
Third Country Transfers of Personal Data: Complete Guide to the GDPR Rules

When you transfer personal data to countries outside the EU/EEA, you must comply with the GDPR rules on third country transfers. Get a full overview of adequate and non-adequate countries, transfer mechanisms and practical requirements.


    In a globalised world, working with organisations in other countries is unavoidable, both within and outside the EU. But when that collaboration involves personal data, the GDPR imposes specific rules on transfers to countries outside the EU/EEA, known as third country transfers.

    In this guide, we walk through what a third country transfer is, when the rules are triggered, and which transfer mechanisms you can use to ensure lawful handling of personal data across borders.

    What Is a Third Country Transfer?

    A third country, in the context of the GDPR, is any country that is not a member of the EU/EEA. If you wish to transfer personal data to such third countries, you must comply with the GDPR's provisions on third country transfers.

    A transfer to a third country occurs, for example, when:

    • You use a data processor based in a third country.
    • You use a data processor based in the EU/EEA that has sub-processors based in a third country.
    • You have a call centre in a third country that handles customer calls.
    • An IT consultant in a third country gains access to a database containing customer data.

    Any physical storage, viewing or remote access to personal data from an area outside the EU/EEA triggers the rules on third country transfers.

    Why Are There Special Rules for Third Country Transfers?

    The special requirements for third country transfers exist because the rights of EU citizens must not be undermined by a data controller "exporting" the processing of personal data to a third country. It should not be possible to simply outsource data processing and, in doing so, bypass the rules and leave data subjects worse off.

    In many countries, citizens do not enjoy the same level of data protection as in the EU. Some countries also have intelligence laws that allow third-country authorities to access foreigners' data.

    That is why Articles 44–50 of the GDPR set out the requirements for transferring personal data to third countries. The purpose is to ensure that the EU's data protection standards follow personal data throughout the entire processing lifecycle, even when processing takes place outside the EU.

    Requirements for Third Country Transfers

    All transfers of personal data to third countries must comply with the GDPR. Broadly speaking, there are two categories of third countries to consider: adequate and non-adequate countries.

    Adequate third countries

    The European Commission has determined that certain third countries offer an "adequate" level of data protection. This means personal data can be processed in these countries without diminishing EU citizens' rights. Consequently, no additional authorisation or approval under the GDPR is required to use, for instance, data processors in adequate third countries.

    You can find an up-to-date list of adequate third countries on the European Commission's website.

    Non-adequate third countries

    All countries outside the EU/EEA that are not on the EU's list of adequate third countries are considered non-adequate. Transfers of personal data to these countries can only take place on the basis of a specific transfer mechanism under the GDPR.

    Transfer Mechanisms for Non-Adequate Third Countries

    If you wish to transfer personal data to a non-adequate third country, the transfer must be "subject to appropriate safeguards." This means it must comply with one of the transfer mechanisms set out in Article 46 of the GDPR.

    When assessing which transfer mechanism is best suited for your organisation, you can take into account whether you are a private or public body, whether you are part of a corporate group, and when the transfer mechanism needs to be applied.

    Standard Contractual Clauses (SCCs)

    The most commonly used transfer mechanism for non-adequate third countries is the European Commission's Standard Contractual Clauses (SCCs). These are contract templates, developed by the authorities, that govern how personal data must be handled in connection with the transfer to the third country.

    When you use SCCs as your transfer mechanism, you do not need prior approval from a supervisory authority. This does, however, require that you apply the SCCs correctly and that all parties are able to fulfil the requirements they set out.

    When you are a data controller using SCCs for a transfer to a data processor, the clauses also serve as a data processing agreement, provided you use the relevant modules included in the SCCs.

    Ad hoc contracts

    If you need to transfer data to a non-adequate third country and require adjustments to the content of the SCCs, the result is an ad hoc contract. Ad hoc contracts must be approved by the relevant supervisory authority, which must also obtain an opinion from the European Data Protection Board (EDPB). This can take considerably more time than using SCCs.

    Binding Corporate Rules (BCRs)

    For corporate groups that need to transfer personal data between group companies in non-adequate third countries, Binding Corporate Rules (BCRs) can be used as a transfer mechanism.

    The advantage of BCRs is that a corporate group can establish a single, unified transfer mechanism covering all of the group's transfers to non-adequate third countries, rather than having to set up a separate mechanism for each individual transfer.

    In practice, the group would need to embed these rules in its data protection policy across the organisation to ensure that processing aligns with the transfer mechanism. BCRs must be approved by the relevant supervisory authority and the EDPB, which can take some time.

