Skarp

Chapter 9 of 13

International Data Transfers: Tools, Schrems II and the EU–U.S. Landscape

Navigate the minefield of cross‑border data flows—adequacy, SCCs, BCRs, derogations and the post‑Schrems II world—so you can confidently untangle any transfer scenario the exam throws at you.


Step 1 – What Counts as an International Transfer under the GDPR?

When is it a GDPR "transfer"?

Use the EDPB 3‑step test: 1) Exporter is subject to the GDPR, 2) It discloses or makes data available to another entity, 3) The recipient is in a third country or an international organisation.

Non‑transfer examples

Not a Chapter V transfer: an EU tourist emailing a foreign hotel; an EU employee accessing data while travelling; a non‑EEA processor directly subject to GDPR that does not onward disclose.

Exam trick

In exam scenarios, first write the 3‑step test in the margin. Only if all three conditions are met should you move on to adequacy, SCCs, BCRs or derogations.

Step 2 – Is This a Transfer? Mini Scenarios

Scenario A – EU cloud, non‑EU staff

Data is hosted in Germany by an EU cloud provider; some engineers in India have support access. Legal recipient is the EU entity, so this is generally not treated as a separate Chapter V transfer.

Scenario B – Non‑EU sub‑processor

French company sends data to an Indian sub‑processor. Exporter is GDPR‑subject, recipient is a separate entity in a third country. This is a Chapter V transfer that needs a transfer tool.

Scenario C – Individual to U.S. university

A German student sends their CV directly to a U.S. university. No controller/processor exporter in the EEA, so Chapter V does not apply, even though data crosses borders.

Step 3 – Adequacy Decisions: The Easiest Route (If You Have It)

Adequacy in a nutshell

Adequacy (Art. 45) means the Commission has found a third country or framework offers essentially equivalent protection. Transfers to it generally need no extra transfer tool.

Examples of adequacy

Examples include the UK, Japan, Switzerland, South Korea, and the EU–U.S. Data Privacy Framework for U.S. organisations that are DPF‑certified.

Exam strategy with adequacy

In a problem, first ask: is there adequacy for this destination and context? If yes, rely on Art. 45, but remember you still need a lawful basis and overall GDPR compliance.

Quick Check – Adequacy or Not?

Test your ability to spot when adequacy solves the transfer problem.

An Irish controller wants to send customer data to a U.S. company that is listed as certified under the EU–U.S. Data Privacy Framework (DPF). Which statement is most accurate?

  A) No Chapter V tool is needed because the U.S. as a whole has adequacy.
  B) No additional transfer tool is needed for this transfer because the specific U.S. recipient is DPF‑certified.
  C) SCCs are still mandatory even if the U.S. recipient is DPF‑certified.

Answer: B) No additional transfer tool is needed for this transfer because the specific U.S. recipient is DPF‑certified.

The DPF is an adequacy decision for participating U.S. organisations. If the specific recipient is DPF‑certified and the transfer fits the DPF scope, Article 45 applies and no SCCs/BCRs are required. The U.S. as a whole does not have blanket adequacy, and SCCs are not mandatory in this case.

Step 4 – SCCs, BCRs and Other Safeguards (Article 46)

When to use Article 46

If no adequacy decision applies, look to Article 46 safeguards. The main ones in practice are Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs).

SCCs in practice

Modernised SCCs (2021) offer modules for different controller/processor combinations. They are pre‑approved clauses you add to the contract between exporter and importer.

BCRs in practice

BCRs are internal rules for a corporate group, approved by regulators. They suit large multinationals that need a stable solution for many intra‑group transfers.

Step 5 – Matching SCCs and BCRs to Real‑World Structures

Example – EU to U.S. SaaS

EU retailer → U.S. SaaS provider (non‑DPF). Use SCCs (controller‑to‑processor module) plus a transfer impact assessment and any needed supplementary measures.

Example – Global group with many flows

EU HQ with non‑EEA subsidiaries sharing HR and customer data. BCRs are ideal here, covering many intra‑group transfers once approved.

Example – Processor to sub‑processor

EU processor → non‑EEA sub‑processor. Use SCCs (processor‑to‑processor) and ensure the EU controller has authorised the sub‑processor under Article 28.

Step 6 – Schrems II, Transfer Impact Assessments and Supplementary Measures

Schrems II in one line

Schrems II killed Privacy Shield but kept SCCs, while adding a strict requirement: assess destination country laws and ensure SCCs work in practice for each transfer.

What is a TIA?

A Transfer Impact Assessment documents whether, in your specific context, third‑country laws (e.g. surveillance) undermine SCC/BCR protections, and what extra measures you take.

Supplementary measures

Examples include strong encryption with EU‑held keys, pseudonymisation, data minimisation, contractual commitments on government access, and robust organisational controls.

Quick Check – Schrems II Logic

Confirm you understand what Schrems II actually changed.

After Schrems II, what is the best description of the role of SCCs?

  A) SCCs are invalid and cannot be used for transfers to any third country.
  B) SCCs remain valid, but exporters must assess third‑country laws and may need supplementary measures.
  C) SCCs automatically guarantee adequate protection without any further analysis.

Answer: B) SCCs remain valid, but exporters must assess third‑country laws and may need supplementary measures.

The CJEU confirmed SCCs remain valid but require a case‑by‑case assessment of the destination country’s legal environment and, where needed, supplementary technical, contractual or organisational measures.

Step 7 – Article 49 Derogations: Emergency Exits, Not Main Roads

What are Article 49 derogations?

They are narrow exceptions (explicit consent, necessity for contract, public interest, legal claims, vital interests, public registers) when no adequacy or Article 46 safeguard works.

Not for routine transfers

Derogations are for specific, often occasional situations. They are not meant to justify ongoing, large‑scale transfers for convenience or cost savings.

