The moment personal data leaves the EU — to a cloud region, an offshore team, or a foreign vendor — GDPR’s transfer rules apply. Getting them right is one of the more technical, and frequently mishandled, parts of GDPR compliance, especially as data flows through global services.
This guide explains what counts as a transfer, the hierarchy of mechanisms — adequacy, the Data Privacy Framework, SCCs, BCRs and derogations — and how to choose and document the right one for each flow.
The rule on transfers
GDPR places special restrictions on sending personal data outside the EU/EEA. The principle is that protection should travel with the data: you may only transfer it to a third country if that country, or the transfer arrangement, ensures an essentially equivalent level of protection.
This matters constantly in practice, because so much data flows through global cloud, SaaS and support services hosted around the world — often without anyone consciously deciding to “transfer” it.
What counts as a transfer
A “restricted transfer” is broader than shipping a database abroad. It includes remote access from outside the EU — for example, a support team in another country viewing EU customer data, or data stored in a non-EU cloud region.
So you can be transferring data without moving a file at all. The test is whether personal data becomes accessible from outside the EU/EEA.
The hierarchy of mechanisms
GDPR provides a tiered set of transfer tools. The table summarises them; we explore each below.
| Mechanism | When to use it |
|---|---|
| Adequacy decision | Destination country is recognised as adequate — data flows freely. |
| EU–US Data Privacy Framework | Recipient is a certified US organisation under the DPF. |
| Standard Contractual Clauses | Most other transfers — plus a transfer impact assessment. |
| Binding Corporate Rules | Transfers within a corporate group, under approved internal rules. |
| Derogations (Art 49) | Narrow, occasional cases — e.g. explicit consent or contract necessity. |
Adequacy decisions
The simplest route is an adequacy decision: the European Commission has formally recognised that a country provides adequate protection. Data can then flow to that country as freely as within the EU, with no extra safeguards.
A number of countries hold adequacy, including the UK. If your destination is on the adequacy list, your transfer is straightforward — always check first, because it saves considerable work.
The EU–US Data Privacy Framework
For transfers to the United States, the EU–US Data Privacy Framework offers a route: if your recipient is certified under it, you can transfer without additional safeguards. You must verify that the specific recipient organisation holds an active certification and that the certification covers the relevant data.
The DPF only covers certified recipients, so non-certified US transfers still fall back to other mechanisms.
Standard Contractual Clauses
The workhorse mechanism is the Standard Contractual Clauses (SCCs) — EU-approved contract terms usable for almost any transfer to a non-adequate country. Since the Schrems II ruling, using SCCs also requires a transfer impact assessment and, where the destination’s laws pose risk, supplementary measures such as strong encryption.
SCCs are flexible and widely used, but they carry that assessment burden, unlike adequacy or the DPF.
Binding Corporate Rules
For large multinationals, Binding Corporate Rules (BCRs) are approved internal data protection rules that legitimise transfers within a corporate group. They are robust and tailored, but require approval by a supervisory authority and significant effort to put in place.
BCRs suit groups with substantial intra-group data flows; smaller organisations generally rely on SCCs or the DPF instead.
Derogations for specific situations
Where no other mechanism applies, GDPR allows narrow derogations under Article 49 — for example, the individual’s explicit consent to the transfer, or transfer necessary to perform a contract with them.
These are meant for occasional, non-repetitive transfers, not as a routine basis for ongoing data flows. Relying on derogations for systematic transfers is a common mistake.
The Schrems II legacy
The Schrems II ruling reshaped transfers by stressing that a paper mechanism is not enough — the protection must be effective in practice. That is why SCCs now demand an assessment of the destination’s surveillance laws and, often, technical safeguards.
The broader lesson applies to all mechanisms: focus on whether the data is genuinely protected, not just on having a document on file.
Mapping your transfers
You cannot manage transfers you cannot see, so start by mapping them. For each vendor and data flow, identify whether personal data goes to or is accessible from outside the EU/EEA, which country, and through which sub-processors.
This map — which links to your Record of Processing Activities and sub-processor register — is the foundation for choosing the right mechanism for each transfer.
Choosing the right mechanism
With the map in hand, apply the hierarchy: rely on adequacy where it exists; use the DPF for certified US recipients; otherwise use SCCs with a transfer impact assessment; consider BCRs for intra-group flows; and reserve derogations for genuinely occasional cases.
Document your choice and reasoning for each transfer, so you can demonstrate that every flow out of the EU has a valid basis.
UK transfers after Brexit
The UK has its own transfer regime. Transfers out of the UK use the UK’s International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, plus UK adequacy regulations and the UK extension of the DPF.
Organisations transferring from both the EU and the UK must apply the correct tools for each direction of travel.
How ISpectra helps
International transfers are one of the most technically demanding areas of GDPR compliance. ISpectra Technologies helps organisations map their data flows, select the right mechanism for each transfer, run transfer impact assessments, implement supplementary measures, and align EU and UK requirements — so every transfer out of Europe rests on a defensible basis.
If you are unsure where your data goes or whether your transfers are covered, a transfer review will give you clarity.
In one paragraph
GDPR restricts transfers of personal data outside the EU/EEA — including remote access from abroad — unless protection travels with the data. Use the hierarchy of mechanisms: adequacy decisions let data flow freely to recognised countries; the EU–US Data Privacy Framework covers certified US recipients; Standard Contractual Clauses (with a transfer impact assessment) handle most other transfers; Binding Corporate Rules suit intra-group flows; and narrow Article 49 derogations cover occasional cases. Map your transfers, pick and document the right mechanism for each, add safeguards where the destination’s laws pose risk, and apply the separate UK rules for transfers out of the UK.
A practical transfer workflow
To keep transfers under control without turning every project into a legal exercise, run the same short workflow each time you adopt a tool or notice a new data flow. Ask: does personal data go to, or become accessible from, outside the EU/EEA? If not, there is nothing to do. If yes, identify the destination country and check the hierarchy in order: is the country adequate? Is the recipient certified under the Data Privacy Framework? If neither applies, you fall back to SCCs (with a transfer impact assessment) or, for intra-group flows, Binding Corporate Rules.
Capture the answer in a simple transfer register linked to the vendor, its DPA, and your Record of Processing Activities, noting the mechanism and any supplementary measures. Revisit it when vendors change sub-processors or cloud regions, and whenever the legal landscape shifts — adequacy decisions and frameworks do change over time. This lightweight discipline means that at any moment you can show, transfer by transfer, that data leaving Europe is travelling on a lawful, documented basis — which is exactly what a regulator or a security-conscious customer will want to see.