4.4 Transfer Mechanisms & Safeguards
Key Takeaways
- When no adequacy decision exists, exporters can rely on Article 46 appropriate safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs)
- The Commission's 2021 modular SCCs replaced the old clauses; legacy clauses could no longer be used for new contracts after 27 September 2021 and not at all after 27 December 2022
- After Schrems II exporters must run a Transfer Impact Assessment (TIA) and add supplementary measures where third-country law undermines the safeguards
- Article 49 derogations (explicit consent, contract necessity, important public interest) are exceptions for occasional, non-systematic transfers, not a routine transfer tool
- The EU-US Data Privacy Framework adequacy decision (10 July 2023) survived the Latombe challenge at the EU General Court in September 2025 and remains valid in 2026
The Transfer Toolbox
When there is no adequacy decision, Chapter V offers a layered toolbox the exam expects you to apply in order:
| Tool | GDPR basis | Typical use |
|---|---|---|
| Adequacy decision | Article 45 | Country/territory/sector recognised as equivalent |
| Appropriate safeguards | Article 46 | SCCs, BCRs, approved codes, certification |
| Derogations | Article 49 | Occasional, specific situations only |
The sequence matters: check adequacy first; if none, look for an Article 46 appropriate safeguard; and only fall back on Article 49 derogations for genuinely exceptional, non-repetitive transfers.
Article 46 safeguards are broader than just SCCs and BCRs. The full menu includes: Standard Contractual Clauses adopted by the Commission (46(2)(c)) or by a supervisory authority (46(2)(d)); Binding Corporate Rules (Article 47); approved codes of conduct with binding enforceable commitments (46(2)(e)); approved certification mechanisms (46(2)(f)); and, with supervisory-authority authorisation, ad hoc contractual clauses (46(3)(a)) or provisions in administrative arrangements between public authorities (46(3)(b)).
For private-sector exam scenarios, SCCs are by far the most common right answer when adequacy is missing.
Article 46: SCCs and BCRs
Standard Contractual Clauses (SCCs) under Article 46(2)(c) are model data-protection contract terms adopted by the European Commission. The current 2021 SCCs (Commission Implementing Decision 2021/914, adopted 4 June 2021) are modular, covering four transfer scenarios in one document:
- Module 1: controller-to-controller;
- Module 2: controller-to-processor;
- Module 3: processor-to-processor;
- Module 4: processor-to-controller.
Key 2021 SCC Dates (frequently tested)
| Event | Date |
|---|---|
| New 2021 SCCs available | 27 June 2021 |
| Old SCCs no longer usable for new contracts | 27 September 2021 |
| Old SCCs invalid for existing contracts | 27 December 2022 |
The 2021 SCCs include a built-in docking clause (letting new parties join) and a "Schrems II clause" requiring parties to warrant they have no reason to believe local laws prevent the importer from meeting the clauses.
Binding Corporate Rules (BCRs) under Article 47 are internal, legally binding policies for transfers within a corporate group or group of enterprises engaged in a joint economic activity. They must contain the elements in Article 47(2) (data-protection principles, rights, complaint handling, liability allocation, audits) and must be approved by the competent supervisory authority through the EDPB consistency mechanism under Article 63. BCRs are powerful — they cover intra-group flows globally — but slow and expensive to obtain, which is why most companies still default to SCCs.
Schrems II and the Transfer Impact Assessment
In Schrems II (C-311/18, 16 July 2020) the CJEU invalidated the EU-US Privacy Shield but upheld the SCCs in principle, holding that SCCs remain valid only if the transferred data actually receives essentially equivalent protection in practice. That means exporters must evaluate the importer's local laws — especially government surveillance and intelligence access (the court cited US FISA Section 702 and Executive Order 12333) — and whether those laws would undermine the SCC guarantees.
This created the Transfer Impact Assessment (TIA) (also called a Transfer Risk Assessment), structured by EDPB Recommendations 01/2020 in six steps:
1. Map all your transfers (know your data flows).
2. Identify the Article 46 transfer tool you rely on.
3. Assess whether the third country's law or practice undermines the tool's effectiveness.
4. Adopt supplementary measures where needed — technical (strong end-to-end encryption with EEA-held keys, pseudonymisation, split processing), contractual (transparency, audit, challenge commitments), or organisational (policies, government-access logs).
5. Implement any procedural steps the SCCs require (e.g., notify the supervisory authority).
6. Re-evaluate at appropriate intervals.
Decisive exam point: if no supplementary measure can close the gap and bring protection up to essential equivalence, the transfer must not proceed on that tool — the exporter must suspend or end it. "We will just sign SCCs and ignore the surveillance risk" is always a wrong answer post-Schrems II.
Article 49 Derogations
Article 49 provides derogations for specific situations where neither adequacy nor an Article 46 safeguard is available. The main ones:
- Explicit consent to the proposed transfer after being informed of the possible risks — Article 49(1)(a);
- Contract necessity with the data subject, or pre-contractual steps at their request — Article 49(1)(b);
- A contract concluded in the data subject's interest — Article 49(1)(c);
- Important reasons of public interest — Article 49(1)(d);
- Establishment, exercise, or defence of legal claims — Article 49(1)(e);
- Protection of vital interests where the subject cannot consent — Article 49(1)(f);
- Transfer from a public register — Article 49(1)(g);
- A narrow "compelling legitimate interests" clause (49(1) second subparagraph) for non-repetitive transfers of a limited number of data subjects, with strict conditions and supervisory-authority notification.
The EDPB Guidelines 2/2018 stress these must be interpreted restrictively: most are for occasional and non-repetitive transfers, and consent must be explicit, specific, and informed of the risks of transferring to a country lacking adequacy or safeguards.
Classic trap: using consent or contract necessity to justify a continuous, structural, mass data flow (such as routinely hosting all customer data with a third-country vendor) is wrong — derogations cannot become the standard transfer route. For repetitive operational transfers, the answer is adequacy or an Article 46 tool, not Article 49.
The EU-US Data Privacy Framework (2026 Status)
Following Schrems II, the Commission adopted a new adequacy decision for the EU-US Data Privacy Framework (DPF) on 10 July 2023. US organisations that self-certify to the US Department of Commerce and publicly commit to the DPF Principles are treated as adequate, so EEA exporters need no additional Article 46 tool for transfers to a DPF-certified recipient. The same self-certification underpins the UK Extension to the DPF and the Swiss-US DPF.
The DPF addressed the surveillance concerns that sank Privacy Shield through US Executive Order 14086 (October 2022), which introduced necessity and proportionality limits on signals intelligence and a two-layer redress mechanism: the Civil Liberties Protection Officer of the ODNI and a newly created Data Protection Review Court (DPRC).
Litigation status (verify before exam day)
- The DPF was challenged by French MP Philippe Latombe. On 3 September 2025 the EU General Court dismissed the challenge and upheld the adequacy decision, finding the DPRC sufficiently independent and US bulk-collection limits adequate.
- Latombe appealed to the Court of Justice (Case C-703/25 P); as of 2026 the appeal is pending on points of law, and the DPF remains in force.
Where a US importer is not DPF-certified (or the recipient sector is outside DPF scope, e.g., banking), the exporter falls back to SCCs or BCRs plus a TIA and any needed supplementary measures.
An EEA company transfers data to a US vendor that is NOT certified under the EU-US Data Privacy Framework. Which approach is the most appropriate compliant route in 2026?
What did the CJEU decide about Standard Contractual Clauses in Schrems II?