SimpleAct Logo
GDPR · Art. 44–49

Third-Country Transfers & Standard Contractual Clauses

As soon as personal data leaves the EU – for example via US cloud services – special requirements under Chapter V of the GDPR apply. SimpleAct documents transfers, safeguards and transfer impact assessments in one place.

Start for free View GDPR compliance

What is a third-country transfer?

A third-country transfer occurs when personal data is transferred to a country outside the EU/EEA or to an international organisation. In practice this affects almost every company that uses common cloud, marketing or analytics tools from US providers. Under Art. 44 et seq. GDPR, such a transfer is only permitted if an adequate level of data protection is ensured through appropriate safeguards.

Permitted transfer mechanisms

Adequacy decision (Art. 45)
For countries with a recognised adequate level of protection – e.g. via the EU-US Data Privacy Framework for certified US companies.
Standard Contractual Clauses (Art. 46)
The SCC provided by the EU Commission are the most common instrument for transfers to countries without an adequacy decision.
Transfer Impact Assessment
In addition to the SCC, you must assess whether the law of the destination country undermines the level of protection in practice – and whether supplementary measures are needed.
Binding Corporate Rules (Art. 47)
Binding internal data protection rules for transfers within a group of companies, approved by the supervisory authority.

Secure third-country transfers under the GDPR

  • Identify and record all data flows to third countries
  • Define the appropriate mechanism per transfer (SCC, adequacy …)
  • Conclude and version the standard contractual clauses
  • Carry out and document a transfer impact assessment (TIA)
  • Define required supplementary measures (e.g. encryption)
  • Note transfers in the records of processing
  • Review mechanisms regularly to keep them up to date

Frequently asked questions about third-country transfers

Is using US cloud services allowed?

Yes, if a valid transfer mechanism applies. US providers certified under the EU-US Data Privacy Framework benefit from an adequacy decision; otherwise SCC plus a TIA are required.

What are Standard Contractual Clauses (SCC)?

Pre-formulated contractual clauses provided by the EU Commission that contractually ensure an adequate level of protection. They must be adopted unchanged and supplemented with specific details.

Do I need a TIA in addition to SCC?

Usually yes. Since the Schrems II ruling, you must assess whether the law of the destination country effectively undermines the safeguards of the SCC – and whether supplementary measures are needed.

Does remote access already count as a transfer?

Yes. Even access to data stored in the EU from a third country – for example by a support provider – is considered a transfer within the meaning of the GDPR.

Manage third-country transfers with SimpleAct

Document transfers, standard contractual clauses and transfer impact assessments centrally – ready to respond to supervisory authorities.

Start for free

Related topics

GDPR complianceData Protection Impact AssessmentRecords of ProcessingGDPR module
Yannick Heisler

Yannick Heisler

Sales · Personal consultation

Third-Country Transfers & Standard Contractual Clauses (GDPR) | SimpleAct | SimpleAct