GDPR International Data Transfers: Chapter V Rules (2026)

Every time a company routes EU personal data to a server outside the European Economic Area (to a US cloud provider, an Indian outsourcing firm, or a Canadian subsidiary), it triggers a binding legal obligation under GDPR Chapter V. Without a valid transfer mechanism, that movement of data is unlawful regardless of how securely the data is handled at the destination. If you are new to the GDPR framework, start with What Is GDPR? before continuing.
Why GDPR Restricts International Data Transfers
The GDPR's protection of personal data does not stop at the EEA border. Article 44 establishes what practitioners call the anti-loophole principle: "Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers." Without this rule, an organisation could escape GDPR obligations simply by routing data through a non-EU server.
Article 44's second paragraph reinforces the point: "All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined." Protection follows the data. The destination country's own privacy law is irrelevant; what matters is whether the specific mechanism used will maintain GDPR-equivalent protection for EU data subjects after the data leaves the EEA.
The Chapter V rules apply to every controller and every processor, regardless of organisation size or transfer volume. A startup sending customer records to a US payment processor is subject to the same requirements as a multinational routing HR data to Asian subsidiaries.
Tier 1: Transfers to Countries With an Adequacy Decision (Article 45)
Article 45(1) provides the simplest possible transfer mechanism: "A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation."
In practical terms, a transfer to an adequacy country requires no contract, no risk assessment, and no supervisory-authority involvement. It is treated the same as a transfer within the EU. As of 2026, approximately 17 jurisdictions hold adequacy status. The list includes Andorra, Argentina, Brazil (adequacy granted January 2026), Canada (commercial organisations), the Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, the Republic of Korea, Switzerland, the United Kingdom (adequacy renewed December 2025), the United States (commercial organisations under the EU-US Data Privacy Framework, 2023), Uruguay, and the European Patent Organisation (July 2025).
Adequacy decisions are not permanent. Article 45(3) requires the Commission to conduct a periodic review at least every four years and grants the Commission authority to repeal, amend, or suspend a decision if the destination country no longer meets the standard. The UK's adequacy decision, for example, required renewal in December 2025 following post-Brexit legislative changes.
For the complete list of adequate countries, current decision texts, and how the Commission evaluates adequacy, see our dedicated EU Adequacy Decisions page.
Tier 2: Appropriate Safeguards Under Article 46 (SCCs, BCRs, and More)
For the vast majority of destinations worldwide (including China, India, Russia, and uncertified US organisations), no adequacy decision exists. Article 46(1) provides the solution: "In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available."
Article 46(2) enumerates the safeguards that do not require prior supervisory-authority authorisation. The full list includes legally binding instruments between public authorities, Binding Corporate Rules approved under Article 47, standard data protection clauses adopted by the Commission, supervisory-authority-adopted standard clauses approved by the Commission, approved codes of conduct under Article 40, and approved certification mechanisms under Article 42. In practice, the two dominant tools are Standard Contractual Clauses and Binding Corporate Rules.
Standard Contractual Clauses. The Commission's modernised SCCs were adopted on 4 June 2021 in Commission Implementing Decision (EU) 2021/914, published in the Official Journal L 199/31 on 7 June 2021. The 2021 SCCs introduced four transfer modules covering every transfer scenario: Module 1 (controller to controller), Module 2 (controller to processor), Module 3 (processor to processor), and Module 4 (processor to controller). The previous SCCs under Decisions 2001/497/EC and 2010/87/EU were repealed with effect from 27 September 2021, with a transitional deadline of 27 December 2022 for contracts that remained unchanged. After that deadline, the 2021 SCCs became the only valid model. The 2021 SCCs also incorporate a Transfer Impact Assessment requirement directly into their text: Clause 14 requires parties to assess whether destination-country laws and practices will prevent compliance, documenting the specific circumstances of the transfer including transmission channels and the type of recipient.
Binding Corporate Rules. BCRs are legally binding internal data protection codes approved by a lead supervisory authority under Article 47. They are designed for intra-group transfers within a multinational corporate family and can replace SCCs for those transfers. The trade-off is a lengthy EDPB approval process. BCRs are not available for transfers to unrelated third-party processors.
For a full explanation of module selection, mandatory clauses, Clause 14 compliance, and the supplementary-measures framework, see our dedicated Standard Contractual Clauses page.
Schrems II: What Changed for Every International Transfer
The July 2020 CJEU ruling in Case C-311/18 (Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems) reshaped international data transfer compliance in two distinct ways.
First, the Court invalidated Commission Decision 2016/1250, which had established the EU-US Privacy Shield framework. The Court found that US surveillance law did not offer EU data subjects protection essentially equivalent to that guaranteed within the EU, and that data subjects lacked effective judicial redress against US intelligence agencies. Privacy Shield transfers to the United States became unlawful immediately on 16 July 2020.
Second, and more broadly, the Court upheld the validity of SCCs as a transfer mechanism but imposed an ongoing conditional obligation. Before relying on SCCs, the data exporter and importer must verify in practice that the destination country's law will not prevent the importer from honouring the SCC obligations. Where that verification fails, supervisory authorities must suspend or prohibit the transfer.
