GDPR International Data Transfers: SCCs, Adequacy, and the EU-First Case
Moving personal data outside the EU under GDPR Chapter V — adequacy decisions, Standard Contractual Clauses, transfer impact assessments after Schrems II, and why EU-based data processing is becoming a commercial decision, not just a legal one.
GDPR International Data Transfers: SCCs, Adequacy, and the EU-First Case
The moment personal data leaves the European Economic Area, it leaves the GDPR's home jurisdiction — and the GDPR responds by attaching conditions designed to ensure the protection travels with the data. Those conditions, set out in Chapter V of the GDPR, are among the most litigated, most revised, and most commercially consequential parts of the entire regulation.
This article covers the mechanisms for lawful international transfer — adequacy decisions, Standard Contractual Clauses, the other Chapter V tools — the transfer impact assessment that Schrems II made unavoidable, and the increasingly hard-headed commercial case for keeping data in the EU in the first place. For how GDPR sits alongside NIS2 and DORA, start with GDPR, NIS2 and DORA: How the Three EU Regimes Intersect.
This is not legal advice. The international-transfer area is unusually fast-moving — adequacy decisions and transfer frameworks are periodically litigated and revised. Verify the current position before relying on any specific mechanism.
What counts as an international transfer
GDPR Chapter V governs the transfer of personal data to a third country (any country outside the EEA) or to an international organisation. The principle is straightforward: such a transfer is lawful only if the conditions of Chapter V are met, in addition to the rest of the GDPR. Chapter V is not a substitute for having a lawful basis and complying with the GDPR's other obligations — it is an extra layer that applies specifically because the data is leaving.
The concept of "transfer" is broader than physically moving a file. Remote access to EU-stored personal data from a third country is generally treated as a transfer. Storing data with a cloud provider whose support staff in a third country can access it is a transfer. The question is not only where the data sits but who, in which jurisdiction, can reach it.
The transfer mechanisms, in order of preference
Chapter V provides a hierarchy of mechanisms. They are not equal — some are far less operationally burdensome than others.
Adequacy decisions — Article 45
The cleanest mechanism. The European Commission can decide that a third country, a territory, or a sector within a third country ensures an adequate level of data protection. Where an adequacy decision exists, personal data can flow to that destination as freely as within the EU — no additional safeguards required.
The Commission has adopted adequacy decisions for a number of jurisdictions. Adequacy is the preferred route precisely because it removes the per-transfer compliance burden. But adequacy decisions are not permanent — they are reviewed periodically, and they can be — and have been — challenged before the Court of Justice of the European Union. An organisation relying on adequacy should treat the decision as a live status to monitor, not a settled fact.
Standard Contractual Clauses — Article 46
Where no adequacy decision covers the destination, the most common mechanism is Standard Contractual Clauses (SCCs) — model contractual terms adopted by the European Commission that the data exporter and importer both sign, contractually binding the importer to GDPR-equivalent protections.
The Commission modernised the SCCs in 2021 into a modular form covering different transfer scenarios (controller-to-controller, controller-to-processor, and others). SCCs are flexible and widely used — but, since Schrems II, signing the SCCs is not by itself sufficient. They must be accompanied by a transfer impact assessment (below).
Other Article 46 safeguards
Chapter V also recognises Binding Corporate Rules (BCRs) — for transfers within a corporate group, approved by a supervisory authority — as well as approved codes of conduct and approved certification mechanisms. BCRs are robust but slow and expensive to establish; they suit large multinationals more than SMEs.
Derogations — Article 49
For situations not covered by the above, Article 49 provides derogations for specific situations — explicit consent, performance of a contract with the data subject, important reasons of public interest, and others. The derogations are deliberately narrow and intended for occasional, non-systematic transfers. Relying on a derogation for routine, repetitive transfers is generally not defensible — the European Data Protection Board has been clear that derogations are exceptions, not a structural transfer mechanism.
The transfer impact assessment — the Schrems II legacy
The single most important development in international transfers came from the Court of Justice's Schrems II judgment, which invalidated the then-current EU-US transfer framework and reshaped how SCCs must be used.
The core holding for practical purposes: SCCs remain valid, but the exporter cannot simply sign them and stop. The exporter must assess whether the law and practice of the destination country would undermine the protections the SCCs promise — in particular, whether public authorities in that country could access the transferred data in ways incompatible with EU fundamental rights. Where the destination's law would undermine the SCCs, the exporter must either implement supplementary measures that restore an essentially equivalent level of protection, or not make the transfer.
This assessment is the transfer impact assessment (TIA). In practice, an organisation transferring personal data outside the EEA under SCCs must, for each transfer or category of transfer:
- Map the transfer — what data, to where, to whom, by what means
- Identify the transfer mechanism (usually SCCs)
- Assess the destination country's law and practice, particularly government access powers
- Identify supplementary measures where the assessment shows a gap — technical (strong encryption with EU-held keys, pseudonymisation), contractual, or organisational
- Document the assessment and the conclusion
- Re-assess periodically, since the destination's law and practice can change
The TIA is now an unavoidable part of any non-adequacy international transfer. It is also genuinely difficult — assessing a foreign country's surveillance law is not a routine compliance task — which is part of what drives the next section.
The EU-first case — when data residency becomes a decision
Here is the strategic point that the mechanics build toward. Every international transfer carries a compliance cost — the TIA, the supplementary measures, the monitoring of adequacy status, the residual legal uncertainty. For a growing number of European organisations, the rational response is to ask a prior question: does this data need to leave the EU at all?
