Why Not All International Data Transfers Are Banned

A widespread misconception suggests that the GDPR prohibits all personal data transfers to countries outside the EU or EEA. This belief is not only incorrect but potentially harmful to organizations managing global data flows.

The GDPR does restrict cross-border transfers, but it also provides a clear legal framework for making them lawful. These mechanisms are essential for business operations, cloud services, HR data flows, and global marketing activities.

For privacy professionals preparing for the CIPP/E exam, understanding how to legally transfer data internationally is critical. Chapter V of the GDPR is frequently tested, especially in scenarios involving adequacy decisions, Standard Contractual Clauses (SCCs), and risk-based assessments.

Introduction to the GDPR’s Approach to International Data Transfers

The GDPR recognizes the need for cross-border data flows in today’s interconnected world. However, it requires that any personal data transferred to a “third country” (i.e., outside the EU/EEA) continues to benefit from a level of protection essentially equivalent to that provided in Europe.

These rules, established in Chapter V of the GDPR, are not a ban but a system of controls. Transfers are allowed if certain legal conditions are met, ensuring the rights of data subjects are not undermined.

As outlined by the Dutch DPA, there are three main legal pathways for international transfers: adequacy decisions, appropriate safeguards (such as SCCs or BCRs), and specific derogations for exceptional cases.

The GDPR’s Transfer Provisions Explained (Chapter V)

Chapter V of the GDPR establishes the rules for restricted transfers—any movement of personal data from the EU to a third country or international organization. These transfers can only occur if the receiving country or organization ensures a level of protection equivalent to the GDPR.

The law doesn’t stop transfers outright but requires that they are justified under one of several legal mechanisms. These include adequacy decisions granted by the European Commission, appropriate safeguards such as SCCs or BCRs, and, in limited situations, derogations under Article 49.

The European Data Protection Supervisor emphasizes that controllers must also conduct Transfer Impact Assessments (TIAs) to evaluate whether third-country laws compromise the protection afforded by GDPR—especially after the Schrems II ruling.

Transfers to Countries with Adequacy Decisions

Adequacy decisions are issued by the European Commission when it determines that a third country ensures a level of data protection essentially equivalent to that of the EU.

As of 2024, the list includes countries like Japan, the United Kingdom, Israel, Switzerland, and Canada (for commercial organizations). Transfers to these countries do not require additional safeguards.

This mechanism offers a straightforward path for compliant international transfers, and CIPP/E candidates should know how to identify and apply it in both exam and professional scenarios.

Transfers with Appropriate Safeguards (SCCs, BCRs, etc.)

When no adequacy decision exists, organizations must implement appropriate safeguards to ensure data protection continuity. The most commonly used mechanisms include:

  • Standard Contractual Clauses (SCCs): Pre-approved contractual terms ensuring GDPR-compliant protection.
  • Binding Corporate Rules (BCRs): Internal policies for multinational groups, approved by data protection authorities.
  • Codes of Conduct and Certification Mechanisms: Emerging tools that may offer alternatives in specific contexts.

Since Schrems II, SCCs require the use of Transfer Impact Assessments to evaluate third-country surveillance laws and assess whether supplementary safeguards are needed. As Pinsent Masons explains, organizations cannot rely solely on the SCC text—they must also monitor local legal risks and adapt accordingly.

Using Derogations When No Safeguards Are Available

If neither adequacy nor appropriate safeguards are feasible, organizations may rely on derogations under Article 49. These are limited-use exceptions for specific, non-routine transfers.

Examples include:

  • The data subject has explicitly consented to the transfer.
  • The transfer is necessary for contract performance.
  • The transfer is required for important public interest reasons.

However, as the Irish DPC and the EDPB emphasize, derogations must be narrowly interpreted. They are not suitable for ongoing or large-scale transfers and should be used only when all other safeguards are unavailable.

Recent Developments: Schrems Decisions and the EU-US Framework

Two pivotal court cases—Schrems I and Schrems II—significantly reshaped international data transfer practices. The first invalidated the Safe Harbor agreement, while the second struck down the Privacy Shield between the EU and the United States, citing inadequate protection against U.S. surveillance.

In response, the EU-US Data Privacy Framework was introduced in 2023 and recognized as adequate in 2024. While it restores a mechanism for transatlantic data flows, organizations using it must verify whether their data importer is certified under the framework.

For CIPP/E candidates, staying updated on legal frameworks and the evolving jurisprudence is essential. The legality of international transfers remains a dynamic topic, shaped by court rulings and regulatory developments.

Practical Steps for Organizations Making International Transfers

Organizations planning to transfer personal data outside the EU should follow a clear, structured approach:

  1. Inventory international data flows and identify destinations and processing activities.
  2. Determine the appropriate transfer mechanism, such as adequacy, SCCs, or BCRs.
  3. Conduct Transfer Impact Assessments (TIAs) for non-adequate jurisdictions.
  4. Implement supplementary measures, if necessary, based on the TIA findings.
  5. Document decisions and maintain clear records for accountability purposes.
  6. Monitor changes in third-country laws that could affect ongoing transfers.

The ICO offers a step-by-step guide to help organizations navigate post-Brexit and EU transfer requirements.

CIPP/E Exam Relevance and Strategic Takeaways

Chapter V is a major part of the CIPP/E Body of Knowledge, and questions frequently test candidates on how to legally structure cross-border transfers. Understanding the differences between adequacy, SCCs, BCRs, and derogations is essential for selecting the correct mechanism in both hypothetical and real-world scenarios.

Candidates should also know the implications of Schrems II, how to conduct a basic TIA, and the factors regulators expect when reviewing transfer decisions.

Strategically, professionals should build international data transfer programs that are scalable, documented, and aligned with current legal interpretations. Compliance is not about avoiding transfers—it’s about doing them lawfully.

International Transfers Require Safeguards—Not a Full Stop

Despite popular belief, the GDPR does not prohibit international data transfers. Instead, it provides a framework that balances global data movement with strong protections for data subjects.

With tools like adequacy decisions, SCCs, BCRs, and limited-use derogations, organizations can legally transfer data beyond the EU’s borders—if they do so carefully and transparently.

CIPP/E candidates must understand these tools and how they apply in various scenarios. With rapid legal developments and new frameworks emerging, keeping up to date is just as important as mastering the foundations of Chapter V.