The EDPB operationalised this obligation in Recommendations 01/2020 v2.0, adopted 18 June 2021. The Recommendations set out a six-step roadmap for exporters: (1) map transfers and identify the tools used; (2) identify the transfer mechanism relied upon; (3) assess whether the mechanism is effective in practice; (4) adopt supplementary measures if needed; (5) take procedural steps required for the supplementary measures; (6) re-evaluate at appropriate intervals. The EDPB document specifies that technical, contractual, and organisational supplementary measures can collectively bridge gaps where no single measure alone is sufficient.
The practical consequence is that signing SCCs no longer completes the compliance analysis. A Transfer Impact Assessment documenting that assessment, the conclusion, and any supplementary measures adopted is now a required step before any SCC-based transfer proceeds.
The EU-US Data Privacy Framework: Current Status
The history of EU-US data transfers is a history of frameworks built on political negotiation and repeatedly tested by the courts. The original Safe Harbor arrangement was invalidated by the CJEU in Case C-362/14 (Schrems I, 6 October 2015). Its replacement, Privacy Shield, was invalidated in Case C-311/18 (Schrems II, 16 July 2020). Each collapse left thousands of US-EU business relationships in legal uncertainty until a replacement mechanism was agreed.
On 10 July 2023, the European Commission adopted Commission Implementing Decision (EU) 2023/1795, finding that the United States ensures an adequate level of protection under the EU-US Data Privacy Framework. The legal foundation for the adequacy finding is US Executive Order 14086 of 7 October 2022 ("Enhancing Safeguards for US Signals Intelligence Activities"), which the Commission found introduced binding, proportionate safeguards for US signals intelligence activities and established an independent Data Protection Review Court to adjudicate EU data-subject complaints against US intelligence agencies.
The DPF adequacy decision applies only to specific transfers. It covers personal data transferred to US organisations that have self-certified to the DPF Principles and that are subject to the jurisdiction of the Federal Trade Commission or the US Department of Transportation. Organisations that do not certify, or that fall outside FTC and DoT jurisdiction, cannot rely on the DPF adequacy decision and must use SCCs or another Article 46 mechanism instead. The DPF provides multiple redress avenues for EU data subjects: direct complaints to the certified organisation (with a 45-day response requirement), independent dispute resolution bodies, national data protection authorities, US enforcement authorities, binding arbitration through the EU-US DPF Panel, and US judicial remedies.
The DPF's legal durability remains uncertain. The framework has already been challenged before the European Parliament, and civil-liberties organisations have signalled intent to test it before the CJEU. Organisations relying on the DPF should monitor developments and maintain SCC fallback arrangements as a contingency.
For the complete DPF self-certification process, covered data categories, and current list of certified US organisations, see our dedicated EU-US Data Privacy Framework page.
Tier 3: Derogations Under Article 49 (Use Sparingly)
Article 49(1) provides a third and final tier of transfer bases for situations where neither an adequacy decision nor Article 46 safeguards are available or feasible. The seven derogations are: (a) explicit data-subject consent after being informed of the risks of the proposed transfer; (b) necessity for the performance of a contract between the data subject and the controller; (c) necessity for a contract concluded in the data subject's interest; (d) reasons of important public interest; (e) the establishment, exercise, or defence of legal claims; (f) protection of vital interests where the data subject is physically or legally incapable of consenting; and (g) transfer from a public register.
Several critical limitations apply. Explicit consent under Article 49(1)(a) must be specific to the international transfer and its risks. It cannot be buried in general terms of service or a blanket privacy notice. Contract necessity under Article 49(1)(b) and (c) is interpreted narrowly: the transfer must be objectively necessary for the specific contract, not merely convenient or efficient. Regulators have repeatedly rejected attempts to characterise routine business transfers as "necessary" for a contract.
Most importantly, Article 49 derogations are a last resort, not an alternative compliance route. Supervisory authorities across the EU consistently interpret Article 49 as applying to occasional, non-repetitive, and exceptional transfers only. An organisation transferring employee HR data to a US parent company on an ongoing basis cannot rely on employee consent as a transfer basis. The scale and repetition of the processing mean Article 46 safeguards are required.
Penalties for Unlawful International Transfers
Routing EU personal data abroad without a valid Chapter V basis is treated as a top-tier GDPR violation. Article 83(5) expressly lists breaches of Chapter V among the infringements subject to the maximum administrative fine: up to EUR 20,000,000 or 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher. This places transfer violations in the same penalty bracket as violations of the fundamental processing principles in Articles 5 and 6 and breaches of consent requirements under Article 7.
Fines are not the only regulatory tool. Supervisory authorities have authority under Article 58(2) to impose temporary or permanent bans on processing, including transfers. A transfer ban can halt business operations more effectively than any financial penalty, particularly for organisations that depend on cloud infrastructure or offshore processing capacity.
The combination of maximum fines plus transfer-ban authority means that incomplete Transfer Impact Assessments, expired SCCs, or transfers to uncertified US organisations outside the DPF carry genuine operational risk, not just legal risk. Building a documented transfer mapping exercise into annual compliance reviews is the standard approach recommended by supervisory authorities.