    Legally binding instruments

    Public authorities can transfer personal data to authorities in a third country if this is required by an international treaty or convention that is legally binding and enforceable in that country. Private organisations may also rely on these instruments if the agreement provides for it.

    Administrative arrangements between public authorities

    A public authority may also transfer personal data to a third-country authority if this is set out in an administrative arrangement. The arrangement must, however, still safeguard data subjects' rights and ensure they are enforceable.

    Codes of conduct and certification mechanisms

    Codes of conduct and certification mechanisms can also serve as transfer mechanisms for third country transfers, but in practice these are not currently in use and are therefore unlikely to be relevant. It would typically fall to industry associations or similar bodies to develop these for the benefit of their members within a given sector.

    Supplementary Measures for Third Country Transfers

    The Court of Justice of the EU (CJEU) has determined that a valid transfer mechanism alone is not sufficient for transfers to non-adequate third countries. Before any transfer takes place, you must ensure that appropriate safeguards are in place.

    This means you must carry out a Transfer Impact Assessment (TIA) before transferring data to a third country. The TIA evaluates conditions in the recipient country to determine whether the transfer mechanism provides data subjects with adequate protection.

    If the assessment reveals that protection is insufficient, you must implement supplementary measures to safeguard the data subjects' information.

    When preparing your Transfer Impact Assessment, you can also draw on your risk assessment for the processing activity that underpins the transfer.

    The EDPB's guidance provides further detail on the supplementary measures you can pair with your transfer mechanism. In this context, technical measures are always required, meaning organisational and contractual measures cannot stand alone.

    Derogations: Special Situations for Third Country Transfers

    In exceptional cases, you may transfer personal data to a non-adequate third country without one of the transfer mechanisms mentioned above, as set out in Article 49 of the GDPR. These derogations are only available in "special situations." If you require a transfer mechanism for an established, recurring business process, you should not rely on these derogations.

    Explicit consent to the transfer

    You may, as an exception, request the data subject's explicit consent to the transfer, provided you also specifically inform them of the risks involved in transferring their data to the non-adequate third country.

    Contractual relationship with the data subject

    You may, as an exception, transfer a data subject's personal data if it is necessary for the performance or conclusion of a contract with them. You may also rely on this derogation if the transfer is necessary to carry out pre-contractual measures at the data subject's request.

    Contractual relationship with a party other than the data subject

    As an exception, you may transfer personal data about a third party to a non-adequate third country if it is necessary for the conclusion or performance of a contract that is in the data subject's interest and has been entered into between you and another party.

    Public interest

    As an exception, you may transfer personal data to a non-adequate third country if it is necessary for important reasons of public interest. These interests must, however, be recognised in national or EU legislation.

    Legal claims

    You may, as an exception, transfer personal data to a non-adequate third country if it is necessary for the establishment, exercise or defence of legal claims, for example in connection with litigation or a dispute. You must ensure that the transfer is genuinely necessary for the legal claim.

    Vital interests

    If a person's life or health is at risk and they are unable to give consent, you may, as an exception, transfer personal data to a non-adequate third country to protect their vital interests.

    Transfer from a public register

    If personal data forms part of a publicly accessible register and a transfer to a non-adequate third country complies with the rules governing access to that register, you may carry out the transfer as an exception, but only on a case-by-case basis and not for the entire register or large volumes of data.

    Compelling legitimate interests

    If none of the other derogations apply, you may, in very limited circumstances, transfer data to a non-adequate third country. This is only permitted on an occasional basis, for a limited number of data subjects, and where the transfer is necessary for a compelling legitimate interest. You must assess the risks, implement appropriate safeguards, and inform both the supervisory authority and the data subject.

    Your assessment and the safeguards for this transfer must also be documented in your Record of Processing Activities (RoPA).

    Overview: Transfer Mechanisms for Third Country Transfers

    Transfer mechanism                  | Who can use it?              | Requires approval?
    ------------------------------------|------------------------------|------------------------------------
    Adequate third countries            | All organisations            | No
    Standard Contractual Clauses (SCCs) | All organisations            | No (but correct use is required)
    Ad hoc contracts                    | All organisations            | Yes, by supervisory authority + EDPB
    Binding Corporate Rules (BCRs)      | Corporate groups             | Yes, by supervisory authority + EDPB
    Legally binding instruments         | Primarily public authorities | No
    Administrative arrangements         | Public authorities           | No (but rights must be safeguarded)
    Consent (Art. 49)                   | All, special situations only | No
    Contractual necessity (Art. 49)     | All, special situations only | No