Keeping personal data within the EU — EU-based cloud regions, EU-based processors, EU-resident support staff — does not engage Chapter V at all. No TIA, no SCCs, no supplementary measures, no adequacy-status monitoring. The compliance burden of the entire international-transfer apparatus simply does not arise.
This is increasingly framed not only as a legal simplification but as a commercial differentiator. For organisations whose customers are themselves regulated — financial entities under DORA, essential entities under NIS2, public sector bodies — the ability to state that personal data never leaves the EU is a procurement advantage. DORA's own third-party regime requires financial entities to know and assess where their ICT providers process data; a provider that can answer "entirely within the EU" removes a category of risk from the customer's assessment. The connection to supplier due diligence is covered in Data Processor Due Diligence: GDPR Article 28 Meets NIS2 Supply Chain.
The EU-first position has trade-offs — it can constrain tooling choices, and not every service has a mature EU-based equivalent. It is a decision, not a default. But it is a decision more European organisations are making deliberately, because the alternative — a sprawl of international transfers each carrying its own TIA and its own residual uncertainty — has a real and recurring cost. For an organisation building its data architecture now, designing for EU residency from the start is far cheaper than retrofitting it after an adequacy decision is challenged.
How transfers intersect with NIS2 and DORA
International transfers are primarily a GDPR concern, but the other two regimes touch the same question from their own angles.
NIS2 does not regulate personal data transfers as such, but its supply chain obligation (Article 21(2)(d)) requires assessing the security of suppliers — and where a supplier processes data outside the EU, the jurisdictional dimension is part of that security assessment.
DORA requires financial entities to document, in the Register of Information, where their ICT providers process and store data — see DORA Register of Information: Template and Requirements. DORA's concentration risk assessment also has a jurisdictional dimension: a critical function dependent on a provider operating from a particular third country carries a geopolitical exposure that DORA expects to be assessed.
The three regimes therefore converge on a single practical truth: knowing where your data and your dependencies physically and legally sit is now a multi-regime obligation, not a GDPR niche. The cross-domain analysis The Trust Supply Chain develops this point.
Common pitfalls
- Treating SCCs as sufficient on their own. Post-Schrems II, SCCs require an accompanying transfer impact assessment. Signing the clauses and stopping is not compliant.
- Missing remote access as a transfer. Third-country support staff accessing EU-stored data is a transfer, even though no data is "sent" anywhere.
- Relying on Article 49 derogations for routine transfers. Derogations are for occasional, non-systematic situations — not a structural transfer mechanism.
- Treating adequacy as permanent. Adequacy decisions are reviewed and can be litigated. Relying on one means monitoring its status.
- Never re-assessing. The TIA depends on the destination country's law and practice, which change. A TIA from three years ago may no longer hold.
- Ignoring the EU-first option. The most reliable way to avoid the entire transfer compliance burden is not to transfer. Many organisations never assess whether they could simply keep the data in the EU.
Frequently asked questions
Can I transfer personal data to a country with an adequacy decision freely? Largely yes — where a valid adequacy decision covers the destination, data can flow without additional safeguards. But monitor the decision's status, as adequacy can be reviewed or challenged.
Are Standard Contractual Clauses still valid after Schrems II? Yes. SCCs remain valid, but they must be accompanied by a transfer impact assessment and, where needed, supplementary measures.
Is remote access from outside the EU a transfer? Generally yes. If personnel in a third country can access EU-stored personal data, that access is treated as an international transfer subject to Chapter V.
What is a transfer impact assessment? An assessment of whether the destination country's law and practice would undermine the protections of the chosen transfer mechanism, and what supplementary measures are needed to restore essentially equivalent protection.
Can I just use consent for international transfers? Explicit consent is an Article 49 derogation, suitable for occasional, specific transfers. It is not a sound basis for routine, systematic transfers.
Does keeping data in the EU remove all transfer obligations? Keeping personal data and its access strictly within the EEA means Chapter V does not apply at all — no SCCs, no TIA, no adequacy monitoring. It is the cleanest way to avoid the transfer compliance burden.
The bottom line
Three takeaways:
- There is a hierarchy of transfer mechanisms — use the cleanest available. Adequacy first, SCCs with a TIA second, derogations only for genuine exceptions.
- Schrems II made the transfer impact assessment unavoidable. SCCs alone are not enough; the destination country's law must be assessed and supplementary measures applied where needed.
- EU-first is a legitimate strategic choice. Keeping data in the EU removes the entire Chapter V burden — and is increasingly a commercial advantage with regulated customers.
For how data location intersects with supplier risk across all three regimes, see GDPR, NIS2 and DORA: How the Three EU Regimes Intersect and Data Processor Due Diligence: GDPR Article 28 Meets NIS2 Supply Chain.
Sources & further reading
- Regulation (EU) 2016/679 — GDPR — Chapter V, Articles 44 to 49 (international transfers)
- Court of Justice of the European Union — Schrems II judgment (Case C-311/18)
- European Commission — Standard Contractual Clauses (2021 modernised SCCs); adequacy decisions
- European Data Protection Board (EDPB) — Recommendations on supplementary measures for transfer tools
- Regulation (EU) 2022/2554 — DORA — Article 28 (ICT third-party data location documentation)