4.3 International Transfer Fundamentals (Ch. V)
Key Takeaways
- GDPR Chapter V (Articles 44-50) prohibits transfers to a third country or international organisation unless a valid transfer tool is in place
- A 'transfer' typically involves a controller or processor (exporter) making personal data available to a recipient (importer) outside the EEA; the EDPB reads it broadly
- Article 45 adequacy decisions let data flow freely to a country, territory, or sector the European Commission has found to ensure an essentially equivalent level of protection
- Onward transfers must remain protected, so an importer cannot defeat Chapter V by re-exporting data without safeguards
- Adequacy decisions are reviewed at least every four years and can be amended, suspended, or repealed if protection no longer holds
The Transfer Prohibition
Chapter V of the GDPR (Articles 44 to 50) governs transfers of personal data to third countries (outside the European Economic Area / EEA — the 27 EU states plus Iceland, Liechtenstein, and Norway) and to international organisations. The default rule in Article 44 (the "general principle for transfers") is a prohibition: a transfer may happen only if the exporter relies on a valid Chapter V transfer tool and complies with all the other GDPR obligations (lawful basis, principles, data subject rights).
The stated goal of Article 44 is that the high level of protection guaranteed inside the EEA is not undermined when data leaves it. Article 44 also makes clear these conditions apply to onward transfers — from the importer to a further recipient in another third country — so a chain of transfers each needs protection.
The exam tests Chapter V as a strict gatekeeping regime layered on top of, not instead of, the rest of the GDPR. A common trap: a transfer can have a perfectly good Article 6 lawful basis (say contract) and still be unlawful because no Chapter V tool covers it. Both questions — "is there a lawful basis?" and "is there a valid transfer tool?" — must be answered yes.
What Counts as a Transfer
The GDPR does not define "transfer," so the EDPB Guidelines 05/2021 set out three cumulative criteria for a restricted transfer:
- A controller or processor (the exporter) is subject to the GDPR for the relevant processing.
- The exporter discloses by transmission or otherwise makes personal data available to another controller, joint controller, or processor (the importer).
- The importer is in a third country or is an international organisation — regardless of whether the importer is itself subject to the GDPR (e.g., via Article 3(2)).
Remote access to EEA data from a third country (such as a support engineer abroad viewing EEA records) counts as making data available, and so does remote storage on servers located outside the EEA.
| Scenario | Restricted transfer? |
|---|---|
| EEA controller emails files to a US processor | Yes |
| Support staff in India remotely access EEA database | Yes |
| Data subject in the EEA voluntarily types data into a foreign website | No (no exporting controller/processor) |
| EEA company stores EU data on a server in Brazil | Yes |
The last row in this distinction is the classic exam point: a data subject directly entering their own data into a foreign service is not a restricted transfer, because there is no exporting controller or processor at criterion 1. The foreign importer may still be directly caught by Article 3(2), but Chapter V's transfer-tool requirement is not triggered by the individual's own act.
Article 45 Adequacy Decisions
The top of the transfer hierarchy is an Article 45 adequacy decision. The European Commission can decide that a third country, a territory, a specified sector within that country, or an international organisation ensures an essentially equivalent level of protection. Once adequacy exists, data can flow there without any additional safeguard or authorisation — exactly like a transfer within the EEA.
In assessing adequacy, Article 45(2) requires the Commission to weigh: the rule of law, respect for human rights and fundamental freedoms, relevant legislation (including on public security, defence, and government access to data), effective and enforceable data subject rights, independent supervisory authorities, and the country's international commitments.
Crucially, Schrems I (C-362/14, 2015) established that government surveillance and the availability of redress for EU individuals are part of the adequacy test, not just commercial privacy law — that ruling struck down the old Safe Harbor framework. This "essential equivalence" standard (not "identical") is what later doomed Privacy Shield in Schrems II.
Why It Matters on the Exam
Adequacy is the simplest lawful transfer route because it removes any need for SCCs, BCRs, or derogations. If a question states that a valid adequacy decision covers the specific transfer, the answer is almost always "no further Chapter V tool is needed." Watch for distractors that pile SCCs or consent on top of adequacy — those are unnecessary.
Examples and Review
The Commission has issued adequacy decisions for a defined list of countries and territories, including (among others) Andorra, Argentina, Canada (commercial organisations under PIPEDA), Switzerland, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, the Republic of Korea, the United Kingdom, Uruguay, and the United States (commercial organisations participating in the EU-US Data Privacy Framework).
| Adequacy nuance | Detail |
|---|---|
| Partial / sectoral | Canada covers commercial PIPEDA processing only |
| Conditional | Japan and South Korea include supplementary rules/binding commitments |
| US | Limited to DPF-certified organisations, not all US recipients |
| UK | Granted post-Brexit; subject to periodic review (extended) |
Key exam nuances under Article 45(3)-(5):
- Adequacy can be partial — limited to a sector or to specific safeguards (Canada's covers commercial PIPEDA processing, not public-sector data).
- The Commission must monitor developments and review each decision at least every four years, and must amend, suspend, or repeal it if the country no longer ensures adequate protection.
- An adequacy decision being struck down (as happened to Safe Harbor in 2015 and Privacy Shield in 2020) does not retroactively legalise past transfers; exporters must promptly move to another Chapter V tool such as SCCs. There is typically no automatic grace period once a decision is invalidated by the CJEU.
A controller in Germany wants to send customer data to a company in a third country that benefits from a European Commission adequacy decision covering that processing. What does the controller additionally need under Chapter V?
Which of the following is most clearly NOT a restricted international transfer under EDPB guidance?