Chapter V of the General Data Protection Regulation (GDPR) prohibits transfers of personal data to third countries (countries outside the European Economic Area) unless an appropriate safeguard ensures that a level of protection essentially equivalent to that within the EEA is maintained. The prohibition applies to any international transfer, including routine HR data flows such as employee records sent to a parent company in the United States or payroll data processed by a provider in India.
The three main transfer mechanisms are adequacy decisions issued by the European Commission, standard contractual clauses (SCCs) concluded between the exporter and importer, and binding corporate rules (BCRs) approved by a lead supervisory authority. In practice, SCCs are the most widely used mechanism, particularly following the European Commission's 2021 update, which replaced the 2010 versions. Transfer impact assessments are now required alongside SCCs to evaluate whether the legal framework of the recipient country undermines the contractual protections.
The EU-US Data Privacy Framework, adopted in July 2023, restored an adequacy finding for transfers to certified US organisations following the invalidation of Privacy Shield by the Court of Justice of the EU in Schrems II. However, its long-term stability remains uncertain, and companies relying on it should maintain parallel SCC documentation as a contingency.