Third-Country Transfers
A third-country transfer occurs when personal data is sent from the EU/EEA to a country outside this area. GDPR Chapter V requires a valid transfer mechanism that ensures data is protected at a level essentially equivalent to that in the EU.
What is a third-country transfer?
A third country is any country outside the EU and EEA. When you send personal data to a third country, or give a supplier in a third country access to data, you are carrying out a transfer within the meaning of the GDPR.
Transfers happen more often than many organisations realise. If you use an American cloud service, send newsletters via a global platform, or have support in India, you are likely transferring personal data to third countries.
GDPR Chapter V (Articles 44-49) governs these transfers. The purpose is to ensure that the high level of protection in the EU is not undermined by transferring data to countries with weaker data protection.
Transfer mechanisms
You have several options for lawfully transferring data:
- Adequacy decision (Article 45): The European Commission has determined that the receiving country provides an adequate level of protection. Data can flow freely. Examples: Japan, South Korea, the United Kingdom, the United States (via the EU-US Data Privacy Framework).
- Standard contractual clauses (Article 46(2)(c)): Contractual clauses adopted by the European Commission. The most widely used mechanism.
- Binding corporate rules (Article 47): Internal rules for corporate groups, approved by supervisory authorities.
- Derogations (Article 49): In specific situations, e.g. explicit consent or performance of a contract. Only for occasional transfers.
In addition to the transfer mechanism itself, you must still have a valid legal basis under Article 6. The two requirements apply in parallel.
Standard contractual clauses
Standard contractual clauses (SCCs) are the most widely used transfer mechanism. The European Commission adopted new SCCs in June 2021 covering four scenarios:
- Controller to controller (C2C)
- Controller to processor (C2P)
- Processor to processor (P2P)
- Processor to controller (P2C)
When using SCCs, you must carry out a Transfer Impact Assessment (TIA): an assessment of whether the legislation in the receiving country in practice respects the safeguards provided by the SCCs. If the TIA shows that the receiving country's legislation undermines the protection, you must implement supplementary measures (e.g. encryption) or cease the transfer.
Transfers in practice
For most Danish organisations, third-country transfers primarily involve American cloud services and SaaS solutions. Here is how to handle them:
- Map all suppliers and sub-processors that have access to data from third countries
- Identify the transfer mechanism for each supplier
- Carry out a TIA for transfers based on SCCs
- Ensure that transfers are recorded in your record of processing activities
- Inform data subjects via your privacy policy (duty to inform)
- Ensure your data processing agreements address transfers
Failure to have a valid transfer mechanism can result in orders to cease the transfer and significant fines.
Frequently Asked Questions about Third-Country Transfers
What is a third-country transfer?
A third-country transfer occurs when personal data is sent from the EU/EEA to a country outside this area. GDPR Chapter V requires a valid mechanism for the transfer, such as an adequacy decision, standard contractual clauses or binding corporate rules.
What is an adequacy decision?
An adequacy decision is the European Commission's assessment that a third country provides a level of protection essentially equivalent to that of the EU. Data can be transferred to these countries without further safeguards. Examples include Japan, South Korea, the United Kingdom and the United States (via the EU-US Data Privacy Framework).
When should you use standard contractual clauses?
Standard contractual clauses (SCCs) are used when you transfer data to a third country that does not have an adequacy decision. They are contractual clauses adopted by the European Commission that ensure appropriate safeguards for the protection of personal data.
What is a Transfer Impact Assessment?
A Transfer Impact Assessment (TIA) is an assessment of whether the legislation in the receiving country in practice respects the safeguards provided by the transfer mechanism. You must carry out a TIA before transferring data based on standard contractual clauses or other safeguards.
Related Terms
Standard Contractual Clauses (SCCs)
Standard Contractual Clauses (SCCs) are EU-approved contract clauses for transferring personal data to third countries.
GDPR
The EU's General Data Protection Regulation (Regulation 2016/679), governing the processing of personal data and establishing rights for data subjects.
Data Processor
A data processor is an external party that processes personal data on behalf of the data controller, as defined in GDPR Article 4(8).
.legal is not a law firm and is therefore not under the supervision of the Bar Council.