    Practical Approach: How to Handle Third Country Transfers

    To ensure your organisation complies with the rules on third country transfers, we recommend the following steps:

    1. Map your transfers — Identify every instance where personal data leaves the EU/EEA. Use your Record of Processing Activities and the processing activities recorded in it as your starting point.
    2. Classify the third country — Check whether the recipient country is adequate or non-adequate using the European Commission's list.
    3. Select a transfer mechanism — For non-adequate third countries, choose the appropriate mechanism, typically Standard Contractual Clauses (SCCs).
    4. Carry out a Transfer Impact Assessment — Assess whether the transfer mechanism provides sufficient protection in the recipient country.
    5. Implement supplementary measures — If the TIA reveals insufficient protection, implement technical measures.
    6. Document everything — Ensure the transfer mechanism is documented in your Record of Processing Activities.

    With a compliance platform like .legal, you can keep track of your third country transfers, transfer mechanisms and TIA assessments in a single system. You can also use vendor management to maintain an overview of which suppliers operate in third countries.

    See how .legal can help your organisation with GDPR compliance, or book a demo to see the platform in action.

    Summary

    When transferring personal data to third countries, you must always have a lawful basis for the transfer, documented in your Record of Processing Activities. Adequate third countries require no additional measures, whilst non-adequate third countries require a specific transfer mechanism, typically SCCs, along with a Transfer Impact Assessment.

    Keep in mind that the Article 49 derogations are only available for special situations and cannot be relied upon for recurring business processes. Make sure all transfers and their legal bases are documented in your Record of Processing Activities.

    Frequently Asked Questions about Third Country Transfers

    What is a third country transfer under the GDPR?

    A third country transfer occurs when personal data is transferred to a country outside the EU/EEA. This includes physical storage, viewing or remote access to personal data from a third country, for example when using a data processor or sub-processor based outside the EU/EEA.

    What is an adequate third country?

    An adequate third country is a country outside the EU/EEA that the European Commission has determined provides a sufficient level of data protection. Transfers to adequate third countries do not require additional transfer mechanisms. The up-to-date list is maintained by the European Commission.

    What are Standard Contractual Clauses (SCCs)?

    Standard Contractual Clauses (SCCs) are standardised contract templates issued by the European Commission for transferring personal data to non-adequate third countries. They are the most widely used transfer mechanism and do not require prior approval from a supervisory authority, provided they are applied correctly.

    Do I need to carry out a Transfer Impact Assessment (TIA)?

    Yes. The Court of Justice of the EU has established that a valid transfer mechanism such as SCCs is not sufficient on its own. You must carry out a Transfer Impact Assessment that evaluates conditions in the recipient third country before the transfer can proceed. If protection is found to be insufficient, supplementary measures must be implemented.

    What is the difference between SCCs and an ad hoc contract?

    SCCs are standardised contracts from the European Commission that can be used directly without approval. Ad hoc contracts are customised agreements that deviate from the standard clauses and require prior approval from the relevant supervisory authority as well as an opinion from the European Data Protection Board (EDPB).

    What are Binding Corporate Rules (BCRs)?

    Binding Corporate Rules (BCRs) are a transfer mechanism that allows corporate groups to establish a single, unified basis for all transfers between group companies in non-adequate third countries. BCRs must be approved by the relevant supervisory authority and the EDPB, and the rules must be embedded in the group's data protection policies.

    Can I transfer personal data to the US under the GDPR?

    The US has been granted adequacy status under the EU-US Data Privacy Framework. Organisations certified under this framework can receive personal data from the EU without additional transfer mechanisms. For non-certified US organisations, you must use a transfer mechanism such as SCCs and carry out a Transfer Impact Assessment.

    When can I rely on the Article 49 derogations?

    The Article 49 derogations may only be used in special situations and cannot be relied upon for established, recurring business processes. They cover explicit consent, contractual necessity, legal claims, vital interests and important reasons of public interest. They are intended as a last resort.

    What are supplementary measures for third country transfers?

    Supplementary measures are additional safeguards implemented when the transfer mechanism alone does not provide adequate protection. These can include technical measures such as encryption, organisational measures such as policies, and contractual measures. Technical measures are always required and cannot be replaced by organisational measures alone.

    How do I document my third country transfers?

    You must document all third country transfers in your Record of Processing Activities (RoPA). This includes the recipient country, the transfer mechanism, any supplementary measures and your Transfer Impact Assessment. A compliance platform like .legal can help you manage this documentation systematically.
