Artifact GuideEU GDPR

EU GDPR International Transfers and SCCs

A Chapter V guide for deciding whether a transfer can rely on an adequacy decision, SCCs, another Article 46 safeguard, or a narrow Article 49 derogation.

Built for privacy, legal, procurement, security, product, and data-governance teams that need a defensible transfer file instead of a one-line vendor approval.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
5

Structured answer sets in this page tree.

Primary sources
8

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

GDPR Chapter V is the transfer gate for personal data sent to a third country or international organisation. A useful transfer record should show the destination, recipient, data categories, transfer tool, data-subject information, and the assessment behind any SCC or supplementary-measures decision.

Section 1

Start with the Chapter V transfer route

Article 44 sets the general rule: Chapter V conditions apply so the level of GDPR protection is not undermined when personal data moves to a third country or international organisation. The first scoping step is therefore factual, not contractual: identify each destination, importer, onward transfer, processing purpose, data category, and recipient role.

Once the transfer is mapped, select the legal route in order. Check for an Article 45 adequacy decision first. If there is no applicable adequacy decision, test Article 46 safeguards such as Commission SCCs, binding corporate rules, approved codes of conduct, or approved certification mechanisms with binding commitments. Treat Article 49 derogations as a separate fallback only when neither Article 45 nor Article 46 supports the transfer.

  • Keep a transfer inventory that identifies the third country or international organisation, importer, purpose, data categories, and onward-transfer chain.
  • Record whether a Commission adequacy decision covers the exact country, territory, sector, or organisation involved.
  • If relying on SCCs, identify the exporter-importer roles before choosing the SCC module.
  • Record the reason Article 49 is or is not being used; do not treat derogations as a standing replacement for an Article 46 transfer tool.
Sources for this answer
Regulation (EU) 2016/679 (GDPR), Chapter V
Supports the Chapter V route: Article 45 adequacy, Article 46 safeguards, and Article 49 derogations.
European Commission - Adequacy decisions
Explains that adequacy decisions allow covered personal data flows without further safeguards.
Section 2

Use adequacy decisions only where the decision actually covers the transfer

An adequacy decision is not a generic country-risk note. It is a Commission determination under Article 45 that a specific country, territory, sector, or international organisation provides an adequate level of protection. The transfer file should cite the decision or Commission adequacy page and explain why the recipient and processing fall inside its coverage.

Adequacy coverage should also be monitored. The Commission page describes periodic review, and it identifies adequacy decisions and related review material. A vendor onboarding record should therefore include an adequacy-status check and a trigger to reassess if the destination, sector, recipient status, or Commission decision changes.

  • Do not write 'adequate country' unless the adequacy decision covers the relevant recipient and transfer context.
  • For the United States, separate EU-US Data Privacy Framework participants from other US recipients that may still need another transfer tool.
  • Keep a dated screenshot or source citation showing the adequacy basis used at approval time.
  • Add reassessment triggers for importer status, onward-transfer changes, Commission review updates, and withdrawal or amendment of a decision.
Sources for this answer
European Commission - Adequacy decisions
Grounds the effect, scope, and review of adequacy decisions for international transfers.
European Commission - EU-US data transfers
Grounds EU-US DPF use for transfers to participating US companies.
Section 3

Build SCC files around modules, annexes, and transfer impact evidence

Commission Implementing Decision (EU) 2021/914 provides SCCs for transfers to third countries. The SCC file should show the chosen module, parties, data description, transfer frequency, retention, onward transfers, technical and organisational measures, sub-processor information where relevant, and signatures or accession evidence.

SCCs are not just contract paper. Clause 14 requires the parties to take account of the transfer's specific circumstances, third-country laws and practices relevant to the transfer, and supplementary contractual, technical, or organisational safeguards. Clause 15 and Clause 16 evidence should also be retained because importer notification, public-authority access requests, suspension, and termination are part of the operational control set.

  • Select the SCC module: controller-to-controller, controller-to-processor, processor-to-processor, or processor-to-controller.
  • Complete Annex I with party details, transfer description, data subjects, categories of data, purposes, frequency, retention, and competent supervisory authority where required.
  • Complete Annex II with transfer-specific technical and organisational measures, not a generic security policy link.
  • For processor chains, keep sub-processor authorisation records and Annex III information where the selected module requires it.
  • Keep Clause 14 assessment evidence, importer notifications, access-request logs, suspension decisions, and termination decisions with the signed SCCs.
Sources for this answer
Commission Implementing Decision (EU) 2021/914
Provides the SCC modules, annex requirements, Clause 14 assessment, and suspension/termination mechanics.
European Commission - Standard Contractual Clauses
Confirms Commission SCCs are pre-approved clauses for EU-to-third-country data transfers.
Section 4

Run the transfer impact assessment before treating SCCs as enough

The EDPB supplementary-measures recommendations describe a sequence that begins with knowing transfers and verifying the transfer tool, then assessing whether third-country law or practice may undermine that tool in the specific transfer. This is the practical core of a transfer impact assessment.

