Under GDPR Chapter V (Articles 44–50), personal data may leave the EEA only through one of three routes, in priority order: an adequacy decision (Art. 45, such as the EU-US Data Privacy Framework), appropriate safeguards (Art. 46 — chiefly the 2021 Standard Contractual Clauses or Binding Corporate Rules), or narrow Article 49 derogations used as a last resort. The legal duty sits with the EU/UK exporter, not the US importer.
Key takeaways
- GDPR Chapter V ranks the mechanisms. Check adequacy (Art. 45) first, then Art. 46 safeguards (SCCs/BCRs/IDTA), then Art. 49 derogations — which per EDPB Guidelines 2/2018 cannot support routine, large-scale flows.
- SCCs alone are not enough for the US. After Schrems II (CJEU C-311/18), the exporter must run a Transfer Impact Assessment and add supplementary measures — where a SOC 2 Type II report can serve as documented technical/organizational evidence.
- The EU-US DPF removes the SCC/TIA burden — but it is contested. It was upheld in Latombe on 3 September 2025, yet an appeal is now pending before the CJEU (C-703/25 P) and its US foundations are under strain in 2026. Keep SCCs as a live fallback.
- The UK and Switzerland are separate regimes. A US importer's EU DPF certification does not cover UK or Swiss data unless it also joins the UK Extension (Data Bridge, 12 Oct 2023) and the Swiss-US DPF (operative 15 Sep 2024).
What counts as a “restricted transfer” under GDPR Chapter V
Article 44 GDPR sets the general principle: any transfer of personal data to a third country (outside the EEA) or an international organization is prohibited unless the conditions of Chapter V are met. In practice, a restricted transfer occurs whenever an EEA-based controller or processor (the “exporter”) sends, or makes accessible, personal data to an organization in a third country (the “importer”). Remote access from a third country counts — so does storing data on a US-headquartered cloud provider, even if the servers sit in Frankfurt.
This is why virtually every US SaaS and healthtech vendor is caught. When an EU customer uploads employee, patient, or end-user data into your platform, and your engineers, support staff, or subprocessors in the US can access it, a restricted transfer has taken place. The obligation to justify that transfer under Chapter V rests with the EU/UK exporter — your customer — but they will push the compliance burden onto you through the procurement process, security questionnaires, and their data processing agreement.
That distinction matters for how a US firm adds value. You cannot “be compliant” with Chapter V on the exporter's behalf; instead, you help the exporter satisfy its duty by producing the evidence and contractual instruments it needs — a signed Article 28 data processing agreement, the correct SCC module, and independent assurance such as a SOC 2 Type II report to support the exporter's risk assessment. For the broader picture of how US vendors operationalize this, see our guide to GDPR for US SaaS companies.
The five transfer mechanisms, in the order you must consider them
Chapter V is a decision cascade, not a menu of equals. You work down it: only if no adequacy decision applies do you reach for Article 46 safeguards, and only if no safeguard is workable do you consider Article 49 derogations. The table below is the map.
| Mechanism | GDPR Article | When to use it | TIA required? | Regulator approval? | Typical effort |
|---|---|---|---|---|---|
| Adequacy decision | Art. 45 | Importer country (or framework) is on the EU adequacy list | No | No | Low — verify status |
| EU-US DPF self-certification | Art. 45 | US importer is actively self-certified for the relevant data categories | No | No | Low — verify listing |
| Standard Contractual Clauses | Art. 46 | No adequacy route; default for most US transfers | Yes | No | Medium — contract + TIA |
| Binding Corporate Rules | Art. 47 | Intra-group transfers in a large multinational | Yes | Yes — lead DPA approval | High — impractical for startups |
| Codes of conduct / certification | Art. 46 | An approved code or certification scheme exists | Yes | Scheme-dependent | Medium — few schemes exist |
| Article 49 derogations | Art. 49 | Occasional, non-routine transfers only; last resort | N/A | No | Low but high legal risk |
Adequacy decisions (Art. 45)
An adequacy decision is a European Commission finding that a third country ensures an essentially equivalent level of protection. Where one exists, transfers flow freely with no further safeguard. Countries on the list include the UK, Switzerland, Japan, and others. The United States is not adequate as a country — it appears on the list only through the EU-US Data Privacy Framework, and only for organizations that have self-certified under it. That partial, entity-by-entity adequacy is the single most misunderstood point on this topic.
Appropriate safeguards (Art. 46)
Where no adequacy route applies, the exporter turns to Article 46 safeguards. The workhorse is the 2021 Standard Contractual Clauses; alternatives include Binding Corporate Rules (Art. 47), the UK IDTA/Addendum for UK data, and approved codes of conduct or certification mechanisms. Every Article 46 route triggers a Transfer Impact Assessment. Note that BCRs (Art. 47) require approval by a lead supervisory authority and take many months to secure — they are realistic only for large multinationals moving data intra-group, not for a startup contracting with a US vendor.
Derogations (Art. 49)
Article 49 offers a closed list of derogations — explicit consent, necessity for a contract, important reasons of public interest, and a few others. These are a genuine last resort. Per EDPB Guidelines 2/2018, derogations must be interpreted restrictively and most cannot be used for transfers that are repetitive, large-scale, or structural. Routing your ongoing product data flows through “consent” or “contractual necessity” is one of the most common — and most easily challenged — mistakes in this area.
The 2021 EU Standard Contractual Clauses
The modernized SCCs were adopted by the European Commission on 4 June 2021 under Commission Implementing Decision (EU) 2021/914 and entered into force on 27 June 2021. They replaced the old 2001/2010 clauses, which were repealed on 27 September 2021. Contracts concluded on the old SCCs before that date remained valid only until 27 December 2022; after that deadline they can no longer lawfully support a transfer. Importantly, that sunset applied to the legacy clauses only — the 2021 SCCs themselves carry no expiry date and remain the current standard.
The 2021 SCCs are modular: parties select the module matching their respective roles and complete the shared clauses plus the module-specific ones. The Clause 7 “docking clause” then lets additional parties join an existing set of clauses later — useful as your subprocessor chain grows.
| Module | Exporter role | Importer role | Common example | Docking clause? |
|---|---|---|---|---|
| Module 1 (C2C) | Controller | Controller | EU controller shares data with a US controller partner | Yes (Clause 7) |
| Module 2 (C2P) | Controller | Processor | EU customer sends data to a US SaaS vendor | Yes (Clause 7) |
| Module 3 (P2P) | Processor | Processor | US SaaS vendor passes data to a US sub-processor | Yes (Clause 7) |
| Module 4 (P2C) | Processor | Controller | EU processor returns data to a US controller client | Yes (Clause 7) |
Completing the annexes — where most SCCs go wrong
Signing the SCCs is not enough; the annexes carry the substance. Annex I.A names the parties, Annex I.B describes the transfer (data categories, data subjects, purposes, retention), and Annex I.C identifies the competent supervisory authority. Annex II sets out the technical and organizational measures — this is where you attach concrete controls, and where a SOC 2 or ISO 27001 report becomes powerful evidence. Annex III lists the authorized sub-processors. The Clause 14 local-law warranty then requires the parties to assess and document that the importer's local laws do not prevent compliance — the contractual hook for the Transfer Impact Assessment below.
Onward transfers and the sub-processor chain
The hardest real-world SCC problem for SaaS is the onward transfer. When your US platform relies on AWS, an LLM API, or a support tool, those sub-processors receive the same EU data — and Module 3 plus the Clause 9 sub-processor-authorization mechanics require that each link in the chain be covered by its own SCCs (or another Chapter V route). Map your entire sub-processor chain before you promise a customer that transfers are covered; a single uncovered downstream vendor breaks the chain.
Schrems II and the Transfer Impact Assessment
In Schrems II (CJEU Case C-311/18, judgment of 16 July 2020) the Court of Justice invalidated the EU-US Privacy Shield and held that an exporter relying on SCCs must assess the law and practice of the destination country and, where the SCCs alone do not ensure an essentially equivalent level of protection, adopt supplementary measures. That obligation is operationalized through the Transfer Impact Assessment (TIA) — also called a Transfer Risk Assessment (TRA) in the UK.
The EDPB adopted its final Recommendations 01/2020 on 18 June 2021, setting out a six-step methodology. A TIA is a distinct exercise from a DPIA (Article 35): a DPIA assesses risk to data subjects from a processing activity; a TIA assesses whether a specific transfer's safeguards hold up against the destination country's surveillance laws.
| Step | What to do | Evidence / artifact to keep |
|---|---|---|
| 1. Know your transfers | Map every transfer, data category, and importer/sub-processor | Data map / RoPA (Art. 30) transfer register |
| 2. Identify the tool | Confirm the Article 46 instrument relied on (e.g. SCC module) | Executed SCCs with completed annexes |
| 3. Assess effectiveness | Evaluate destination-country law and practice (e.g. FISA 702, EO 12333) | Country-law analysis; importer's transparency report |
| 4. Adopt supplementary measures | Add technical, contractual, and organizational measures where needed | Encryption design; SOC 2 / ISO 27001 report |
| 5. Take procedural steps | Formalize measures, amend contracts, consult DPA if required | Signed amendments; internal approval record |
| 6. Re-evaluate at intervals | Monitor for legal change and re-run periodically | Dated review log; re-assessment schedule |
The supplementary measures menu
Supplementary measures fall into three families. Technical measures are the strongest because they can neutralize government access regardless of contract; contractual and organizational measures reinforce them but cannot cure a legal gap on their own.
| Type | Example measure | Effective against | Auditor evidence |
|---|---|---|---|
| Technical | Strong encryption in transit and at rest, pseudonymization, split or multi-party processing, importer-inaccessible keys | Government access to intelligible data | SOC 2 Type II / ISO 27001 controls, key-management config |
| Contractual | Transparency obligations, warranty to challenge unlawful government access, audit rights, notification duties | Undisclosed or unlawful access requests | Executed SCC annexes, side-letter commitments |
| Organizational | Access-minimization policy, government-request handling procedure, periodic transparency reporting | Over-broad internal and external access | Policy documents, access reviews, transparency report |
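The keyed-pseudonymization measure in the table above, as an added example (this is not code from the page or from Auditsuisse): the EEA exporter generates and keeps the HMAC key and the re-identification table, so the US importer, and anyone who can compel access at the importer, holds only tags it can neither recompute from a guessed identifier nor reverse. The `Pseudonymizer` class, the `DIRECT_IDENTIFIERS` field list and the sample record are all constructed assumptions for the illustration.

```python
"""Keyed pseudonymization with the key held by the exporter (added example)."""
import hashlib
import hmac
import secrets


class Pseudonymizer:
    """Lives on the EEA exporter's side. The importer only ever receives the tags;
    without `key` it can neither recompute a tag from a candidate identifier nor
    reverse one, and the re-identification table never leaves the exporter."""

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("use at least 256 bits of key material")
        self._key = key
        self._lookup = {}          # tag -> original identifier, exporter-only

    def pseudonymize(self, identifier: str) -> str:
        # HMAC-SHA256, not a bare hash: a bare hash of an e-mail address can be
        # recomputed by anyone holding a list of candidate addresses.
        tag = hmac.new(self._key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()
        self._lookup[tag] = identifier
        return tag

    def reidentify(self, tag: str) -> str:
        return self._lookup[tag]


# Assumption: which record fields count as direct identifiers for this flow.
DIRECT_IDENTIFIERS = ("email", "employee_id")


def export_record(p: Pseudonymizer, record: dict) -> dict:
    """What crosses to the US importer: direct identifiers replaced by keyed tags."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = p.pseudonymize(out[field])
    return out


def reverse_record(p: Pseudonymizer, record: dict) -> dict:
    """Exporter-side re-identification, e.g. when the importer returns results."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = p.reidentify(out[field])
    return out


if __name__ == "__main__":
    exporter = Pseudonymizer(secrets.token_bytes(32))   # key generated and kept in the EEA
    # Constructed sample record; not real personal data.
    sample = {"email": "a.person@example.eu", "employee_id": "E-1001", "role": "engineer"}
    shipped = export_record(exporter, sample)
    print(shipped)
    print(reverse_record(exporter, shipped) == sample)
```

The design point is the location of the key, not the algorithm: the same tag scheme run with a key the importer also holds would be reversible by the importer and would not count as an importer-inaccessible-key measure, which is what the TIA has to document.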
How a SOC 2 Type II or ISO 27001 report supports the TIA
This is where a US importer's assurance program becomes directly useful to its EU customers. When the exporter documents the technical and organizational supplementary measures at Step 4, it can point to your independent SOC 2 Type II report or ISO 27001 certificate as auditor-tested evidence that encryption, access control, and change management actually operate. For non-US importers, ISAE 3000 assurance can address privacy and data-protection subject matter directly. Teams already maintaining multiple frameworks can map SOC 2 and GDPR controls once and reuse the evidence across TIAs.
The EU-US Data Privacy Framework
The European Commission adopted the EU-US Data Privacy Framework (DPF) adequacy decision on 10 July 2023. Where a US importer is self-certified under the DPF for the relevant data categories, the EEA exporter's transfer relies on that adequacy decision and needs no SCCs, BCRs, or TIA. The framework rests on US Executive Order 14086 (“Enhancing Safeguards for United States Signals Intelligence Activities”) and a new two-layer redress mechanism culminating in the Data Protection Review Court (DPRC).
US organizations self-certify with the U.S. Department of Commerce at dataprivacyframework.gov, publicly committing to the DPF Principles. Crucially, certification is not a set-and-forget badge. Before an EU exporter relies on it, it should verify on the official list that the importer's status is “active” (not “inactive” or withdrawn) and that the certification covers the right data categories — note the distinction between HR data and non-HR data, which are certified separately. A vendor certified only for non-HR data cannot receive EU employee data under the DPF.
DPF vs SCCs+TIA — which to rely on
For an EEA exporter sending data to a US importer, the choice is straightforward on paper but shaped by risk appetite in practice.
| Question | If YES | If NO |
|---|---|---|
| Is the US importer DPF-certified “active” for the relevant categories (HR vs non-HR)? | Rely on adequacy; no SCCs/TIA legally required | Use 2021 SCCs + TIA |
| Do you also transfer UK data? | Importer must also join the UK Extension (Data Bridge) | DPF/UK issue does not arise |
| Do you also transfer Swiss data? | Importer must also join the Swiss-US DPF | Swiss issue does not arise |
| Do you want a fallback if the DPF is invalidated? | Sign SCCs alongside DPF reliance and keep a TIA on file | Rely on DPF alone (higher exposure) |
Regulatory status of the DPF as of July 2026
The EU-US DPF adequacy decision remains legally in force in July 2026 and can be relied on. But its stability is genuinely contested: the EU General Court's Latombe ruling is under appeal, and several of the US mechanisms the decision depends on are under strain. Treat the DPF as usable with a documented SCC fallback, not as a settled foundation.
The relevant developments, each grounded in primary or authoritative reporting:
- Latombe on appeal. On 3 September 2025 the EU General Court dismissed the Latombe v Commission action and confirmed the DPF's adequacy. That is not the end: an appeal to the Court of Justice has been filed and is pending as Case C-703/25 P (lodged 31 October 2025). Describing the position as merely “an appeal is possible” is out of date.
- PCLOB quorum loss. Removals at the US Privacy and Civil Liberties Oversight Board in January 2025 left the board without a quorum, disrupting the independent oversight and the mandatory annual review of EO 14086 safeguards that the Commission's adequacy finding relies on.
- FTC independence. The US Supreme Court's June 2026 decision in Trump v. Slaughter bears on the independence of the Federal Trade Commission, which the DPF leans on as its EU-facing enforcement authority.
- Withdrawal pressure. The advocacy group noyb has formally demanded that the Commission withdraw the DPF and has signalled a potential “Schrems III” challenge, while some EU data-protection authorities have advised organizations to prepare transfer “exit strategies.”
None of this makes the DPF unlawful today — but it is exactly why the “keep SCCs as a fallback” advice is not boilerplate. An exporter that signs SCCs and files a TIA alongside its DPF reliance can switch instruments overnight if the framework falls, avoiding a repeat of the Privacy Shield scramble in 2020.
UK transfers — UK GDPR, the IDTA, and the Data Bridge
After Brexit the UK retained its own UK GDPR alongside the Data Protection Act 2018. Its Chapter V equivalent offers the same cascade, but with UK-specific Article 46 tools. The UK International Data Transfer Agreement (IDTA) and the UK Addendum to the EU SCCs both came into force on 21 March 2022. The IDTA is a standalone UK contract; the Addendum bolts onto executed EU 2021 SCCs so a single contract can cover both EEA and UK data — the practical choice for most transatlantic SaaS deals.
A critical trap: unlike the EU SCCs, the IDTA is not an Article 28 processing agreement. It governs the transfer, not the controller-processor relationship, so it must be paired with a separate Article 28 data processing agreement — referenced in the IDTA as a “Linked Agreement.” The UK's ICO also publishes a Transfer Risk Assessment (TRA) tool as the UK's equivalent of the EDPB six-step method.
| Dimension | UK IDTA | UK Addendum to EU SCCs |
|---|---|---|
| Format | Standalone UK contract | Add-on to executed EU 2021 SCCs |
| Best when | You transfer UK data only | You also transfer EEA data (one contract covers both) |
| Is it an Art. 28 DPA? | No | No (the underlying SCCs are not either) |
| Needs a Linked Agreement / DPA? | Yes — a separate DPA | Yes — a separate DPA |
| Issued by | ICO | ICO (references EU Decision 2021/914) |
| In force | 21 March 2022 | 21 March 2022 |
For adequacy, the UK operates its own version of the DPF: the UK-US Data Bridge (the UK Extension to the DPF) came into force on 12 October 2023 via the Data Protection (Adequacy) (United States of America) Regulations 2023. It lets UK organizations transfer to US importers participating in the UK Extension without additional safeguards — but a US importer must specifically join the UK Extension; EU DPF certification alone does not cover UK data.
Switzerland — the revFADP and the Swiss-US DPF
Switzerland sits outside the EEA and runs its own regime under the revised Federal Act on Data Protection (revFADP), in force since 1 September 2023, supervised by the Federal Data Protection and Information Commissioner (FDPIC). Its transfer rules closely track GDPR Chapter V — adequacy, contractual safeguards (the Swiss FDPIC recognizes the EU SCCs with Swiss-specific adaptations), and derogations — but they are legally distinct.
For US transfers, Switzerland has the Swiss-US Data Privacy Framework. US organizations may receive personal data from Switzerland in reliance on the Swiss-US DPF from its operative date of 15 September 2024, when the Swiss Federal Council's adequacy recognition took effect (distinct from the 17 July 2023 effective date of the DPF Principles themselves). As with the UK, a US importer must certify separately for the Swiss-US DPF — the EU, UK, and Swiss programs are three distinct certifications on dataprivacyframework.gov. As a US and Swiss-licensed CPA firm, Auditsuisse is positioned precisely at this intersection: helping US importers produce the assurance evidence Swiss and EU exporters need.
Putting it together: a transfer-governance workflow
A US-first company selling into the EU and UK should build one governance workflow that spans all three regimes rather than three parallel efforts. The regime toolkit below shows what changes by jurisdiction.
| Regime | Governing law | Contractual tool | US adequacy route | Assessment name & tool | In-force date |
|---|---|---|---|---|---|
| EU / EEA | GDPR Chapter V | 2021 EU SCCs (Decision 2021/914) | EU-US DPF | TIA (EDPB Rec. 01/2020) | SCCs: 27 Jun 2021 |
| UK | UK GDPR + DPA 2018 | UK IDTA or UK Addendum | UK-US Data Bridge | TRA (ICO tool) | IDTA/Addendum: 21 Mar 2022 |
| Switzerland | revFADP | EU SCCs with Swiss adaptations | Swiss-US DPF | Transfer assessment (FDPIC guidance) | Swiss-US DPF: 15 Sep 2024 |
Data mapping, RoPA (Art. 30), and a transfer register
Everything above depends on knowing your transfers — TIA Step 1. Build a transfer register on top of your Article 30 Record of Processing Activities (RoPA): for each flow, record the data categories, the exporter and importer roles, the destination country, the Chapter V mechanism relied on, the sub-processor chain, and the date of the last TIA. Also weigh no-transfer alternatives that enterprise buyers increasingly demand: EU data residency, regional-only processing, or EU-only enclaves that keep data inside the EEA and remove the Chapter V question entirely. Our EU and EMEA data protection support covers these architectural options in more depth.
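An added example, not code from the page or from Auditsuisse, that turns the transfer register described above into something a compliance or security team can run: each register entry is walked through the Chapter V cascade from the mechanisms table (Art. 45 adequacy including entity-level DPF adequacy, then Art. 46 SCCs with a TIA, then Art. 49 only for non-routine flows), the DPF checks from the "DPF vs SCCs+TIA" table are applied (active status, HR versus non-HR category, UK Extension and Swiss-US DPF for UK and Swiss data), and every sub-processor hop is evaluated so that one uncovered downstream link fails the whole transfer. The adequacy-list excerpt, the one-year TIA review interval, the party names and the DPF listings are all constructed assumptions, not real listings.

```python
"""Transfer-register evaluator for the Chapter V cascade (added example)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed excerpt of adequacy lists keyed by exporter regime. The page names
# the UK, Switzerland and Japan for the EU list; the other entries are placeholders.
ADEQUATE = {"EU": {"GB", "CH", "JP"}, "UK": {"CH", "JP"}, "CH": {"GB", "JP"}}
TIA_MAX_AGE = timedelta(days=365)   # assumption: annual re-evaluation (TIA step 6)


@dataclass
class DpfListing:
    """What the exporter checks on the official DPF list before relying on it."""
    status: str            # "active", "inactive" or "withdrawn"
    hr: bool               # certified for HR data
    non_hr: bool           # certified for non-HR data
    uk_extension: bool     # joined the UK Extension (Data Bridge)
    swiss_dpf: bool        # joined the Swiss-US DPF


@dataclass
class Party:
    name: str
    country: str           # ISO country code; "US" for US importers
    dpf: Optional[DpfListing] = None


@dataclass
class Link:
    """One hop: the direct importer (Module 2) or an onward sub-processor (Module 3)."""
    importer: Party
    sccs_signed: bool = False
    tia_date: Optional[date] = None


@dataclass
class Transfer:
    regime: str            # exporter's regime: "EU", "UK" or "CH"
    hr_data: bool
    routine: bool          # structural, ongoing flow (True) or occasional (False)
    chain: list            # list of Link; first element is the direct importer


def dpf_covers(listing: Optional[DpfListing], regime: str, hr_data: bool) -> bool:
    """Entity-level adequacy holds only if status, data category and regime all match."""
    if listing is None or listing.status != "active":
        return False
    if not (listing.hr if hr_data else listing.non_hr):
        return False
    if regime == "UK":
        return listing.uk_extension
    if regime == "CH":
        return listing.swiss_dpf
    return True


def evaluate_link(link: Link, t: Transfer, today: date):
    """Walk the cascade for one hop: Art. 45, then Art. 46, then Art. 49."""
    imp = link.importer
    if imp.country in ADEQUATE[t.regime]:
        return "Art. 45 adequacy", []
    if imp.country == "US" and dpf_covers(imp.dpf, t.regime, t.hr_data):
        fallback_ok = link.sccs_signed and link.tia_date is not None
        return "Art. 45 DPF", [] if fallback_ok else [f"{imp.name}: no SCC/TIA fallback on file"]
    if link.sccs_signed:
        findings = []
        if link.tia_date is None:
            findings.append(f"{imp.name}: SCCs signed but no TIA documented")
        elif today - link.tia_date > TIA_MAX_AGE:
            findings.append(f"{imp.name}: TIA stale, re-evaluate")
        return "Art. 46 SCCs", findings
    if not t.routine:
        return "Art. 49 derogation", [f"{imp.name}: last resort, document the derogation relied on"]
    return "NONE", [f"{imp.name}: routine flow with no Chapter V mechanism"]


def evaluate(t: Transfer, today: date):
    """Every hop must be covered; one uncovered sub-processor breaks the transfer."""
    results = [evaluate_link(link, t, today) for link in t.chain]
    mechanisms = [m for m, _ in results]
    findings = [f for _, fs in results for f in fs]
    return "NONE" not in mechanisms, mechanisms, findings


# Constructed register entries (hypothetical parties, not real DPF listings).
VENDOR = Party("Example SaaS Inc.", "US",
               DpfListing("active", hr=False, non_hr=True, uk_extension=False, swiss_dpf=False))
SUBPROC = Party("Example Cloud LLC", "US")        # no DPF listing at all
TODAY = date(2026, 7, 1)


def eu_non_hr_with_fallback():
    """DPF covers the first hop; Module 3 SCCs plus a TIA cover the sub-processor."""
    t = Transfer("EU", hr_data=False, routine=True, chain=[
        Link(VENDOR, sccs_signed=True, tia_date=date(2026, 2, 1)),
        Link(SUBPROC, sccs_signed=True, tia_date=date(2026, 2, 1))])
    return evaluate(t, TODAY)


def eu_hr_data_no_sccs():
    """Vendor is certified for non-HR data only, so EU employee data has no route."""
    return evaluate(Transfer("EU", hr_data=True, routine=True, chain=[Link(VENDOR)]), TODAY)


def uk_non_hr_stale_tia():
    """No UK Extension, so the DPF does not apply; SCCs hold but the TIA is out of date."""
    t = Transfer("UK", hr_data=False, routine=True,
                 chain=[Link(VENDOR, sccs_signed=True, tia_date=date(2024, 6, 1))])
    return evaluate(t, TODAY)


def eu_uncovered_subprocessor():
    """First hop is fine, but the downstream vendor has neither DPF nor SCCs."""
    t = Transfer("EU", hr_data=False, routine=True,
                 chain=[Link(VENDOR, sccs_signed=True, tia_date=date(2026, 2, 1)), Link(SUBPROC)])
    return evaluate(t, TODAY)


if __name__ == "__main__":
    for fn in (eu_non_hr_with_fallback, eu_hr_data_no_sccs, uk_non_hr_stale_tia, eu_uncovered_subprocessor):
        print(fn.__name__, fn())
```

Run it as a script to see the four register entries scored. The findings list is the part worth keeping: a DPF-covered hop with no SCC fallback on file is lawful today but is exactly the exposure the "keep SCCs as a fallback" advice on this page is about, and a stale TIA date is what step 6 of the EDPB methodology exists to catch.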
Common cross-border transfer mistakes
- Still relying on Privacy Shield. Privacy Shield was invalidated by Schrems II in 2020; any DPA or policy that still cites it is out of date and provides no valid basis. Migrate to the DPF or SCCs.
- Signing SCCs with no TIA. Post-Schrems II, SCCs without a documented Transfer Impact Assessment and supplementary measures are incomplete. A signed contract in a drawer is not compliance.
- Assuming the EU DPF covers the UK or Switzerland. It does not. Each requires a separate certification (UK Extension; Swiss-US DPF). Confirm which programs your importer is actually listed under.
- Using Article 49 derogations for routine flows. Consent and “contractual necessity” cannot lawfully carry structural, ongoing product transfers under EDPB Guidelines 2/2018.
- Ignoring the sub-processor chain. A DPF-certified vendor that ships data onward to an uncertified sub-processor without SCCs breaks the chain. Map every downstream recipient.
The stakes are concrete. Under Article 83(5) GDPR, infringements of the Chapter V transfer provisions sit in the top penalty tier — up to €20 million or 4% of total worldwide annual turnover, whichever is higher. Article 83(5)(c) names transfers under Articles 44–49 explicitly. The point is not abstract: in May 2023 the Irish Data Protection Commission fined Meta €1.2 billion for continuing EU-US transfers on SCCs without adequate supplementary measures — the largest GDPR fine to date and a direct product of a Chapter V failure.
Glossary of transfer terms
- Restricted transfer: Any transfer of personal data from the EEA (or UK/Switzerland) to a third country or international organization, triggering Chapter V.
- Adequacy: A Commission finding (Art. 45) that a third country or framework ensures essentially equivalent protection, allowing free transfers.
- SCC: Standard Contractual Clauses, pre-approved contract terms (2021 EU version, Decision 2021/914) that provide Article 46 safeguards.
- TIA / TRA: Transfer Impact Assessment (EU) / Transfer Risk Assessment (UK), the Schrems II analysis of destination-country law and supplementary measures.
- Supplementary measures: Technical, contractual, and organizational measures added to Article 46 tools where those tools alone are insufficient.
- IDTA: UK International Data Transfer Agreement, a standalone UK Article 46 contract for restricted transfers (in force 21 Mar 2022).
- Data Bridge: The UK Extension to the EU-US DPF (in force 12 Oct 2023), providing a UK adequacy route to certified US importers.
- DPF: EU-US Data Privacy Framework, the adequacy program (adopted 10 Jul 2023) for self-certified US organizations.
- BCR: Binding Corporate Rules (Art. 47), intra-group transfer rules requiring lead-DPA approval; impractical for most startups.
- Derogation: An Article 49 exception (e.g. explicit consent) permitting a transfer as a restrictively interpreted last resort.
Frequently asked questions
What are the GDPR mechanisms for cross-border data transfers?
GDPR Chapter V allows transfers outside the EEA only via, in order: an adequacy decision (Art. 45, e.g. the EU-US Data Privacy Framework), appropriate safeguards (Art. 46, mainly the 2021 Standard Contractual Clauses or Binding Corporate Rules), or narrow Article 49 derogations used as a last resort.
Do I still need Standard Contractual Clauses if my US vendor is DPF-certified?
If the US importer is self-certified under the EU-US Data Privacy Framework for the relevant data categories, the EU exporter's transfer relies on the adequacy decision and needs no SCCs, BCRs, or transfer impact assessment. Many exporters still keep SCCs as a contractual fallback in case the DPF is challenged or invalidated.
Is a Transfer Impact Assessment (TIA) mandatory?
A TIA is required whenever the exporter relies on Article 46 safeguards such as SCCs or the UK IDTA. Following Schrems II and EDPB Recommendations 01/2020, the exporter must assess the destination country's laws and add supplementary measures where needed. A TIA is not required when the transfer relies on an adequacy decision like the DPF.
What is the difference between the UK IDTA and the UK Addendum?
The UK IDTA is a standalone contract for UK-only transfers; the UK Addendum bolts onto the EU 2021 SCCs so one contract covers both EEA and UK data. Both took effect 21 March 2022 under Article 46 UK GDPR. Unlike the EU SCCs, the IDTA is not an Article 28 processing agreement and needs a separate Linked Agreement.
Does the EU-US Data Privacy Framework cover the UK and Switzerland?
No, not automatically. DPF certification covers EU transfers only. To receive UK data a US organization must also join the UK Extension (the UK-US Data Bridge, in force 12 October 2023); to receive Swiss data it must join the Swiss-US DPF (operative 15 September 2024). Each program is certified separately on dataprivacyframework.gov.
What are the four modules of the 2021 Standard Contractual Clauses?
The 2021 EU SCCs (Decision 2021/914) have four modules: Module 1 controller-to-controller, Module 2 controller-to-processor, Module 3 processor-to-processor, and Module 4 processor-to-controller. Parties pick the module matching their roles and can add new parties later via the Clause 7 docking option.
Is the EU-US Data Privacy Framework still valid in 2026?
Yes. The DPF adequacy decision (10 July 2023) remains in force and the EU General Court upheld it on 3 September 2025 in Latombe. But an appeal is now filed and pending before the CJEU (Case C-703/25 P, 31 October 2025), and separate 2026 pressures on its US foundations mean prudent exporters keep SCCs plus a TIA as a documented fallback.
When can I use Article 49 derogations for a transfer?
Article 49 derogations (such as explicit consent or contract necessity) are a last resort, interpreted restrictively. Per EDPB Guidelines 2/2018 most cannot support repetitive, large-scale, or structural transfers and are only appropriate for occasional, non-routine flows.
Sources & further reading
- European Commission — Commission Implementing Decision (EU) 2021/914 (Standard Contractual Clauses).
- EDPB — Recommendations 01/2020 on measures that supplement transfer tools (six-step methodology).
- European Commission — EU-US data transfers & the Data Privacy Framework adequacy decision.
- ICO — International transfers, the UK IDTA and the Addendum; and GDPR Article 83 (administrative fines).
Building a defensible transfer program?
Auditsuisse is a US & Swiss licensed CPA firm. We help US importers produce the SOC 2 Type II and ISO 27001 evidence EU and UK exporters need for their TIAs, and align your controls through a GDPR audit services engagement or GDPR readiness assessment. Book a scoping call to map your transfers.