International data transfer under the GDPR is the transfer of personal data from the EU to outside the EEA. At Musch Legal, we implement SCCs and Data Privacy Framework choices weekly for clients with US suppliers or Asian firms. Since Schrems II (CJEU 2020), international data transfers have changed fundamentally from a legal perspective — a Transfer Impact Assessment is mandatory and complex.

What is the legal issue? (Why is transfer so strict?)

In principle, Article 44 of the GDPR prohibits the transfer of personal data outside the EEA unless adequate protection is ensured. Since the Schrems II ruling, it is clear that SCCs alone are not sufficient — a Transfer Impact Assessment is required plus additional safeguards if necessary. Since 2023, a Data Privacy Framework applies as an alternative for US parties. For other third countries, adequacy is often lacking.

What does the law say? (What instruments are available?)

GDPR Chapter V (Articles 44-49) governs data transfer. Article 45 EC adequacy decisions for countries with an adequate level of protection (including the UK, Switzerland, Japan, South Korea, and since 2023 also the US via DPF). Article 46 appropriate safeguards: SCCs under Implementing Decision (EU) 2021/914 (replaces old 2010 versions), Binding Corporate Rules (BCR), codes of conduct. Article 49 exceptions (incidental transfer).

Schrems II judgment (CJEU 16 July 2020, C-311/18) requires Transfer Impact Assessment plus any additional safeguards.

Country/region

Basis for transfer

Point of attention

UK

Adequacy Decision until 2027

UK GDPR also applies

US (DPF certified)

Data Privacy Framework + Executive Order 14086

Only for DPF participants

US (other)

SCCs + TIA + additional safeguards

Schrems II compliant

China

SCCs + Chinese PIPL compliance

CAC security assessment

Switzerland

Adequacy decision

Separate Swiss data protection law

Country/region

Transfer basis

Point of attention

UK

Adequacy decision until 2027

UK GDPR also applies

US (DPF Certified)

Data Privacy Framework + Executive Order 14086

For DPF participants only

US (other)

SCCs + TIA + additional safeguards

Schrems II compliant

China

SCCs + Chinese PIPL compliance

CAC security assessment

Switzerland

Adequacy decision

Separate Swiss data protection law

What risks do companies face? (What are the risks of non-compliance?)

GDPR fines of up to 4 percent of global turnover under Article 83 GDPR. Supervisory authorities (in the Netherlands, the Dutch Data Protection Authority) prioritize data transfer. Reputational damage in the event of detected violations. Operational disruption in the event of a transfer ban (e.g., no access to US SaaS tools). In the case of a client contract: indemnity claims. In the event of an internal audit or M&A: significant remediation costs.

Practical example from our practice (How did we arrange US cloud transfer?)

Musch Legal advised a Dutch fintech company with cloud infrastructure at AWS US East. Under Schrems II, there were insufficient SCCs. We assessed AWS DPF certification, performed a Transfer Impact Assessment, implemented encryption at rest and in transit as an additional technical safeguard, and concluded a DPA with AWS under new SCCs plus the DPF basis. Compliance status confirmed by the AP audit. Operational continuity ensured without cloud migration.

What can you do? (What steps are you taking?)

Inventory all international data transfers (data mapping). Assess the basis per recipient: adequacy decision, SCCs, DPF, or Article 49 exception. Perform a Transfer Impact Assessment for non-adequacy countries. Implement SCCs under Implementing Decision 2021/914 with DPA. Add technical safeguards (encryption, pseudonymization). Document everything for AP supervision. Engage Musch Legal for TIA package.

International privacy regulations for companies

Cybersecurity and contractual liability

IT contracts with foreign clients