The Schrems II judgment grounds why this assessment matters. For SCC transfers, the level of protection must be essentially equivalent to EU protection, and the assessment must consider both the contractual clauses and relevant aspects of the third country's legal system. If the SCCs cannot be complied with and protection cannot be ensured by other means, transfer suspension or prohibition is part of the control framework.

  • Document the transfer circumstances: processing chain, actors, transmission channels, storage location, data format, purpose, sector, and onward transfers.
  • Assess third-country laws and practices relevant to public-authority access and importer obligations for this transfer.
  • Identify supplementary measures only after the transfer facts and legal-practice assessment are documented.
  • Record whether technical measures, contractual commitments, and organisational measures are effective for the specific data and processing architecture.
  • Set a review interval and event triggers for legal changes, importer notices, access requests, architecture changes, and new onward transfers.
Sources for this answer
EDPB Recommendations 01/2020 on supplementary measures
Grounds the transfer assessment sequence and the need to document supplementary measures.
CJEU Schrems II judgment, Case C-311/18
Grounds essential equivalence, third-country-law assessment, and suspension/prohibition where SCC protection cannot be ensured.
Section 5

Checklist: evidence to keep for international transfers

A transfer approval should be reusable by procurement, security, privacy, product, and customer-facing teams. The evidence should show both the legal transfer tool and the operational facts that make the tool credible for the actual data flow.

Keep the transfer file close to the vendor, product, and data-map records. If a destination, importer, module, data category, security architecture, or onward transfer changes, the record should be reopened before the transfer continues under the old approval.

Can SCCs be approved without a transfer impact assessment?

No. For SCC transfers, the file should document the specific transfer circumstances, the relevant third-country law and practice, and whether supplementary measures are needed so the transfer tool remains effective.

When can EU-US DPF replace SCCs?

Only when the transfer is to a US company that participates in the EU-US Data Privacy Framework and the transfer is covered by that participation. Other US transfers still need a separate Chapter V route, such as SCCs with assessment and safeguards.

What is the strongest evidence for an SCC transfer?

The strongest file links the signed SCC module and annexes to the transfer inventory, importer input, Clause 14 assessment, supplementary measures, notice language, access-request handling, and a review trigger.

  • Transfer inventory entry with destination, importer, exporter, roles, purposes, data categories, data subjects, retention, and onward transfers.
  • Adequacy decision citation or Article 46 transfer-tool selection with a short explanation of why it fits.
  • Signed SCCs with selected module, completed Annex I, completed Annex II, and Annex III where applicable.
  • Transfer impact assessment covering transfer circumstances, relevant third-country law and practice, importer input, and supplementary measures.
  • Evidence of importer notifications, public-authority access requests where disclosed, challenge records, suspension decisions, and termination decisions.
  • Privacy notice and data-subject access wording that describes third-country transfers and Article 46 safeguards where GDPR Articles 13, 14, or 15 require it.
Sources for this answer
Regulation (EU) 2016/679 (GDPR), Articles 13, 14, 15, and Chapter V
Grounds transfer disclosure, data-subject access to safeguard information, and Chapter V transfer routes.
Commission Implementing Decision (EU) 2021/914
Grounds SCC annex content, importer notification, documentation, suspension, and termination evidence.
EDPB Recommendations 01/2020 on supplementary measures
Grounds transfer-mapping, assessment, supplementary-measure, and reassessment evidence.
Recommended next step

Build a transfer file that links Chapter V sources to vendor and data-flow facts

Sorena can help convert the transfer inventory, adequacy check, SCC module, TIA, supplementary measures, and review triggers into a cited workflow for privacy, legal, procurement, and security teams.

Research workflow
Open Research Copilot for GDPR transfers

Ask source-linked questions about adequacy, SCC modules, transfer impact evidence, supplementary measures, and EU-US DPF coverage.

Explore next step
Talk to Sorena
Talk through implementation

Review your international-transfer inventory, SCC file structure, and transfer-impact assessment evidence with Sorena.