How to Choose the Right Transfer Mechanism
The decision tree is straightforward when applied sequentially. First, identify the destination country and check whether the European Commission has issued an adequacy decision. If yes, no further mechanism is required and the transfer proceeds as if it were intra-EU. The EU Adequacy Decisions page provides the current list.
If no adequacy decision covers your destination, move to Article 46. For transfers to unrelated third parties, the 2021 SCCs are the standard tool. For intra-group transfers within a multinational, BCRs are the preferable long-term solution, though SCCs can bridge the gap while BCRs are approved. Before executing either mechanism, complete a Transfer Impact Assessment under EDPB Recommendations 01/2020. The Standard Contractual Clauses page walks through module selection and Clause 14 compliance in detail.
For transfers to the United States, check whether the US recipient is certified under the EU-US Data Privacy Framework. If yes, the DPF adequacy decision applies and no SCCs are needed. If not, Module 2 SCCs (controller to processor) cover the typical cloud-provider scenario, combined with a TIA focused on US surveillance law. The EU-US Data Privacy Framework page explains the certification process and currently certified organisations.
Article 49 derogations should be considered only after confirming that Tier 1 and Tier 2 options are genuinely unavailable, and even then only for transfers that are occasional, non-repetitive, and individually justified.
The EU Data Privacy Laws hub provides context on the broader GDPR framework, including the roles of the EDPB and national supervisory authorities that enforce these rules.
Sources
- GDPR Regulation (EU) 2016/679, Articles 44-46, 49, and 83. European Parliament and Council, Official Journal L 119, 4 May 2016.
- Commission Implementing Decision (EU) 2021/914, Standard Contractual Clauses. European Commission, Official Journal L 199/31, 7 June 2021.
- Commission Implementing Decision (EU) 2023/1795, EU-US Data Privacy Framework. European Commission, Official Journal L 231, 20 September 2023.
- CJEU Case C-311/18, Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (Schrems II). Court of Justice of the EU, judgment 16 July 2020, ECLI:EU:C:2020:559.
- EDPB Recommendations 01/2020 v2.0 on Measures to Supplement Transfer Tools. European Data Protection Board, adopted 18 June 2021.
- European Commission Adequacy Decisions. European Commission, current list of adequate countries.
- European Commission, EU-US Data Transfers History. European Commission, Safe Harbor to DPF timeline.
Sources and References
- GDPR Regulation (EU) 2016/679, Article 44: general principle for international transfers (eur-lex.europa.eu)
- GDPR Regulation (EU) 2016/679, Article 44, second paragraph: level of protection must not be undermined (eur-lex.europa.eu)
- GDPR Regulation (EU) 2016/679, Article 45(1): transfers under adequacy decisions require no further authorisation (eur-lex.europa.eu)
- European Commission, Adequacy Decisions page: current list of 17 adequate jurisdictions as of 2026 (commission.europa.eu)
- GDPR Regulation (EU) 2016/679, Article 45(3) and (5): periodic review at least every four years; Commission may repeal (eur-lex.europa.eu)
- GDPR Regulation (EU) 2016/679, Article 46(1): appropriate safeguards required absent an adequacy decision (eur-lex.europa.eu)
- GDPR Regulation (EU) 2016/679, Article 46(2): list of safeguards not requiring prior supervisory-authority authorisation (eur-lex.europa.eu)
- Commission Implementing Decision (EU) 2021/914 of 4 June 2021, OJ L 199/31: modernised SCCs with four transfer modules (eur-lex.europa.eu)
- Commission Implementing Decision (EU) 2021/914: supersession of prior SCCs; mandatory from 27 December 2022 (eur-lex.europa.eu)
- Commission Implementing Decision (EU) 2021/914, Clause 14: Transfer Impact Assessment requirement codified in the SCC text (eur-lex.europa.eu)
- CJEU Case C-311/18, Schrems II, judgment 16 July 2020: Privacy Shield invalidated; US surveillance law inadequate (curia.europa.eu)
- CJEU Case C-311/18: SCCs upheld as valid but conditional on Transfer Impact Assessment and supplementary measures (curia.europa.eu)
- EDPB Recommendations 01/2020 v2.0, adopted 18 June 2021: six-step TIA roadmap for SCC and BCR transfers (edpb.europa.eu)
- Commission Implementing Decision (EU) 2023/1795 of 10 July 2023: EU-US DPF adequacy decision; founded on EO 14086 and Data Protection Review Court (eur-lex.europa.eu)
- Commission Implementing Decision (EU) 2023/1795: DPF covers FTC/DoT-jurisdiction certified organisations only; redress avenues listed (eur-lex.europa.eu)
- GDPR Regulation (EU) 2016/679, Article 49(1): seven derogations for specific situations; last-resort transfer bases (eur-lex.europa.eu)
- GDPR Regulation (EU) 2016/679, Article 83(5): Chapter V violations subject to maximum EUR 20 million / 4% global turnover fines (eur-lex.europa.eu)
- European Commission, EU-US Data Transfers page: Safe Harbor (2000-2015), Privacy Shield (2016-2020), DPF (2023-present) history (commission.europa.eu)