International data transfer under the GDPR is the transfer of personal data from the EU to outside the EEA. At Musch Legal, we implement SCCs and Data Privacy Framework choices weekly for clients with US suppliers or Asian firms. Since Schrems II (CJEU 2020), international data transfers have changed fundamentally from a legal perspective — a Transfer Impact Assessment is mandatory and complex.
What is the legal issue? (Why is transfer so strict?)
In principle, Article 44 of the GDPR prohibits the transfer of personal data outside the EEA unless adequate protection is ensured. Since the Schrems II ruling, it is clear that SCCs alone are not sufficient — a Transfer Impact Assessment is required plus additional safeguards if necessary. Since 2023, a Data Privacy Framework applies as an alternative for US parties. For other third countries, adequacy is often lacking.
What does the law say? (What instruments are available?)
GDPR Chapter V (Articles 44-49) governs data transfer. Article 45 EC adequacy decisions for countries with an adequate level of protection (including the UK, Switzerland, Japan, South Korea, and since 2023 also the US via DPF). Article 46 appropriate safeguards: SCCs under Implementing Decision (EU) 2021/914 (replaces old 2010 versions), Binding Corporate Rules (BCR), codes of conduct. Article 49 exceptions (incidental transfer).
Schrems II judgment (CJEU 16 July 2020, C-311/18) requires Transfer Impact Assessment plus any additional safeguards.
Country/region
Basis for transfer
Point of attention
UK
Adequacy Decision until 2027
UK GDPR also applies
US (DPF certified)
Data Privacy Framework + Executive Order 14086
Only for DPF participants
US (other)
SCCs + TIA + additional safeguards
Schrems II compliant
China
SCCs + Chinese PIPL compliance
CAC security assessment
Switzerland
Adequacy decision
Separate Swiss data protection law
Country/region
Transfer basis
Point of attention
UK
Adequacy decision until 2027
UK GDPR also applies
US (DPF Certified)
Data Privacy Framework + Executive Order 14086
For DPF participants only
US (other)
SCCs + TIA + additional safeguards
Schrems II compliant
China
SCCs + Chinese PIPL compliance
CAC security assessment
Switzerland
Adequacy decision
Separate Swiss data protection law
What risks do companies face? (What are the risks of non-compliance?)
GDPR fines of up to 4 percent of global turnover under Article 83 GDPR. Supervisory authorities (in the Netherlands, the Dutch Data Protection Authority) prioritize data transfer. Reputational damage in the event of detected violations. Operational disruption in the event of a transfer ban (e.g., no access to US SaaS tools). In the case of a client contract: indemnity claims. In the event of an internal audit or M&A: significant remediation costs.
Practical example from our practice (How did we arrange US cloud transfer?)
Musch Legal advised a Dutch fintech company with cloud infrastructure at AWS US East. Under Schrems II, there were insufficient SCCs. We assessed AWS DPF certification, performed a Transfer Impact Assessment, implemented encryption at rest and in transit as an additional technical safeguard, and concluded a DPA with AWS under new SCCs plus the DPF basis. Compliance status confirmed by the AP audit. Operational continuity ensured without cloud migration.
What can you do? (What steps are you taking?)
Inventory all international data transfers (data mapping). Assess the basis per recipient: adequacy decision, SCCs, DPF, or Article 49 exception. Perform a Transfer Impact Assessment for non-adequacy countries. Implement SCCs under Implementing Decision 2021/914 with DPA. Add technical safeguards (encryption, pseudonymization). Document everything for AP supervision. Engage Musch Legal for TIA package.
International privacy regulations for companies