Explore next step
Primary sources

References and citations

CJEU Schrems II judgment, Case C-311/18
curia.europa.eu
Referenced sections
  • Grounds essential equivalence, third-country-law assessment, and suspension/prohibition where SCC protection cannot be ensured.
"essentially equivalent"
Regulation (EU) 2016/679 (GDPR), Chapter V
eur-lex.europa.eu
Referenced sections
  • Supports the Chapter V route: Article 45 adequacy, Article 46 safeguards, and Article 49 derogations.
"Transfers subject to appropriate safeguards"
Related guides

Explore more topics

Does the EU GDPR apply outside the EU under Article 3?
A grounded GDPR Article 3 territorial-scope FAQ covering EU establishment, offering goods or services, monitoring behavior in the EU, and Article 27 representatives.
EU GDPR Applicability Test for Products, Vendors, and Data Flows
A concrete GDPR scope test for personal data, controller and processor roles, EU establishment, EU targeting or monitoring, special-category and child data, transfers, vendors, and evidence.
EU GDPR Article 30 RoPA Intake Workflow
Use this GDPR Article 30 RoPA intake workflow to capture controller and processor fields, owners, transfers, retention, security measures, and evidence before a processing activity goes live.
EU GDPR Article 6 Legal Bases FAQ
FAQ on the six Article 6 GDPR lawful bases, consent caveats, legitimate interests, public-task and legal-obligation limits, and Article 9 special-category data.
EU GDPR Automated Decision-Making and Profiling: Article 22 Scope, Safeguards, and Evidence
source-linked GDPR guide for automated decision-making and profiling: Article 22 scope, profiling definition, transparency, lawful basis, DPIA triggers, human review rights, and evidence.
EU GDPR Breach Notification 72 Hours: Article 33 and 34 workflow
Source-grounded EU GDPR breach notification workflow covering awareness, 72-hour supervisory authority notices, processor escalation, high-risk data-subject communication, delay reasons, and evidence logs.
EU GDPR Breach Notification Workflow: 72-hour clock, risk assessment, and records
A concrete EU GDPR breach notification workflow for detecting and triaging incidents, starting the awareness clock, assessing risk, notifying authorities or data subjects, and keeping Article 33 records.
EU GDPR Checklist: scope, lawful basis, DSARs, DPIA, RoPA, transfers
Use this GDPR checklist to review scope, lawful basis, notices, DSAR handling, DPIAs, RoPA, processor contracts, SCC transfers, breach notification, retention, security, and evidence.
EU GDPR Children and Special-Category Data Guide
source-linked GDPR guide for Article 8 children's consent, Article 9 special-category data, DPIA triggers, transparency, safeguards, and evidence records.
EU GDPR Compliance Checklist: scope, rights, DPIA, RoPA, transfers
Practical EU GDPR compliance guide for mapping scope, lawful basis, notices, data-subject rights, DPIAs, RoPA, processor terms, breaches, transfers, retention, security, and penalties.
EU GDPR Controller, Processor, and Joint Controller Roles
source-linked GDPR guide for classifying controllers, processors, and joint controllers, with Article 28 contract checks, Article 26 transparency, and vendor evidence.
EU GDPR Data Subject Rights and DSAR Workflow
source-linked GDPR DSAR workflow for intake, identity checks, request scope, the one-month response clock, extensions, refusals, processor escalation, and evidence.
EU GDPR deadlines and compliance calendar
source-linked GDPR calendar entries for applicability, DSAR response timing, breach notification, DPIA review, prior consultation, transfer reviews, and retention checks.
EU GDPR DPIA and Prior Consultation Workflow
Screen high-risk processing, run a GDPR Article 35 DPIA, record mitigation, and identify when Article 36 prior consultation is required.
EU GDPR DPIA and risk management under Articles 35 and 36
EU GDPR DPIA guide covering Article 35 triggers and contents, CNIL and DPC PIA methods, residual risk, mitigation records, and prior consultation limits.
EU GDPR DSAR Exceptions: refusal, extensions, identity checks
FAQ on when EU GDPR controllers may extend, charge for, narrow, redact, or refuse a data subject access request under Articles 12 and 15.
EU GDPR DSAR Workflow: Intake, Clock, Rights, and Evidence
Run a GDPR DSAR workflow for intake, identity checks, rights scoping, one-month response timing, extensions, refusals, processor handoffs, and evidence records.
EU GDPR FAQ: scope, lawful basis, rights, DPIA, breaches, transfers
Direct EU GDPR FAQ answers on scope, controller and processor roles, lawful basis, data subject rights, DPIAs, breach notification, international transfers, and Article 83 fine tiers.
