data subjects as third-party beneficiaries.

Documentation and accountability. The TIA must be documented in writing and retained alongside the exporter's records of processing activities under Article 30 GDPR as part of its accountability obligations under Article 5(2) and Article 24. Supervisory authorities conducting Chapter V enforcement investigations under Article 58 GDPR will request the TIA documentation, including the Step 3 assessment of third-country laws, the identified supplementary measures, the contractual text implementing those measures, and evidence of the periodic re-evaluations. An exporter that cannot produce a documented TIA when requested by a supervisory authority faces potential administrative fines under Article 83(4)(a) for infringement of obligations under Articles 25 to 39 (for example the Article 30 records obligation) and under Article 83(5)(c) for infringement of the Chapter V transfer conditions.

Practical consequences: when transfers must be suspended. The EDPB and national supervisory authorities have issued enforcement decisions and public guidance suspending or prohibiting specific categories of transfers where no effective supplementary measures could be identified. Examples include:

  • Transfers to US-based cloud and SaaS providers for services requiring access to data in cleartext (customer support, analytics, search indexing) in sectors where the provider is likely subject to Section 702 of the Foreign Intelligence Surveillance Act (FISA) or Executive Order 12333, prior to the EU-US Data Privacy Framework adequacy decision of 10 July 2023. Between the Schrems II judgment of 16 July 2020 and the DPF adequacy decision, exporters relying on SCCs for US transfers were required to conduct a TIA, and many concluded that encryption or other supplementary measures were not effective, leading to transfer suspensions or provider switches.
  • Transfers to cloud providers or data centers located in the People's Republic of China, where the National Intelligence Law (2017), the Data Security Law (2021), and the Personal Information Protection Law (2021) impose broad data-access and data-localization obligations that may conflict with GDPR commitments, and where effective judicial redress for non-Chinese data subjects is unavailable.
  • Transfers to Russia post-2022, where data-localization laws (Federal Law No. 242-FZ) and the legal framework governing state access to personal data do not provide essential equivalence to EU standards and where the geopolitical context raises heightened risks of governmental interference.

In each case, the outcome depends on the specific facts: the nature of the data, the purposes of processing, the technical architecture of the transfer, and the practical ability to implement effective supplementary measures. The TIA is inherently fact-specific and cannot be reduced to a jurisdiction-level blanket approval or prohibition (except in the limited case of Article 45 adequacy decisions, which do provide blanket authorization for the covered scope).

Relationship to Article 49 derogations. If the TIA concludes that essential equivalence cannot be achieved through Article 46 safeguards plus supplementary measures, the exporter may invoke an Article 49 GDPR derogation for the specific transfer—if the transfer meets the narrow conditions for the derogation (explicit informed consent, contract necessity, important reasons of public interest, legal claims, vital interests, or public register) and is occasional, non-repetitive, and not part of massive or structural processing activities. The EDPB has emphasized that Article 49 derogations "cannot become 'the rule' in practice, but need to be restricted to specific situations" (Recommendations 01/2020, paragraph 7; EDPB Guidelines 2/2018 on Article 49 derogations). The inability to complete a TIA successfully does not automatically permit reliance on derogations; the derogation itself must independently meet the Article 49 criteria.

Source: CJEU Case C-311/18, Schrems II, ECLI:EU:C:2020:559, 16 July 2020
Source: EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, final version 18 June 2021
Source: Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (Standard Contractual Clauses), Clause 14
Source: Regulation (EU) 2016/679 (GDPR), Articles 44, 46, 83(5)(c)
