Cross-Border Data Transfer
The transfer of personal data from the EEA to a third country or international organisation, which under the GDPR requires specific safeguards such as adequacy decisions, standard contractual clauses, or binding corporate rules.
Full Definition
Chapter V of the GDPR (Articles 44-50) establishes strict rules governing the transfer of personal data to countries outside the European Economic Area (EEA) or to international organisations. The fundamental principle is that the level of protection guaranteed by the GDPR must not be undermined when data leaves the EEA.
The primary mechanism for lawful transfers is an adequacy decision by the European Commission (Article 45), which certifies that a third country ensures an adequate level of data protection. Countries with adequacy decisions include Andorra, Argentina, Canada (for commercial organisations), Israel, Japan, New Zealand, South Korea, Switzerland, the United Kingdom, Uruguay, and the United States (under the EU-US Data Privacy Framework adopted in July 2023). Transfers to adequate countries can proceed without additional safeguards.
In the absence of an adequacy decision, controllers and processors may transfer data using appropriate safeguards (Article 46), primarily Standard Contractual Clauses (SCCs) adopted by the European Commission, Binding Corporate Rules (BCRs) for intra-group transfers, or approved codes of conduct and certification mechanisms. Following the Schrems II ruling by the Court of Justice of the EU, organisations relying on SCCs must conduct a Transfer Impact Assessment (TIA) to evaluate whether the legal framework of the recipient country provides essentially equivalent protection.
The practical implications of cross-border transfer rules are significant for organisations using cloud services, global IT systems, or international service providers. Many AI and machine learning services involve data transfers to third countries, making transfer compliance a critical consideration for organisations deploying AI systems that process personal data. Non-compliance with transfer requirements can result in fines of up to EUR 20 million or 4% of annual worldwide turnover.