EU GDPR Lawful Basis and Consent Guide
Focused GDPR guide to Article 6 lawful bases, consent conditions, legitimate interests, special category data, withdrawal, and evidence records.
EU GDPR Lawful Basis and LIA Workflow for Article 6(1)(f)
Assess GDPR legitimate interests with a purpose, necessity, balancing, Article 21 objection, and evidence-record workflow grounded in Article 6(1)(f).
EU GDPR Lead Supervisory Authority and One-Stop-Shop
How GDPR main establishment, cross-border processing, Article 56 lead authority competence, and Article 60 cooperation fit together.
EU GDPR LIA Template for Article 6(1)(f)
Use this EU GDPR legitimate interests assessment template to document Article 6(1)(f) purpose, necessity, balancing, safeguards, objection rights, and evidence.
EU GDPR penalties and fines: Article 83 tiers and evidence
EU GDPR penalties and fines guide covering Article 83 fine tiers, assessment factors, Article 58 powers, and evidence records for controllers and processors.
EU GDPR Processor Contracts and Vendor Management | Article 28 Evidence Guide
EU GDPR Article 28 guide for processor contracts, sub-processor controls, controller-processor role boundaries, vendor evidence, and SCC transfer clauses where applicable.
EU GDPR Record of Processing Activities Template: Article 30 RoPA Fields
Build a GDPR Article 30 record of processing activities with separate controller and processor fields for purposes, data categories, recipients, transfers, erasure time limits, and security measures.
EU GDPR Requirements: scope, rights, security, DPIA, RoPA, and transfers
Overview of core EU GDPR requirements covering scope, principles, lawful basis, notices, data-subject rights, processors, RoPA, security, breaches, DPIAs, and international transfers.
EU GDPR Retention and Erasure Schedule
Build an EU GDPR retention and erasure schedule around storage limitation, Article 17 erasure grounds, Article 12 rights handling, Article 19 recipient notices, and Article 30 RoPA fields.
EU GDPR SCC Transfer Impact Assessment FAQ
source-linked FAQ on when SCC transfer impact assessments are needed, what Clause 14 records, and when supplementary safeguards or transfer suspension are required.
EU GDPR Transfer TIA and SCC Workflow
A GDPR workflow for checking adequacy, selecting SCC modules, documenting transfer impact assessments, and recording supplementary measures for third-country transfers.
EU GDPR Transparency Notices: Articles 12, 13 and 14
Source-grounded GDPR guide to privacy notices under Articles 12, 13 and 14: direct collection, third-party data sources, recipients, transfers, retention, rights, and lawful basis.
EU GDPR vs Brazil LGPD: GDPR-led comparison and source gaps
Compare EU GDPR duties with Brazil LGPD only where the available sources support the comparator, with GDPR rows for lawful basis, rights, breach, transfers, roles, and evidence.
EU GDPR vs California CCPA: grounded GDPR comparison limits
Compare GDPR implementation duties with source-limited California CCPA/CPRA context, showing where the available grounding supports a claim and where it does not.
EU GDPR vs ePrivacy Directive: personal data, cookies, consent, and communications
Compare the EU GDPR and ePrivacy Directive for personal data processing, consent and lawful basis, cookies and terminal access, electronic communications, and parallel compliance.
EU GDPR vs UK GDPR: source-limited compliance comparison
Compare EU GDPR obligations with source-limited UK GDPR transfer notes grounded in EU GDPR sources, covering scope, lawful basis, rights, accountability, records, DPIAs, security, and transfers.
GDPR processor vs controller: role boundaries and evidence
Decide whether a party is a GDPR controller, processor, or joint controller using purpose-and-means tests, Article 28 terms, Article 26 arrangements, and Article 30 records.
GDPR vs EU AI Act: privacy controls for AI systems
Compare GDPR privacy duties with the EU AI Act only where the GDPR source pack supports the point: lawful basis, notices, DPIA, ADM, RoPA, rights, and source limits.
GDPR vs EU Data Act: personal data safeguards and source limits
Compare GDPR obligations with the EU Data Act only where the available GDPR grounding supports the fact pattern, with clear safeguards for personal data, rights, transfers, and accountability.
When does the EU GDPR require a DPIA?
Answer the EU GDPR DPIA threshold question with Article 35 triggers, high-risk criteria, supervisory-authority list checks, and DPIA content requirements.
When does the GDPR 72-hour breach notification clock start?
GDPR breach-awareness FAQ covering the Article 33 clock, processor escalation, delayed or phased notifications, risk assessment, and records to keep.