Skip to content
Last reviewed: 2026-05-04 Methodology Report inaccuracy

Topic · TRANSFERS

International data transfers

Schrems II, DPF, SCCs — what works where in 2026.

Cross-border transfer decision tree — try mechanisms in priority order If a question answers Yes → use that mechanism. If No → try the next. 1 Adequacy decision exists for the destination? EC, UK ICO, or Swiss FDPIC adequacy list YES Art 45 · direct path No supplementary measures required NO 2 Standard Contractual Clauses + TIA in place? EU 2021 SCCs + Transfer Impact Assessment YES Art 46(2)(c) · most common path Supplementary measures may be required (post-Schrems II) NO 3 Binding Corporate Rules approved? Intra-group transfers only · lead DPA approval YES Art 47 · group-internal path Approval typically takes 12–24 months NO 4 US importer DPF-certified? EU-US Data Privacy Framework · dpf.gov self-certification YES DPF · US-specific path EU General Court upheld T-553/23 on 2025-09-03; CJEU appeal pending NO 5 Article 49 derogation applies? Consent · contract · vital · public interest · legal claims YES Art 49 · narrow exception Case-specific; not for systematic transfers NO No mechanism applies → transfer prohibited Re-architect the data flow (regional hosting, EU-only processing) or stop the transfer.

Countries currently covered by adequacy decisions · 14

As of 2026-05. EC, UK ICO, and Swiss FDPIC maintain parallel lists; UK + CH inherit most EC decisions but make their own determinations.

Andorra Argentina Canada (PIPEDA) Faroe Islands Guernsey Isle of Man Israel Japan Jersey New Zealand South Korea Switzerland United Kingdom Uruguay
Mechanism When applicable Setup Renewal Frequency Statute
Adequacy decision Destination appears on EC / UK / CH adequacy list None — the decision sets the rule Periodic EC review Used when available GDPR Art 45
SCCs + TIA Default fallback when no adequacy / BCR / DPF Execute SCCs + perform TIA Re-do TIA on material change Most common in practice GDPR Art 46(2)(c)
Binding Corporate Rules Intra-group transfers within a corporate family Lead DPA approval (12–24 months) Periodic review Rare — high setup cost GDPR Art 47
EU-US DPF Destination is a US importer that has self-certified US importer self-certifies on dpf.gov Annual re-certification Common for US transfers EC adequacy decision 2023-07-10
Article 49 derogation Narrow case-specific exception (consent, contract, vital interest) None — case-by-case justification Per-transfer Rare — not for systematic flows GDPR Art 49

Most controllers default to SCCs+TIA when adequacy isn't available; DPF is the US-specific shortcut.

Cross-border transfers under GDPR Chapter V — 5 mechanisms tried in priority order. Editorial reading; not legal advice.

Personal data leaves the EU, UK, Switzerland, Canada (Quebec), Brazil, Korea, India and many other regimes only under specific safeguards. The post-Schrems II landscape (CJEU C-311/18, July 2020) means a contract is rarely enough on its own.

The four EU transfer mechanisms

  1. Adequacy decisions (GDPR Art 45). The Commission has decided the country offers equivalent protection. Active for: Andorra, Argentina, Canada (commercial), Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, South Korea, Switzerland, UK, Uruguay, USA (under DPF only — see below).
  2. Data Privacy Framework (DPF). The current EU-US adequacy bridge, in force since July 2023 — replacing Privacy Shield (struck down 2020). Specific to certified US recipients. German LfDI BW, CNIL, and Garante all expect supplementary measures (TIA — Transfer Impact Assessment) even with DPF active.
  3. Standard Contractual Clauses (SCCs). The 2021 modular SCCs cover most B2B vendor relationships. Transfer Impact Assessment + supplementary technical measures (encryption-in-transit, encryption-at-rest, no-keys-shared, sub-processor obligations) are non-negotiable.
  4. Binding Corporate Rules (BCRs). Intra-group transfers within multinational corporations — long approval process, only practical for large enterprises.

Schrems II realities

If your US-based vendor is subject to FISA 702 surveillance authority, no contract or DPF certification fully cures the access risk to a US court of inquiry. The technical controls that actually move the needle:

Other regional regimes

UK Extension to DPF (Oct 2023) — UK companies can transfer to DPF-certified US entities. Swiss-US DPF — same model, separate certification.

Brazil LGPD Art 33 — adequacy decisions pending; SCC-equivalent contracts allowed. India DPDPA §16 — restricted-territories list to be notified; default permitted unless restricted. Korea PIPA Art 17 — opt-in re-consent often required for cross-border; one of the strictest regimes.

Practical workflow

For every vendor you onboard: (1) document where the data physically goes, (2) identify the legal mechanism, (3) run a TIA if SCCs/DPF, (4) document supplementary technical measures, (5) re-review annually. Vendor due-diligence templates handle this systematically.