When you transfer personal data to countries outside the EU/EEA, you must comply with the GDPR rules on third country transfers. Get a full overview of adequate and non-adequate countries, transfer mechanisms and practical requirements.
In a globalised world, working with organisations in other countries is unavoidable, both within and outside the EU. But when that collaboration involves personal data, the GDPR imposes specific rules on transfers to countries outside the EU/EEA, known as third country transfers.
In this guide, we walk through what a third country transfer is, when the rules are triggered, and which transfer mechanisms you can use to ensure lawful handling of personal data across borders.
A third country, in the context of the GDPR, is any country that is not a member of the EU/EEA. If you wish to transfer personal data to such third countries, you must comply with the GDPR's provisions on third country transfers.
A transfer to a third country occurs, for example, when you use a data processor or sub-processor based outside the EU/EEA. Any physical storage, viewing or remote access to personal data from an area outside the EU/EEA triggers the rules on third country transfers.
The special requirements for third country transfers exist because the rights of EU citizens must not be undermined by a data controller "exporting" the processing of personal data to a third country. It should not be possible to simply outsource data processing and, in doing so, bypass the rules and leave data subjects worse off.

In many countries, citizens do not enjoy the same level of data protection as in the EU. Some countries also have intelligence laws that allow third-country authorities to access foreigners' data.
That is why Articles 44–50 of the GDPR set out the requirements for transferring personal data to third countries. The purpose is to ensure that the EU's data protection standards follow personal data throughout the entire processing lifecycle, even when processing takes place outside the EU.
All transfers of personal data to third countries must comply with the GDPR. Broadly speaking, there are two categories of third countries to consider: adequate and non-adequate countries.
The European Commission has determined that certain third countries offer an "adequate" level of data protection. This means personal data can be processed in these countries without diminishing EU citizens' rights. Consequently, no additional authorisation or approval under the GDPR is required to use, for instance, data processors in adequate third countries.
You can find an up-to-date list of adequate third countries on the European Commission's website.
All countries outside the EU/EEA that are not on the EU's list of adequate third countries are considered non-adequate. Transfers of personal data to these countries can only take place on the basis of a specific transfer mechanism under the GDPR.
If you wish to transfer personal data to a non-adequate third country, the transfer must be "subject to appropriate safeguards." This means it must comply with one of the transfer mechanisms set out in Article 46 of the GDPR.
When assessing which transfer mechanism is best suited for your organisation, you can take into account whether you are a private or public body, whether you are part of a corporate group, and when the transfer mechanism needs to be applied.
The most commonly used transfer mechanism for non-adequate third countries is the European Commission's Standard Contractual Clauses (SCCs). These are contract templates developed by the authorities that govern how personal data must be handled in connection with the transfer to the third country.

When you use SCCs as your transfer mechanism, you do not need prior approval from a supervisory authority. This does, however, require that you apply the SCCs correctly and that all parties are able to fulfil the requirements they set out.
When you are a data controller using SCCs for a transfer to a data processor, the clauses also serve as a data processing agreement, provided you use the relevant modules included in the SCCs.
If you need to transfer data to a non-adequate third country and require adjustments to the content of the SCCs, the result is an ad hoc contract. Ad hoc contracts must be approved by the relevant supervisory authority, which must also obtain an opinion from the European Data Protection Board (EDPB). This can take considerably more time compared with using SCCs.
For corporate groups that need to transfer personal data between group companies in non-adequate third countries, Binding Corporate Rules (BCRs) can be used as a transfer mechanism.
The advantage of BCRs is that a corporate group can establish a single, unified transfer mechanism covering all of the group's transfers to non-adequate third countries, rather than having to set up a separate mechanism for each individual transfer.
In practice, the group would need to embed these rules in its data protection policy across the organisation to ensure that processing aligns with the transfer mechanism. BCRs must be approved by the relevant supervisory authority and the EDPB, which can take some time.
Public authorities can transfer personal data to authorities in a third country if this is required by an international treaty or convention that is legally binding and enforceable in that country. Private organisations may also rely on these instruments if the agreement provides for it.
A public authority may also transfer personal data to a third-country authority if this is set out in an administrative arrangement. The arrangement must, however, still safeguard data subjects' rights and ensure they are enforceable.
Codes of conduct and certification mechanisms can also serve as transfer mechanisms for third country transfers, but in practice these are not currently in use and are therefore unlikely to be relevant. It would typically fall to industry associations or similar bodies to develop these for the benefit of their members within a given sector.
The Court of Justice of the EU (CJEU) has determined that a valid transfer mechanism alone is not sufficient for transfers to non-adequate third countries. Before any transfer takes place, you must ensure that appropriate safeguards are in place.
This means you must carry out a Transfer Impact Assessment (TIA) before transferring data to a third country. The TIA evaluates conditions in the recipient country to determine whether the transfer mechanism provides data subjects with adequate protection.
If the assessment reveals that protection is insufficient, you must implement supplementary measures to safeguard the data subjects' information.
When preparing your Transfer Impact Assessment, you can also draw on your risk assessment for the processing activity that underpins the transfer.
The EDPB's guidance provides further detail on the supplementary measures you can pair with your transfer mechanism. In this context, technical measures are always required, meaning organisational and contractual measures cannot stand alone.
In exceptional cases, you may transfer personal data to a non-adequate third country without one of the transfer mechanisms mentioned above, as set out in Article 49 of the GDPR. These derogations are only available in "special situations." If you require a transfer mechanism for an established, recurring business process, you should not rely on these derogations.

