
Third Country Transfer

The transfer of personal data to countries outside the EEA, which requires specific safeguards under Art. 44–49 GDPR.

A third country transfer occurs when personal data is transmitted to a country that is not part of the European Economic Area (EEA) — comprising the EU member states plus Iceland, Liechtenstein, and Norway. Since data protection standards outside the EEA are not uniform, the GDPR requires specific safeguards under Art. 44 et seq. to ensure that the level of protection guaranteed within the EU is not undermined. A transfer is only permissible if one of these safeguards is in place.

The main transfer mechanisms are: first, an adequacy decision by the European Commission (Art. 45 GDPR), recognising that a given third country offers an adequate level of protection — current decisions include the USA (EU-US Data Privacy Framework), the United Kingdom, Japan, and Switzerland; second, Standard Contractual Clauses (SCCs) issued by the European Commission and agreed between the data exporter and importer (Art. 46(2)(c) GDPR); and third, Binding Corporate Rules (BCRs) for intra-group transfers within multinational organisations.

For compliance officers, third country transfers are a day-to-day challenge, as many widely used cloud services — particularly those from the US — trigger such transfers. Whenever a new vendor is onboarded, you must assess which countries will receive data and which transfer mechanism applies. Since the CJEU's Schrems II ruling (2020), organisations relying on SCCs must also conduct Transfer Impact Assessments (TIAs) to concretely evaluate the level of protection in the recipient country.

Legal Basis

Art. 44–49 GDPR

Practical Example

Your organisation is introducing a US-based CRM system that processes customer data on servers located in the United States. As compliance officer, you first check whether the vendor is certified under the EU-US Data Privacy Framework (DPF) — which would allow the transfer on the basis of an adequacy decision. You confirm that the vendor is DPF-certified and document this as the transfer mechanism in the ROPA. You also flag that DPF certification must be renewed annually and should be contractually secured in the DPA. You set a reminder to verify the certification status the following year.

FAQ

A third country transfer occurs whenever personal data is transmitted to a country outside the European Economic Area (EEA). This includes indirect transfers — for example, when an EU-based cloud provider processes data on servers located in the US.
The main safeguards are: adequacy decisions by the European Commission for specific countries (e.g. USA, UK), Standard Contractual Clauses (SCCs), and Binding Corporate Rules (BCRs) for intra-group transfers. A Transfer Impact Assessment must be conducted for each transfer mechanism.
The EU-US Data Privacy Framework (DPF) is an adequacy decision adopted by the European Commission in 2023, permitting transfers of personal data to certified US organisations. US providers must voluntarily certify and renew their certification annually. The DPF is the successor to the invalidated Privacy Shield.