Exam phrasing

Show that you know: use Article 46 tools where possible; rely on Article 49 only as a last resort and explain exactly which derogation and why it applies.

Step 8 – EU–U.S. Landscape: From Schrems II to the Data Privacy Framework

Mentally map the changing EU–U.S. transfer story. Try to reconstruct the timeline and then compare with the summary below.

Your task (thought exercise):

  1. On a sheet of paper, draw a timeline with four points.
  2. Label them with: Safe Harbor, Privacy Shield, Schrems II, Data Privacy Framework.
  3. Under each, write: valid/invalid and the year.

Now check with this high‑level summary:

  • Safe Harbor – earlier EU–U.S. framework, invalidated in 2015 by Schrems I.
  • Privacy Shield – replacement framework, invalidated in 2020 by Schrems II.
  • Post‑Schrems II (2020–2023) – heavy reliance on SCCs + TIAs for U.S. transfers.
  • EU–U.S. Data Privacy Framework (DPF) – adequacy decision adopted in 2023; currently in force in 2026 for certified U.S. organisations.

Key exam‑level points about the DPF:

  • It is an adequacy decision under Article 45, but only for U.S. organisations that self‑certify and comply with the DPF principles.
  • It includes commitments by the U.S. government (e.g. on signals intelligence and redress mechanisms) to address concerns raised in Schrems II.
  • Controllers can choose between DPF (for certified U.S. importers) or SCCs/BCRs + TIA.

Reflect: In a problem question involving transfers to a U.S. cloud provider, what facts would you look for to decide between relying on the DPF or SCCs + TIA?

Step 9 – Flashcard Review of Key Terms

Flip through these flashcards (mentally or on paper) to lock in the core vocabulary.

International transfer (GDPR, Chapter V)
A disclosure or making available of personal data by a GDPR‑subject controller/processor to another controller/processor in a third country or international organisation that is not subject to the GDPR for that processing.
Adequacy decision (Article 45)
A decision by the European Commission that a third country, territory, sector, or international organisation ensures an essentially equivalent level of data protection, allowing transfers without additional transfer tools.
Standard Contractual Clauses (SCCs)
Pre‑approved contractual clauses adopted by the Commission that, when used correctly and combined with a TIA and any needed supplementary measures, provide safeguards for international transfers under Article 46.
Binding Corporate Rules (BCRs)
Internal rules for a group of undertakings or enterprises, approved by supervisory authorities, that allow intra‑group transfers of personal data to third countries under Article 47.
Transfer Impact Assessment (TIA)
A structured assessment, required post‑Schrems II, where the exporter evaluates whether third‑country laws and practices undermine the protections in SCCs/BCRs and whether supplementary measures are needed.
Article 49 derogations
Narrow exceptions (e.g. explicit consent, necessity for contract, public interest, legal claims) that allow transfers in specific situations when no adequacy decision or Article 46 safeguard is available.
EU–U.S. Data Privacy Framework (DPF)
An EU adequacy framework (since 2023) for U.S. organisations that self‑certify and comply with DPF principles, allowing transfers from the EEA to those organisations without SCCs.

Step 10 – Putting It All Together: Mini Exam Scenario

Apply the full decision logic to an exam‑style scenario.

A Spanish controller wants to send customer data to a payment processor in Brazil on a continuous basis. Brazil does not currently have an EU adequacy decision. The Brazilian processor is willing to sign the modern SCCs and implements strong encryption with keys held only in the EEA. Which is the best exam‑style answer?

  A) The transfer is prohibited because there is no adequacy decision for Brazil.
  B) The transfer can rely on SCCs plus a TIA and strong encryption as supplementary measures under Article 46.
  C) The transfer should rely on Article 49 derogations because SCCs cannot be used without adequacy.

Answer: B) The transfer can rely on SCCs plus a TIA and strong encryption as supplementary measures under Article 46.

Lack of adequacy does not automatically prohibit transfers. Here, the controller can use Article 46 safeguards: modern SCCs, perform a TIA, and rely on strong encryption as a supplementary measure. Article 49 derogations are not appropriate for continuous, routine transfers.

Key Terms

Processor
An entity that processes personal data on behalf of a controller.
Controller
An entity that determines the purposes and means of the processing of personal data.
Third country
A country outside the European Economic Area (EEA).
Adequacy decision
A decision by the European Commission under Article 45 GDPR that a third country or framework ensures an essentially equivalent level of data protection, allowing transfers without additional safeguards.
Article 49 derogations
Specific exceptions in Article 49 GDPR that permit transfers in the absence of adequacy or Article 46 safeguards, such as explicit consent or necessity for contract, typically for occasional transfers.
International transfer
A disclosure or making available of personal data by a GDPR‑subject controller or processor to another controller or processor in a third country or international organisation that is not subject to the GDPR for that processing.
Supplementary measures
Technical, contractual, or organisational measures (e.g. encryption, pseudonymisation, policy commitments) added to SCCs/BCRs to ensure a level of protection essentially equivalent to the EU standard.
Binding Corporate Rules (BCRs)
Group‑wide internal rules for multinational organisations, approved by supervisory authorities, that allow intra‑group transfers of personal data to third countries.
Transfer Impact Assessment (TIA)
An assessment carried out by the data exporter to evaluate whether the law and practices of the destination country affect the effectiveness of transfer safeguards such as SCCs or BCRs.
Standard Contractual Clauses (SCCs)
Pre‑approved contract clauses adopted by the European Commission that provide safeguards for international transfers under Article 46 GDPR.
EU–U.S. Data Privacy Framework (DPF)
An adequacy framework adopted in 2023 that allows transfers of personal data from the EEA to U.S. organisations that self‑certify and comply with DPF principles.
