Cross-Border Data Transfers (US, EU, UK): The 2026 Compliance Guide

A CPA firm's plain-English map of GDPR Chapter V — adequacy, the 2021 SCCs, Transfer Impact Assessments, the EU-US Data Privacy Framework and its 2026 fragility, plus the UK and Swiss routes for US-facing transfers.

The short answer

Under GDPR Chapter V (Articles 44–50), personal data may leave the EEA only through one of three routes, in priority order: an adequacy decision (Art. 45, such as the EU-US Data Privacy Framework), appropriate safeguards (Art. 46 — chiefly the 2021 Standard Contractual Clauses or Binding Corporate Rules), or narrow Article 49 derogations used as a last resort. The legal duty sits with the EU/UK exporter, not the US importer.

Key takeaways

  • GDPR Chapter V ranks the mechanisms. Check adequacy (Art. 45) first, then Art. 46 safeguards (SCCs/BCRs/IDTA), then Art. 49 derogations — which per EDPB Guidelines 2/2018 cannot support routine, large-scale flows.
  • SCCs alone are not enough for the US. After Schrems II (CJEU C-311/18), the exporter must run a Transfer Impact Assessment and add supplementary measures — where a SOC 2 Type II report can serve as documented technical/organizational evidence.
  • The EU-US DPF removes the SCC/TIA burden — but it is contested. It was upheld in Latombe on 3 September 2025, yet an appeal is now pending before the CJEU (C-703/25 P) and its US foundations are under strain in 2026. Keep SCCs as a live fallback.
  • The UK and Switzerland are separate regimes. A US importer's EU DPF certification does not cover UK or Swiss data unless it also joins the UK Extension (Data Bridge, 12 Oct 2023) and the Swiss-US DPF (operative 15 Sep 2024).

What counts as a “restricted transfer” under GDPR Chapter V

Article 44 GDPR sets the general principle: any transfer of personal data to a third country (outside the EEA) or an international organization is prohibited unless the conditions of Chapter V are met. In practice, a restricted transfer occurs whenever an EEA-based controller or processor (the “exporter”) sends, or makes accessible, personal data to an organization in a third country (the “importer”). Remote access from a third country counts — so does storing data on a US-headquartered cloud provider, even if the servers sit in Frankfurt.

This is why virtually every US SaaS and healthtech vendor is caught. When an EU customer uploads employee, patient, or end-user data into your platform, and your engineers, support staff, or subprocessors in the US can access it, a restricted transfer has taken place. The obligation to justify that transfer under Chapter V rests with the EU/UK exporter — your customer — but they will push the compliance burden onto you through the procurement process, security questionnaires, and their data processing agreement.

That distinction matters for how a US firm adds value. You cannot “be compliant” with Chapter V on the exporter's behalf; instead, you help the exporter satisfy its duty by producing the evidence and contractual instruments it needs — a signed Article 28 data processing agreement, the correct SCC module, and independent assurance such as a SOC 2 Type II report to support the exporter's risk assessment. For the broader picture of how US vendors operationalize this, see our guide to GDPR for US SaaS companies.

The five transfer mechanisms, in the order you must consider them

Chapter V is a decision cascade, not a menu of equals. You work down it: only if no adequacy decision applies do you reach for Article 46 safeguards, and only if no safeguard is workable do you consider Article 49 derogations. The table below is the map.

GDPR Chapter V transfer-mechanism decision matrix

| Mechanism | GDPR Article | When to use it | TIA required? | Regulator approval? | Typical effort |
|---|---|---|---|---|---|
| Adequacy decision | Art. 45 | Importer country (or framework) is on the EU adequacy list | No | No | Low — verify status |
| EU-US DPF self-certification | Art. 45 | US importer is actively self-certified for the relevant data categories | No | No | Low — verify listing |
| Standard Contractual Clauses | Art. 46 | No adequacy route; default for most US transfers | Yes | No | Medium — contract + TIA |
| Binding Corporate Rules | Art. 47 | Intra-group transfers in a large multinational | Yes | Yes — lead DPA approval | High — impractical for startups |
| Codes of conduct / certification | Art. 46 | An approved code or certification scheme exists | Yes | Scheme-dependent | Medium — few schemes exist |
| Article 49 derogations | Art. 49 | Occasional, non-routine transfers only; last resort | N/A | No | Low but high legal risk |

Adequacy decisions (Art. 45)

An adequacy decision is a European Commission finding that a third country ensures an essentially equivalent level of protection. Where one exists, transfers flow freely with no further safeguard. Countries on the list include the UK, Switzerland, Japan, and others. The United States is not adequate as a country — it appears on the list only through the EU-US Data Privacy Framework, and only for organizations that have self-certified under it. That partial, entity-by-entity adequacy is the single most misunderstood point on this topic.

Appropriate safeguards (Art. 46)

Where no adequacy route applies, the exporter turns to Article 46 safeguards. The workhorse is the 2021 Standard Contractual Clauses; alternatives include Binding Corporate Rules (Art. 47), the UK IDTA/Addendum for UK data, and approved codes of conduct or certification mechanisms. Every Article 46 route triggers a Transfer Impact Assessment. Note that BCRs (Art. 47) require approval by a lead supervisory authority and take many months to secure — they are realistic only for large multinationals moving data intra-group, not for a startup contracting with a US vendor.

Derogations (Art. 49)

Article 49 offers a closed list of derogations — explicit consent, necessity for a contract, important reasons of public interest, and a few others. These are a genuine last resort. Per EDPB Guidelines 2/2018, derogations must be interpreted restrictively and most cannot be used for transfers that are repetitive, large-scale, or structural. Routing your ongoing product data flows through “consent” or “contractual necessity” is one of the most common — and most easily challenged — mistakes in this area.

The 2021 EU Standard Contractual Clauses

The modernized SCCs were adopted by the European Commission on 4 June 2021 under Commission Implementing Decision (EU) 2021/914 and entered into force on 27 June 2021. They replaced the old 2001/2010 clauses, which were repealed on 27 September 2021. Contracts concluded on the old SCCs before that date remained valid only until 27 December 2022; after that deadline they can no longer lawfully support a transfer. Importantly, that sunset applied to the legacy clauses only — the 2021 SCCs themselves carry no expiry date and remain the current standard.

The 2021 SCCs are modular: parties select the module matching their respective roles and complete the shared clauses plus the module-specific ones. The Clause 7 “docking clause” then lets additional parties join an existing set of clauses later — useful as your subprocessor chain grows.

2021 EU SCC module selector (Decision 2021/914)

| Module | Exporter role | Importer role | Common example | Docking clause? |
|---|---|---|---|---|
| Module 1 (C2C) | Controller | Controller | EU controller shares data with a US controller partner | Yes (Clause 7) |
| Module 2 (C2P) | Controller | Processor | EU customer sends data to a US SaaS vendor | Yes (Clause 7) |
| Module 3 (P2P) | Processor | Processor | US SaaS vendor passes data to a US sub-processor | Yes (Clause 7) |
| Module 4 (P2C) | Processor | Controller | EU processor returns data to a US controller client | Yes (Clause 7) |

Completing the annexes — where most SCCs go wrong

Signing the SCCs is not enough; the annexes carry the substance. Annex I.A names the parties, Annex I.B describes the transfer (data categories, data subjects, purposes, retention), and Annex I.C identifies the competent supervisory authority. Annex II sets out the technical and organizational measures — this is where you attach concrete controls, and where a SOC 2 or ISO 27001 report becomes powerful evidence. Annex III lists the authorized sub-processors. The Clause 14 local-law warranty then requires the parties to assess and document that the importer's local laws do not prevent compliance — the contractual hook for the Transfer Impact Assessment below.

Onward transfers and the sub-processor chain

The hardest real-world SCC problem for SaaS is the onward transfer. When your US platform relies on AWS, an LLM API, or a support tool, those sub-processors receive the same EU data — and Module 3 plus the Clause 9 sub-processor-authorization mechanics require that each link in the chain be covered by its own SCCs (or another Chapter V route). Map your entire sub-processor chain before you promise a customer that transfers are covered; a single uncovered downstream vendor breaks the chain.

Schrems II and the Transfer Impact Assessment

In Schrems II (CJEU Case C-311/18, judgment of 16 July 2020) the Court of Justice invalidated the EU-US Privacy Shield and held that an exporter relying on SCCs must assess the law and practice of the destination country and, where the SCCs alone do not ensure an essentially equivalent level of protection, adopt supplementary measures. That obligation is operationalized through the Transfer Impact Assessment (TIA) — also called a Transfer Risk Assessment (TRA) in the UK.

The EDPB adopted its final Recommendations 01/2020 on 18 June 2021, setting out a six-step methodology. A TIA is a distinct exercise from a DPIA (Article 35): a DPIA assesses risk to data subjects from a processing activity; a TIA assesses whether a specific transfer's safeguards hold up against the destination country's surveillance laws.

Transfer Impact Assessment six-step worksheet (EDPB Recommendations 01/2020)

| Step | What to do | Evidence / artifact to keep |
|---|---|---|
| 1. Know your transfers | Map every transfer, data category, and importer/sub-processor | Data map / RoPA (Art. 30) transfer register |
| 2. Identify the tool | Confirm the Article 46 instrument relied on (e.g. SCC module) | Executed SCCs with completed annexes |
| 3. Assess effectiveness | Evaluate destination-country law and practice (e.g. FISA 702, EO 12333) | Country-law analysis; importer's transparency report |
| 4. Adopt supplementary measures | Add technical, contractual, and organizational measures where needed | Encryption design; SOC 2 / ISO 27001 report |
| 5. Take procedural steps | Formalize measures, amend contracts, consult DPA if required | Signed amendments; internal approval record |
| 6. Re-evaluate at intervals | Monitor for legal change and re-run periodically | Dated review log; re-assessment schedule |

The supplementary measures menu

Supplementary measures fall into three families. Technical measures are the strongest because they can neutralize government access regardless of contract; contractual and organizational measures reinforce them but cannot cure a legal gap on their own.

Supplementary measures menu (post-Schrems II)

| Type | Example measure | Effective against | Auditor evidence |
|---|---|---|---|
| Technical | Strong encryption in transit and at rest, pseudonymization, split or multi-party processing, importer-inaccessible keys | Government access to intelligible data | SOC 2 Type II / ISO 27001 controls, key-management config |
| Contractual | Transparency obligations, warranty to challenge unlawful government access, audit rights, notification duties | Undisclosed or unlawful access requests | Executed SCC annexes, side-letter commitments |
| Organizational | Access-minimization policy, government-request handling procedure, periodic transparency reporting | Over-broad internal and external access | Policy documents, access reviews, transparency report |

How a SOC 2 Type II or ISO 27001 report supports the TIA

This is where a US importer's assurance program becomes directly useful to its EU customers. When the exporter documents the technical and organizational supplementary measures at Step 4, it can point to your independent SOC 2 Type II report or ISO 27001 certificate as auditor-tested evidence that encryption, access control, and change management actually operate. For non-US importers, ISAE 3000 assurance can address privacy and data-protection subject matter directly. Teams already maintaining multiple frameworks can map SOC 2 and GDPR controls once and reuse the evidence across TIAs.

The EU-US Data Privacy Framework

The European Commission adopted the EU-US Data Privacy Framework (DPF) adequacy decision on 10 July 2023. Where a US importer is self-certified under the DPF for the relevant data categories, the EEA exporter's transfer relies on that adequacy decision and needs no SCCs, BCRs, or TIA. The framework rests on US Executive Order 14086 (“Enhancing Safeguards for United States Signals Intelligence Activities”) and a new two-layer redress mechanism culminating in the Data Protection Review Court (DPRC).

US organizations self-certify with the U.S. Department of Commerce at dataprivacyframework.gov, publicly committing to the DPF Principles. Crucially, certification is not a set-and-forget badge. Before an EU exporter relies on it, it should verify on the official list that the importer's status is “active” (not “inactive” or withdrawn) and that the certification covers the right data categories — note the distinction between HR data and non-HR data, which are certified separately. A vendor certified only for non-HR data cannot receive EU employee data under the DPF.

DPF vs SCCs+TIA — which to rely on

For an EEA exporter sending data to a US importer, the choice is straightforward on paper but shaped by risk appetite in practice.

DPF vs SCCs+TIA decision for a US importer

| Question | If YES | If NO |
|---|---|---|
| Is the US importer DPF-certified “active” for the relevant categories (HR vs non-HR)? | Rely on adequacy; no SCCs/TIA legally required | Use 2021 SCCs + TIA |
| Do you also transfer UK data? | Importer must also join the UK Extension (Data Bridge) | DPF/UK issue does not arise |
| Do you also transfer Swiss data? | Importer must also join the Swiss-US DPF | Swiss issue does not arise |
| Do you want a fallback if the DPF is invalidated? | Sign SCCs alongside DPF reliance and keep a TIA on file | Rely on DPF alone (higher exposure) |

Regulatory status of the DPF as of July 2026

Status snapshot

The EU-US DPF adequacy decision remains legally in force in July 2026 and can be relied on. But its stability is genuinely contested: the EU General Court's Latombe ruling is under appeal, and several of the US mechanisms the decision depends on are under strain. Treat the DPF as usable with a documented SCC fallback, not as a settled foundation.

The relevant developments, each grounded in primary or authoritative reporting:

  • Latombe on appeal. On 3 September 2025 the EU General Court dismissed the Latombe v Commission action and confirmed the DPF's adequacy. That is not the end: an appeal to the Court of Justice has been filed and is pending as Case C-703/25 P (lodged 31 October 2025). Describing the position as merely “an appeal is possible” is out of date.
  • PCLOB quorum loss. Removals at the US Privacy and Civil Liberties Oversight Board in January 2025 left the board without a quorum, disrupting the independent oversight and the mandatory annual review of EO 14086 safeguards that the Commission's adequacy finding relies on.
  • FTC independence. The US Supreme Court's June 2026 decision in Trump v. Slaughter bears on the independence of the Federal Trade Commission, which the DPF leans on as its EU-facing enforcement authority.
  • Withdrawal pressure. The advocacy group noyb has formally demanded that the Commission withdraw the DPF and has signalled a potential “Schrems III” challenge, while some EU data-protection authorities have advised organizations to prepare transfer “exit strategies.”

None of this makes the DPF unlawful today — but it is exactly why the “keep SCCs as a fallback” advice is not boilerplate. An exporter that signs SCCs and files a TIA alongside its DPF reliance can switch instruments overnight if the framework falls, avoiding a repeat of the Privacy Shield scramble in 2020.

UK transfers — UK GDPR, the IDTA, and the Data Bridge

After Brexit the UK retained its own UK GDPR alongside the Data Protection Act 2018. Its Chapter V equivalent offers the same cascade, but with UK-specific Article 46 tools. The UK International Data Transfer Agreement (IDTA) and the UK Addendum to the EU SCCs both came into force on 21 March 2022. The IDTA is a standalone UK contract; the Addendum bolts onto executed EU 2021 SCCs so a single contract can cover both EEA and UK data — the practical choice for most transatlantic SaaS deals.

A critical trap: unlike the EU SCCs, the IDTA is not an Article 28 processing agreement. It governs the transfer, not the controller-processor relationship, so it must be paired with a separate Article 28 data processing agreement — referenced in the IDTA as a “Linked Agreement.” The UK's ICO also publishes a Transfer Risk Assessment (TRA) tool as the UK's equivalent of the EDPB six-step method.

UK IDTA vs UK Addendum to the EU SCCs

| Dimension | UK IDTA | UK Addendum to EU SCCs |
|---|---|---|
| Format | Standalone UK contract | Add-on to executed EU 2021 SCCs |
| Best when | You transfer UK data only | You also transfer EEA data (one contract covers both) |
| Is it an Art. 28 DPA? | No | No (the underlying SCCs are not either) |
| Needs a Linked Agreement / DPA? | Yes — a separate DPA | Yes — a separate DPA |
| Issued by | ICO | ICO (references EU Decision 2021/914) |
| In force | 21 March 2022 | 21 March 2022 |

For adequacy, the UK operates its own version of the DPF: the UK-US Data Bridge (the UK Extension to the DPF) came into force on 12 October 2023 via the Data Protection (Adequacy) (United States of America) Regulations 2023. It lets UK organizations transfer to US importers participating in the UK Extension without additional safeguards — but a US importer must specifically join the UK Extension; EU DPF certification alone does not cover UK data.

Switzerland — the revFADP and the Swiss-US DPF

Switzerland sits outside the EEA and runs its own regime under the revised Federal Act on Data Protection (revFADP), in force since 1 September 2023, supervised by the Federal Data Protection and Information Commissioner (FDPIC). Its transfer rules closely track GDPR Chapter V — adequacy, contractual safeguards (the Swiss FDPIC recognizes the EU SCCs with Swiss-specific adaptations), and derogations — but they are legally distinct.

For US transfers, Switzerland has the Swiss-US Data Privacy Framework. US organizations may receive personal data from Switzerland in reliance on the Swiss-US DPF from its operative date of 15 September 2024, when the Swiss Federal Council's adequacy recognition took effect (distinct from the 17 July 2023 effective date of the DPF Principles themselves). As with the UK, a US importer must certify separately for the Swiss-US DPF — the EU, UK, and Swiss programs are three distinct certifications on dataprivacyframework.gov. As a US and Swiss-licensed CPA firm, Auditsuisse is positioned precisely at this intersection: helping US importers produce the assurance evidence Swiss and EU exporters need.

Putting it together: a transfer-governance workflow

A US-first company selling into the EU and UK should build one governance workflow that spans all three regimes rather than three parallel efforts. The regime toolkit below shows what changes by jurisdiction.

EU vs UK vs Switzerland transfer toolkit

| Regime | Governing law | Contractual tool | US adequacy route | Assessment name & tool | In-force date |
|---|---|---|---|---|---|
| EU / EEA | GDPR Chapter V | 2021 EU SCCs (Decision 2021/914) | EU-US DPF | TIA (EDPB Rec. 01/2020) | SCCs: 27 Jun 2021 |
| UK | UK GDPR + DPA 2018 | UK IDTA or UK Addendum | UK-US Data Bridge | TRA (ICO tool) | IDTA/Addendum: 21 Mar 2022 |
| Switzerland | revFADP | EU SCCs with Swiss adaptations | Swiss-US DPF | Transfer assessment (FDPIC guidance) | Swiss-US DPF: 15 Sep 2024 |

Data mapping, RoPA (Art. 30), and a transfer register

Everything above depends on knowing your transfers — TIA Step 1. Build a transfer register on top of your Article 30 Record of Processing Activities (RoPA): for each flow, record the data categories, the exporter and importer roles, the destination country, the Chapter V mechanism relied on, the sub-processor chain, and the date of the last TIA. Also weigh no-transfer alternatives that enterprise buyers increasingly demand: EU data residency, regional-only processing, or EU-only enclaves that keep data inside the EEA and remove the Chapter V question entirely. Our EU and EMEA data protection support covers these architectural options in more depth.

Common cross-border transfer mistakes

Still relying on Privacy Shield. Privacy Shield was invalidated by Schrems II in 2020; any DPA or policy that still cites it is out of date and provides no valid basis. Migrate to the DPF or SCCs.

Signing SCCs with no TIA. Post-Schrems II, SCCs without a documented Transfer Impact Assessment and supplementary measures are incomplete. A signed contract in a drawer is not compliance.

Assuming the EU DPF covers the UK or Switzerland. It does not. Each requires a separate certification (UK Extension; Swiss-US DPF). Confirm which programs your importer is actually listed under.

Using Article 49 derogations for routine flows. Consent and “contractual necessity” cannot lawfully carry structural, ongoing product transfers under EDPB Guidelines 2/2018.

Ignoring the sub-processor chain. A DPF-certified vendor that ships data onward to an uncertified sub-processor without SCCs breaks the chain. Map every downstream recipient.
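The transfer register described under “Data mapping, RoPA (Art. 30), and a transfer register” and the mistakes listed above can both be expressed as checks that run over the register itself. The Python below is an added illustration written for this guide; it is not a tool from Auditsuisse, the EDPB or any supervisory authority. It assumes each register row is a dictionary with the fields used in the code, uses a constructed local snapshot (`DPF_SNAPSHOT`, invented vendor names) in place of a live check of the importer's listing on dataprivacyframework.gov, and treats a 365-day TIA review interval as an assumed internal policy, since EDPB Step 6 only says to re-evaluate at intervals.

```python
"""Chapter V transfer-register checker (added illustrative example).

Not a tool from Auditsuisse, the EDPB or any DPA. Assumptions: register
rows are dicts with the keys used below; DPF_SNAPSHOT is a constructed
stand-in for verifying a listing on dataprivacyframework.gov; the
365-day TIA review interval is an assumed internal policy.
"""
from datetime import date

# Constructed DPF listing snapshot; vendor names are invented. "programs" are
# the separately certified EU, UK Extension and Swiss-US programs; "scopes"
# are the separately certified HR and non-HR data categories.
DPF_SNAPSHOT = {
    "ExampleSaaS Inc": {"status": "active", "programs": {"EU", "UK", "CH"},
                        "scopes": {"non-HR"}},
    "LegacyVendor LLC": {"status": "inactive", "programs": {"EU"},
                         "scopes": {"HR", "non-HR"}},
}

ART46_TOOLS = {"SCC", "BCR", "IDTA", "ADDENDUM", "CODE_OR_CERT"}
TIA_MAX_AGE_DAYS = 365  # assumed review policy, see module docstring


def dpf_covers(importer, regime, hr_data):
    """True only for an active listing, in the program matching the regime
    (EU, UK or CH), and for the data scope actually transferred."""
    entry = DPF_SNAPSHOT.get(importer)
    if entry is None or entry["status"] != "active":
        return False
    if regime not in entry["programs"]:
        return False
    return ("HR" if hr_data else "non-HR") in entry["scopes"]


def recommend_mechanism(importer, regime, hr_data, routine, art46_workable=True):
    """Walk the Chapter V cascade in order: adequacy, Art. 46, Art. 49."""
    if dpf_covers(importer, regime, hr_data):
        return "DPF"            # Art. 45 adequacy: no SCCs, BCRs or TIA needed
    if art46_workable:
        # UK has its own Art. 46 tools; Switzerland accepts EU SCCs with adaptations
        return "IDTA+TRA" if regime == "UK" else "SCC+TIA"
    if not routine:
        return "ART49"          # last resort, occasional transfers only
    return "NO_LAWFUL_ROUTE"    # keep the data inside the EEA instead


def check_transfer(row, today):
    """Return the findings for one register row (an empty list means clean)."""
    findings = []
    mech, regime, hr = row["mechanism"], row["regime"], row["hr_data"]
    if mech == "PRIVACY_SHIELD":
        findings.append("relies on Privacy Shield, invalidated by Schrems II (2020)")
    elif mech == "DPF":
        if not dpf_covers(row["importer"], regime, hr):
            findings.append("DPF relied on but importer not actively certified "
                            f"for {regime} / {'HR' if hr else 'non-HR'} data")
        if not row.get("fallback_sccs"):
            findings.append("no SCC fallback on file while the DPF is under appeal")
    elif mech in ART46_TOOLS:
        tia = row.get("tia_date")
        if tia is None:
            findings.append("Art. 46 tool signed without a TIA")
        elif (today - tia).days > TIA_MAX_AGE_DAYS:
            findings.append("TIA older than the review interval")
        if mech == "IDTA" and not row.get("linked_dpa"):
            findings.append("IDTA without a Linked Agreement (Art. 28 DPA)")
        if mech in ("IDTA", "ADDENDUM") and regime != "UK":
            findings.append(f"{mech} is a UK tool but the regime is {regime}")
    elif mech == "ART49":
        if row["routine"]:
            findings.append("Art. 49 derogation used for a routine, structural flow")
    else:
        findings.append(f"unknown mechanism {mech!r}")
    # Onward transfers: every link in the chain needs its own Chapter V route.
    for sub in row.get("sub_processors", []):
        sub_mech = sub.get("mechanism")
        covered = sub_mech == "SCC" or (
            sub_mech == "DPF" and dpf_covers(sub["name"], regime, hr))
        if not covered:
            findings.append(f"sub-processor {sub['name']} has no Chapter V cover")
    return findings


# Constructed sample register (ids, dates and vendor names invented).
SAMPLE_REGISTER = [
    {"id": "T1", "regime": "EU", "importer": "ExampleSaaS Inc", "hr_data": False,
     "routine": True, "mechanism": "DPF", "fallback_sccs": True,
     "sub_processors": [{"name": "CloudHost Ltd", "mechanism": "SCC"}]},
    {"id": "T2", "regime": "EU", "importer": "ExampleSaaS Inc", "hr_data": True,
     "routine": True, "mechanism": "DPF", "fallback_sccs": False,
     "sub_processors": []},
    {"id": "T3", "regime": "UK", "importer": "LegacyVendor LLC", "hr_data": False,
     "routine": True, "mechanism": "IDTA", "tia_date": date(2024, 1, 15),
     "linked_dpa": False, "sub_processors": []},
    {"id": "T4", "regime": "EU", "importer": "LegacyVendor LLC", "hr_data": False,
     "routine": True, "mechanism": "ART49",
     "sub_processors": [{"name": "LLM API Co", "mechanism": "DPF"}]},
]


def run_register(register=SAMPLE_REGISTER, today=date(2026, 7, 1)):
    """Audit every row; returns {row id: [findings]}."""
    return {row["id"]: check_transfer(row, today) for row in register}
```

In the sample register only T1 comes back clean: T2 trips the HR/non-HR scope check and the missing SCC fallback, T3 has a stale TRA and an IDTA with no Linked Agreement, and T4 routes a routine flow through Article 49 and passes data to a sub-processor whose claimed DPF listing cannot be found. To use this against a real register, export the rows from the Article 30 RoPA and replace `DPF_SNAPSHOT` with a verified check of each importer's status and scopes on the official list.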

The stakes are concrete. Under Article 83(5) GDPR, infringements of the Chapter V transfer provisions sit in the top penalty tier — up to €20 million or 4% of total worldwide annual turnover, whichever is higher. Article 83(5)(c) names transfers under Articles 44–49 explicitly. The point is not abstract: in May 2023 the Irish Data Protection Commission fined Meta €1.2 billion for continuing EU-US transfers on SCCs without adequate supplementary measures — the largest GDPR fine to date and a direct product of a Chapter V failure.

Glossary of transfer terms

Restricted transfer
Any transfer of personal data from the EEA (or UK/Switzerland) to a third country or international organization, triggering Chapter V.
Adequacy
A Commission finding (Art. 45) that a third country or framework ensures essentially equivalent protection, allowing free transfers.
SCC
Standard Contractual Clauses — pre-approved contract terms (2021 EU version, Decision 2021/914) that provide Article 46 safeguards.
TIA / TRA
Transfer Impact Assessment (EU) / Transfer Risk Assessment (UK) — the Schrems II analysis of destination-country law and supplementary measures.
Supplementary measures
Technical, contractual, and organizational measures added to Article 46 tools where those tools alone are insufficient.
IDTA
UK International Data Transfer Agreement — a standalone UK Article 46 contract for restricted transfers (in force 21 Mar 2022).
Data Bridge
The UK Extension to the EU-US DPF (in force 12 Oct 2023), providing a UK adequacy route to certified US importers.
DPF
EU-US Data Privacy Framework — the adequacy program (adopted 10 Jul 2023) for self-certified US organizations.
BCR
Binding Corporate Rules (Art. 47) — intra-group transfer rules requiring lead-DPA approval; impractical for most startups.
Derogation
An Article 49 exception (e.g. explicit consent) permitting a transfer as a restrictively-interpreted last resort.

Frequently asked questions

What are the GDPR mechanisms for cross-border data transfers?

GDPR Chapter V allows transfers outside the EEA only via, in order: an adequacy decision (Art. 45, e.g. the EU-US Data Privacy Framework), appropriate safeguards (Art. 46, mainly the 2021 Standard Contractual Clauses or Binding Corporate Rules), or narrow Article 49 derogations used as a last resort.

Do I still need Standard Contractual Clauses if my US vendor is DPF-certified?

If the US importer is self-certified under the EU-US Data Privacy Framework for the relevant data categories, the EU exporter's transfer relies on the adequacy decision and needs no SCCs, BCRs, or transfer impact assessment. Many exporters still keep SCCs as a contractual fallback in case the DPF is challenged or invalidated.

Is a Transfer Impact Assessment (TIA) mandatory?

A TIA is required whenever the exporter relies on Article 46 safeguards such as SCCs or the UK IDTA. Following Schrems II and EDPB Recommendations 01/2020, the exporter must assess the destination country's laws and add supplementary measures where needed. A TIA is not required when the transfer relies on an adequacy decision like the DPF.

What is the difference between the UK IDTA and the UK Addendum?

The UK IDTA is a standalone contract for UK-only transfers; the UK Addendum bolts onto the EU 2021 SCCs so one contract covers both EEA and UK data. Both took effect 21 March 2022 under Article 46 UK GDPR. Unlike the EU SCCs, the IDTA is not an Article 28 processing agreement and needs a separate Linked Agreement.

Does the EU-US Data Privacy Framework cover the UK and Switzerland?

No, not automatically. DPF certification covers EU transfers only. To receive UK data a US organization must also join the UK Extension (the UK-US Data Bridge, in force 12 October 2023); to receive Swiss data it must join the Swiss-US DPF (operative 15 September 2024). Each program is certified separately on dataprivacyframework.gov.

What are the four modules of the 2021 Standard Contractual Clauses?

The 2021 EU SCCs (Decision 2021/914) have four modules: Module 1 controller-to-controller, Module 2 controller-to-processor, Module 3 processor-to-processor, and Module 4 processor-to-controller. Parties pick the module matching their roles and can add new parties later via the Clause 7 docking option.

Is the EU-US Data Privacy Framework still valid in 2026?

Yes. The DPF adequacy decision (10 July 2023) remains in force and the EU General Court upheld it on 3 September 2025 in Latombe. But an appeal is now filed and pending before the CJEU (Case C-703/25 P, 31 October 2025), and separate 2026 pressures on its US foundations mean prudent exporters keep SCCs plus a TIA as a documented fallback.

When can I use Article 49 derogations for a transfer?

Article 49 derogations (such as explicit consent or contract necessity) are a last resort, interpreted restrictively. Per EDPB Guidelines 2/2018 most cannot support repetitive, large-scale, or structural transfers and are only appropriate for occasional, non-routine flows.

Sources & further reading

  1. European Commission — Commission Implementing Decision (EU) 2021/914 (Standard Contractual Clauses).
  2. EDPB — Recommendations 01/2020 on measures that supplement transfer tools (six-step methodology).
  3. European Commission — EU-US data transfers & the Data Privacy Framework adequacy decision.
  4. ICO — International transfers, the UK IDTA and the Addendum; and GDPR Article 83 (administrative fines).
Reviewed by Sébastien Ruosch, CPA (US & Swiss licensed), Director of Audits at Auditsuisse. This is audit and assurance guidance; legal positions cite primary law and you should confirm specific transfers with qualified counsel. Last reviewed July 1, 2026.

Building a defensible transfer program?

Auditsuisse is a US & Swiss licensed CPA firm. We help US importers produce the SOC 2 Type II and ISO 27001 evidence EU and UK exporters need for their TIAs, and align your controls through a GDPR audit services engagement or GDPR readiness assessment. Book a scoping call to map your transfers.
