
GDPR international transfers: adequacy, SCCs, and Schrems II

Chapter V of the GDPR (Articles 44 to 49) governs transfers of personal data out of the EEA. The two main lawful bases are an adequacy decision and the Standard Contractual Clauses. Schrems II (2020) added a requirement to assess the law of the destination country and, where that law falls short, to adopt supplementary measures.

When Chapter V applies

Chapter V kicks in any time personal data leaves the European Economic Area. That includes the obvious cases (using a US cloud provider, sending HR data to a parent company outside the EU) and the less obvious ones (granting remote support access to a vendor whose employees sit in a third country, hosting an analytics endpoint outside the EEA).

Adequacy decisions

The simplest basis is an adequacy decision: the European Commission has determined that the destination country provides an essentially equivalent level of protection, so the transfer can proceed without additional safeguards.

Countries with current full or partial adequacy include the United Kingdom, Switzerland, Andorra, Argentina, the Faroe Islands, Guernsey, the Isle of Man, Jersey, Israel, Japan, New Zealand, the Republic of Korea, Uruguay, and Canada (commercial sector). The European Commission also adopted an adequacy decision for the United States on 10 July 2023 under the EU-US Data Privacy Framework, which applies only to organisations certified to the framework.

Standard Contractual Clauses

Where no adequacy decision applies, the most common basis is the Standard Contractual Clauses (SCCs). The European Commission adopted a new set of SCCs on 4 June 2021 (Implementing Decision (EU) 2021/914 of 4 June 2021), published in the Official Journal on 7 June 2021 and applicable from 27 June 2021. They replaced the older 2010 clauses.

The 2021 SCCs have four modules covering the four transfer relationships: Module 1 (controller to controller), Module 2 (controller to processor), Module 3 (processor to processor), and Module 4 (processor to controller). Pick the module that matches the relationship, fill in the annexes (parties, processing description, technical and organisational measures, sub-processors), and sign.

Schrems II and Transfer Impact Assessments

The Court of Justice of the European Union’s Schrems II judgment of 16 July 2020 struck down the EU-US Privacy Shield and held that SCCs alone are not enough if the law of the destination country gives surveillance authorities access to the transferred data in a way incompatible with EU fundamental rights.

The consequence is a Transfer Impact Assessment (TIA): the data exporter assesses the law and practice of the destination country, identifies any risk to the data, and adopts supplementary measures to bring the transfer back to an essentially equivalent level of protection. The European Data Protection Board published Recommendations 01/2020 with worked examples.

Supplementary measures include technical measures (end-to-end encryption with keys held in the EEA, pseudonymisation), contractual measures (warranties about the absence of back doors, notification obligations on government access requests), and organisational measures (internal policies, transparency reporting, response protocols).

Other Article 49 derogations

Article 49 provides derogations for specific situations: explicit consent, necessity for the performance of a contract, important reasons of public interest, legal claims, vital interests, and others. These are narrowly construed and not a substitute for an ongoing transfer mechanism. EDPB Guidelines 2/2018 cover their interpretation.

Practical checklist for an SME

  • Inventory every personal-data transfer out of the EEA. Map source country, destination country, vendor, purpose.
  • For each transfer, identify the lawful basis: adequacy, SCC, BCR (Binding Corporate Rules, mostly used by multinationals), or Article 49 derogation.
  • For each SCC-based transfer, run a TIA against the destination country’s surveillance law and the type of data involved.
  • Document supplementary measures where the TIA concludes they are needed. End-to-end encryption with EEA-held keys covers most cases for SMEs, provided the importer never needs access to the plaintext.
  • Update the ROPA international-transfers section with the basis, the country, and the safeguards.
  • Re-run the TIA when the law of a destination country changes materially. The UK Investigatory Powers Act amendments and US FISA reauthorisations are recent examples.