You may, as an exception, request the data subject's explicit consent to the transfer, provided you also specifically inform them of the risks involved in transferring their data to the non-adequate third country.
You may, as an exception, transfer a data subject's personal data if it is necessary for the performance or conclusion of a contract with them. You may also rely on this derogation if the transfer is necessary to carry out pre-contractual measures at the data subject's request.
As an exception, you may transfer personal data about a third party to a non-adequate third country if it is necessary for the conclusion or performance of a contract that is in the data subject's interest and has been entered into between you and another party.
As an exception, you may transfer personal data to a non-adequate third country if it is necessary for important reasons of public interest. These interests must, however, be recognised in national or EU legislation.
You may, as an exception, transfer personal data to a non-adequate third country if it is necessary for the establishment, exercise or defence of legal claims, for example in connection with litigation or a dispute. You must ensure that the transfer is genuinely necessary for the legal claim.
If a person's life or health is at risk and they are unable to give consent, you may, as an exception, transfer personal data to a non-adequate third country to protect their vital interests.
If personal data forms part of a publicly accessible register and a transfer to a non-adequate third country complies with the rules governing access to that register, you may carry out the transfer as an exception, but only on a case-by-case basis and not for the entire register or large volumes of data.
If none of the other derogations apply, you may, in very limited circumstances, transfer data to a non-adequate third country. This is only permitted on an occasional basis, for a limited number of data subjects, and where the transfer is necessary for a compelling legitimate interest. You must assess the risks, implement appropriate safeguards, and inform both the supervisory authority and the data subject.
Your assessment and the safeguards for this transfer must also be documented in your Record of Processing Activities (RoPA).
| Transfer mechanism | Who can use it? | Requires approval? |
|---|---|---|
| Adequate third countries | All organisations | No |
| Standard Contractual Clauses (SCCs) | All organisations | No (but correct use is required) |
| Ad hoc contracts | All organisations | Yes, by supervisory authority + EDPB |
| Binding Corporate Rules (BCRs) | Corporate groups | Yes, by supervisory authority + EDPB |
| Legally binding instruments | Primarily public authorities | No |
| Administrative arrangements | Public authorities | No (but rights must be safeguarded) |
| Consent (Art. 49) | All, special situations only | No |
| Contractual necessity (Art. 49) | All, special situations only | No |
To ensure your organisation complies with the rules on third country transfers, we recommend the following steps:
With a compliance platform like .legal, you can keep track of your third country transfers, transfer mechanisms and TIA assessments in a single system. You can also use vendor management to maintain an overview of which suppliers operate in third countries.
See how .legal can help your organisation with GDPR compliance, or book a demo to see the platform in action.
When transferring personal data to third countries, you must always have a lawful basis for the transfer, documented in your Record of Processing Activities. Adequate third countries require no additional measures, whilst non-adequate third countries require a specific transfer mechanism, typically SCCs, along with a Transfer Impact Assessment.
Keep in mind that the Article 49 derogations are only available for special situations and cannot be relied upon for recurring business processes. Make sure all transfers and their legal bases are documented in your Record of Processing Activities.
A third country transfer occurs when personal data is transferred to a country outside the EU/EEA. This includes physical storage, viewing or remote access to personal data from a third country, for example when using a data processor or sub-processor based outside the EU/EEA.
An adequate third country is a country outside the EU/EEA that the European Commission has determined provides a sufficient level of data protection. Transfers to adequate third countries do not require additional transfer mechanisms. The up-to-date list is maintained by the European Commission.
Standard Contractual Clauses (SCCs) are standardised contract templates issued by the European Commission for transferring personal data to non-adequate third countries. They are the most widely used transfer mechanism and do not require prior approval from a supervisory authority, provided they are applied correctly.
Yes, a Transfer Impact Assessment is still required when you rely on SCCs. The Court of Justice of the EU has established that a valid transfer mechanism such as SCCs is not sufficient on its own. You must carry out a Transfer Impact Assessment that evaluates conditions in the recipient third country before the transfer can proceed. If protection is found to be insufficient, supplementary measures must be implemented.
SCCs are standardised contracts from the European Commission that can be used directly without approval. Ad hoc contracts are customised agreements that deviate from the standard clauses and require prior approval from the relevant supervisory authority as well as an opinion from the European Data Protection Board (EDPB).
Binding Corporate Rules (BCRs) are a transfer mechanism that allows corporate groups to establish a single, unified basis for all transfers between group companies in non-adequate third countries. BCRs must be approved by the relevant supervisory authority and the EDPB, and the rules must be embedded in the group's data protection policies.
The US has been granted adequacy status under the EU-US Data Privacy Framework. Organisations certified under this framework can receive personal data from the EU without additional transfer mechanisms. For non-certified US organisations, you must use a transfer mechanism such as SCCs and carry out a Transfer Impact Assessment.
The Article 49 derogations may only be used in special situations and cannot be relied upon for established, recurring business processes. They cover explicit consent, contractual necessity, legal claims, vital interests and important reasons of public interest. They are intended as a last resort.
Supplementary measures are additional safeguards implemented when the transfer mechanism alone does not provide adequate protection. These can include technical measures such as encryption, organisational measures such as policies, and contractual measures. Technical measures are always required and cannot be replaced by organisational measures alone.
You must document all third country transfers in your Record of Processing Activities (RoPA). This includes the recipient country, the transfer mechanism, any supplementary measures and your Transfer Impact Assessment. A compliance platform like .legal can help you manage this documentation systematically.