International Data Transfers Outside the EEA — Standard Contractual Clauses, Schrems II, and Transfer Impact Assessment
Transferring personal data to third countries — outside the European Economic Area (EEA) — is an everyday reality for virtually every organisation. If you use Google Workspace, Microsoft 365, Amazon Web Services (AWS), Salesforce, Mailchimp, Slack, or Zoom, there is a high probability that your data — or the data of your customers and employees — ends up in the US or other countries outside the EEA.
The GDPR (Chapter V, Articles 44–50) imposes strict conditions on such transfers, and since the Court of Justice of the EU’s Schrems II ruling, this topic has become one of the most critical in data protection law. This article explains the available transfer mechanisms, how to properly implement Standard Contractual Clauses (SCCs), and when a Transfer Impact Assessment (TIA) is required.
The General Principle — Data Stays in the EEA
The GDPR’s starting point is that personal data may flow freely within the EEA (the 27 EU Member States plus Norway, Iceland, and Liechtenstein). A transfer to a third country is only permitted where the level of protection guaranteed by the GDPR is not undermined (Article 44), which in practice means one of the mechanisms in Chapter V applies: an adequacy decision, appropriate safeguards such as SCCs or BCRs, or, exceptionally, a derogation.
Article 44 of the GDPR provides that any transfer to a third country may only take place if the controller or processor complies with the conditions set out in Chapter V. This applies to both one-off transfers and systematic data flows (e.g., continuous synchronisation with a cloud service).
Mechanism 1: Adequacy Decision (Article 45 GDPR)
The simplest transfer mechanism — the European Commission issues a decision finding that a given third country ensures an adequate level of data protection. Transfers to such a country require no additional safeguards and are treated like intra-EEA transfers.
Current adequacy decisions cover, among others: Andorra, Argentina, the Faroe Islands, Guernsey, Israel, Japan, Jersey, South Korea, New Zealand, Switzerland, Uruguay, the United Kingdom, and — since July 2023 — the United States (under the EU-US Data Privacy Framework, but only for certified entities).
The full and current list of countries with adequacy decisions is available on the European Commission’s website.
The EU-US Data Privacy Framework — Transfers to the US
The history of data transfers to the US is a series of legal upheavals:
Safe Harbor (2000–2015) — the first agreement governing EU-US data transfers. Invalidated by the CJEU in Schrems I (C-362/14, judgment of 6 October 2015) because of mass surveillance by US intelligence agencies (revealed by Edward Snowden).
Privacy Shield (2016–2020) — Safe Harbor’s successor. Invalidated by the CJEU in Schrems II (C-311/18, judgment of 16 July 2020) for essentially the same reasons: the Court found that US surveillance law (Section 702 FISA, Executive Order 12333) did not provide protection essentially equivalent to that guaranteed in the EU, and that EU data subjects had no effective judicial remedy against it.
EU-US Data Privacy Framework (DPF) (adequacy decision of 10 July 2023) — the currently applicable arrangement. The European Commission issued an adequacy decision based on new safeguards introduced by the US, including Executive Order 14086, which limits US intelligence agencies’ access to data to what is necessary and proportionate and establishes a two-tier redress mechanism ending in the Data Protection Review Court.
The DPF applies only to US entities that have self-certified with the US Department of Commerce; the list is available at dataprivacyframework.gov. Google, Microsoft, Amazon, Meta, Salesforce, and most major technology providers have obtained certification. Certification is granted per legal entity and states its scope (in particular whether HR data is covered), so check that the exact importer entity named in your contract appears on the list with an active certification before relying on the DPF.
Is the DPF safe in the long term? This is the key question. Max Schrems and the organisation NOYB have announced they will challenge the DPF — a potential Schrems III ruling could once again invalidate the US transfer mechanism. Organisations should therefore treat the DPF as the currently valid mechanism while simultaneously being prepared for alternative scenarios.
Mechanism 2: Standard Contractual Clauses — SCCs (Article 46(2)(c) GDPR)
If the third country does not have an adequacy decision (or — as in the case of the US — you want to be prepared in case the DPF is invalidated), the most commonly used mechanism is Standard Contractual Clauses (SCCs).
SCCs are model contractual clauses approved by the European Commission (Implementing Decision (EU) 2021/914 of 4 June 2021). They bind both parties, but their core purpose is to impose obligations on the data importer (the entity in the third country) that ensure an adequate level of data protection, and they give data subjects enforceable third-party beneficiary rights.
The current SCCs (2021 version) have a modular structure covering four scenarios:
Module 1: Controller → Controller (C2C) — e.g., a company in the EU shares customer data with a partner company in the US.
Module 2: Controller → Processor (C2P) — e.g., a company in the EU uses a cloud service from a US provider. This is the most common scenario.
Module 3: Processor → Processor (P2P) — e.g., a processor in the EU uses a sub-processor in a third country.
Module 4: Processor → Controller (P2C) — e.g., a data processor in the EU transfers data to a controller in a third country.
How to implement SCCs?
Determine which SCC module corresponds to your transfer scenario.
Complete the SCC annexes — a description of the transfer (categories of data, data subjects, purposes, recipients) and the technical and organisational measures applied by the importer.
Sign the SCCs with the data importer — SCCs must be signed by both parties (exporter and importer) and may not be modified except to select the options they provide (e.g., the docking clause, the governing law and forum). In practice, many major providers (Google, Microsoft, AWS) incorporate SCCs into their service terms or data processing agreements; in that case, check that the module, the selected options, and the annexes (including the list of sub-processors in Annex III for Modules 2 and 3) match your actual transfer.
Conduct a Transfer Impact Assessment (TIA) — this is an obligation arising from the Schrems II ruling and from the SCCs themselves (Clause 14, which also requires the assessment to be documented and made available to the supervisory authority on request; Clause 15 sets out the importer’s duties if public authorities request access to the data).
Transfer Impact Assessment (TIA) — The Post-Schrems II Obligation
The CJEU’s Schrems II ruling introduced a crucial requirement: merely signing SCCs is not enough. The data exporter must additionally assess whether the laws of the third country prevent the importer from fulfilling their SCC obligations — in particular, whether local surveillance law allows the government to access data in a manner that violates the rights of individuals in the EU.
A TIA is a written assessment that should cover:
1. Circumstances of the transfer: What data is being transferred (categories, sensitivity)? To which country and entity? For what purpose? Through what channel (encrypted, unencrypted)? Will data be stored in the third country or only processed in transit?
2. Analysis of the third country’s legal framework: Do the authorities of the third country have powers to access the data (surveillance law, disclosure requests)? Are these powers proportionate and subject to judicial oversight? Do individuals from the EU have access to effective remedies? What is the practical experience — do the authorities actually exercise these powers with respect to data of this type?
3. Assessment of supplementary measures: Are additional technical measures applied (end-to-end encryption, pseudonymisation, encryption keys under the exporter’s control)? Are additional contractual measures applied (importer’s commitment to challenge disclosure requests, to inform the exporter of government requests)? Are additional organisational measures applied (data minimisation, access limitation)?
4. Conclusion: Do the SCCs plus supplementary measures collectively ensure an adequate level of protection? If yes — the transfer may proceed. If no — the transfer must be suspended or halted.
The EDPB in Recommendations 01/2020 provides a detailed TIA methodology and examples of supplementary measures. This is the key document for anyone conducting a TIA.
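The technical supplementary measure most often relied on in practice is the one the EDPB describes as transfer of pseudonymised data (Annex 2, Use Case 2): direct identifiers are replaced by keyed pseudonyms before export, and the key and re-identification table never leave the exporter. The script below is an added example, not code from this page, from the EDPB, or from any vendor named in this article; it assumes a hypothetical record layout (email, name, phone, country, plan, birth_date) and constructed sample data, and it goes one step beyond the text by also coarsening a quasi-identifier (birth date to year) and refusing to ship a batch in which an identifier survived.

```python
"""Pseudonymisation before export, with the re-identification key held by the exporter.

Added example; not code from the page or from any vendor named in it.
Assumes a hypothetical record layout and constructed sample data (below).
"""
import hashlib
import hmac
import json
import secrets

# Constructed sample data (hypothetical people, for illustration only).
SAMPLE_RECORDS = [
    {"email": "anna@example.eu", "name": "Anna Nowak", "phone": "+48 600 000 001",
     "country": "PL", "plan": "pro", "birth_date": "1988-04-12"},
    {"email": "jan@example.eu", "name": "Jan Kowalski", "phone": "+48 600 000 002",
     "country": "PL", "plan": "free", "birth_date": "1991-11-30"},
]

# Fields that identify a person directly: these never leave the EEA in clear text.
DIRECT_IDENTIFIERS = ("email", "name", "phone")
# Fields that could single someone out in combination: coarsened before export.
QUASI_IDENTIFIERS = {"birth_date": lambda v: v[:4]}  # keep the year only


def new_exporter_key() -> bytes:
    """Secret kept only by the exporter. Losing it breaks re-identification;
    leaking it to the importer turns pseudonymised data back into personal data."""
    return secrets.token_bytes(32)


def pseudonym(key: bytes, email: str) -> str:
    """Keyed, deterministic pseudonym (HMAC-SHA256): the same person gets the same
    reference across exports, but the value is unguessable without the key."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()[:32]


def pseudonymise(records, key):
    """Return (export_set, lookup). The export_set goes to the importer; the lookup
    table (pseudonym -> identifiers) stays with the exporter in the EEA."""
    export_set, lookup = [], {}
    for rec in records:
        ref = pseudonym(key, rec["email"])
        lookup[ref] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        out = {"subject_ref": ref}
        for k, v in rec.items():
            if k in DIRECT_IDENTIFIERS:
                continue
            out[k] = QUASI_IDENTIFIERS.get(k, lambda x: x)(v)
        export_set.append(out)
    return export_set, lookup


def leaks_identifiers(export_set) -> bool:
    """Pre-transfer check: True if any direct identifier field survived in the
    payload, or if anything looking like an e-mail address is still present."""
    field_leak = any(k in rec for rec in export_set for k in DIRECT_IDENTIFIERS)
    return field_leak or "@" in json.dumps(export_set).lower()


def reidentify(export_record, lookup):
    """Exporter-side join back to the real person. The importer cannot do this
    because it never receives `lookup` or the key."""
    return lookup[export_record["subject_ref"]]


if __name__ == "__main__":
    key = new_exporter_key()
    export_set, lookup = pseudonymise(SAMPLE_RECORDS, key)
    if leaks_identifiers(export_set):
        raise SystemExit("refusing to export: identifiers present in payload")
    print(json.dumps(export_set, indent=2))  # this is all the importer receives
```

The measure only holds if the remaining attributes do not allow the importer (or a public authority with access to the importer's systems) to single out individuals; the example coarsens one quasi-identifier, but a real TIA has to look at the combination of all exported fields and at any other data the importer already holds about the same people.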
Practical Scenarios — Most Common Transfers
Google Workspace / Google Analytics
Google LLC is certified under the DPF — the transfer to the US is currently permissible under the adequacy decision. Google additionally offers SCCs as a fallback mechanism (in case the DPF is invalidated). Google provides detailed documentation on security measures and data locations.
Microsoft 365 / Azure
Microsoft Corporation is certified under the DPF. Microsoft also offers SCCs and the option to store data exclusively in EU data centres (EU Data Boundary). This option minimises the transfer risk — although it does not eliminate it entirely (technical support from the US may involve data access).
Amazon Web Services (AWS)
Amazon is certified under the DPF. AWS offers SCCs and the option to choose the region in which data is stored (e.g., Frankfurt, Ireland). As with Microsoft, it is advisable to keep data in an EU region, but region selection only controls where the data is stored; the provider remains a US company subject to US disclosure law, so a TIA is still required for the residual risk.
Mailchimp, HubSpot, Salesforce
All of these entities are certified under the DPF and offer SCCs. When using marketing platforms, pay attention to the scope of data being transferred — email addresses, behavioural data, profile data — and ensure that the privacy notice correctly informs about the transfer.
Binding Corporate Rules — BCRs (Article 47 GDPR)
Binding Corporate Rules (BCRs) are internal data protection policies adopted by a corporate group or a group of enterprises engaged in joint economic activity. BCRs must be approved by the competent supervisory authority.
BCRs are primarily used by large multinational corporations — the approval process is complex and time-consuming (it can take 1–2 years). For small and medium-sized companies, SCCs are a far more practical solution.
Derogations — Article 49 GDPR
Where there is no adequacy decision, SCCs, or BCRs, the GDPR provides a catalogue of derogations in Article 49 that permit transfers in specific circumstances:
Explicit consent of the data subject — after being informed of the risks. To be used as a last resort, not as a standard mechanism.
Contract performance — the transfer is necessary for the performance of a contract between the data subject and the controller (e.g., booking a hotel abroad).
Important reasons of public interest — recognised in EU or Member State law.
Establishment, exercise, or defence of legal claims.
Vital interests of the data subject — where the data subject is incapable of giving consent.
These derogations are limited in scope and cannot serve as the basis for systematic, large-scale data transfers. The EDPB emphasises that they should be applied exceptionally and interpreted narrowly.
Documentation Obligations
Data transfers outside the EEA require proper documentation:
Record of Processing Activities (ROPA) — Article 30 GDPR requires the ROPA to include information about transfers to third countries and the safeguards applied.
Privacy notice — Articles 13(1)(f) and 14(1)(f) GDPR require that data subjects be informed of the intention to transfer data to a third country and the applicable mechanism (adequacy decision, SCCs, etc.).
Signed SCCs — if used, they must be properly completed and signed.
TIA — a written assessment of the third country’s laws and supplementary measures.
Data processing agreement — if the transfer is to a data processor, it must address transfer issues (Article 28 GDPR).
Most Common Transfer Mistakes
Lack of awareness that a transfer is occurring — the organisation uses cloud services, analytics tools, or marketing platforms based in the US without realising that this constitutes a transfer of data outside the EEA.
Relying solely on the DPF without a contingency plan — the DPF may be invalidated. Organisations should have SCCs (and the accompanying TIA) ready as a fallback mechanism so that transfers can continue on another legal basis.
No TIA — signing SCCs without conducting a Transfer Impact Assessment. This violates the Schrems II requirements.
Outdated SCCs — using the old contractual clauses (pre-2021). New contracts have had to use the SCCs from Decision 2021/914 since 27 September 2021, and existing contracts had to be migrated by 27 December 2022; the old clauses no longer provide a valid transfer basis.
No information in the privacy notice — failing to inform data subjects about data transfers to third countries and the mechanism used.
Superficial TIA — an assessment limited to a single sentence such as “the US ensures an adequate level of protection under the DPF” without analysing the specific transfer scenario.
Checklist — Data Transfers Outside the EEA
- Identify all data transfers outside the EEA in your organisation (cloud services, tools, sub-processors).
- Check whether the destination country is covered by an adequacy decision (for the US, whether the specific importer entity holds an active DPF certification).
- If not — implement SCCs (the appropriate module).
- Conduct a TIA for each transfer.
- Implement supplementary measures (encryption, pseudonymisation, EU data localisation).
- Update privacy notices with transfer information.
- Update the ROPA with transfer details.
- Prepare a contingency plan in case the DPF is invalidated.
- Monitor legal developments (potential Schrems III, ePrivacy Regulation).
- Regularly review and update transfer documentation.
Need Help With International Data Transfers?
International data transfers are one of the most complex areas of the GDPR — requiring legal, technical, and geopolitical analysis simultaneously. At the Law Office of Dr Joanna Maniszewska-Ejsmont, we help companies manage their data transfers comprehensively — from identifying transfers, through implementing SCCs and conducting TIAs, to preparing documentation and contingency plans.

Contact us — we will analyse your data transfers and propose optimal safeguards.
