Key Takeaways
- Transfers of personal data outside the EEA still require one of three things: an adequacy decision, appropriate safeguards under Article 46 (most commonly SCCs), or a narrow derogation under Article 49.
- The EU-U.S. Data Privacy Framework (DPF), adopted by the European Commission on 10 July 2023, is the current adequacy route for US transfers. It survived its first legal challenge when the EU General Court dismissed the Latombe case on 3 September 2025 — but the decision may still be appealed to the Court of Justice of the EU.
- The current Standard Contractual Clauses (SCCs) come from Commission Implementing Decision 2021/914 (4 June 2021). All existing pre-2021 contracts had to be migrated by 27 December 2022.
- Every organisation relying on SCCs (or other Article 46 tools) must document a Transfer Impact Assessment (TIA) — this is not optional. The EDPB Recommendations 01/2020 set out the six-step methodology.
- For most eCommerce and SaaS teams, the biggest compliance gap is not choosing the right mechanism — it is keeping the TIA current when vendors change, laws change, or the DPF's legal status shifts.
Introduction
If you sell to EU customers, use a US-based CRM, run analytics on a non-EEA cloud, or let a Southeast Asian support agency see customer data, you are making an international transfer under the GDPR. Chapter V of the regulation treats these transfers as a distinct compliance surface, and it has been the most litigated area of the GDPR in the past decade.
After Schrems II in July 2020, the old EU-US Privacy Shield fell. The replacement — the EU-U.S. Data Privacy Framework — has been in force since July 2023, survived a first challenge in September 2025, and is widely expected to face a broader "Schrems III" challenge in due course. Meanwhile, Standard Contractual Clauses remain the workhorse for the rest of the world, and they come with a Transfer Impact Assessment obligation that many teams still underestimate.
This guide is a current, verified playbook. It walks through the three legal routes, the two most important documents (the DPF certification check and the TIA), and a concrete checklist for eCommerce and SaaS teams in 2026.
This article is informational content, not legal advice. For organisation-specific guidance, consult a qualified legal professional.
The Three Transfer Routes Under GDPR
Chapter V of the GDPR sets out a strict hierarchy. A transfer outside the EEA is lawful only when it is covered by:
| Route | Article | Typical use |
|---|---|---|
| Adequacy decision | Art. 45 | Transfer to a country or framework the European Commission has formally recognised (e.g., UK, Japan, Switzerland, DPF-certified US entities) |
| Appropriate safeguards | Art. 46 | SCCs, Binding Corporate Rules, approved codes of conduct or certifications |
| Derogations | Art. 49 | Explicit consent, contract performance, important reasons of public interest — narrow and exceptional |
Most commercial transfers run on adequacy or SCCs. Derogations are genuinely exceptional: the EDPB has repeatedly reminded controllers that Article 49 cannot be used as a routine fallback for regular, structured data flows.
The EU-U.S. Data Privacy Framework: Where It Stands in 2026
The DPF was adopted by the European Commission on 10 July 2023 (Implementing Decision (EU) 2023/1795). It replaced Privacy Shield, which had been struck down in Schrems II because of US surveillance law and the absence of effective redress for EU data subjects.
What the DPF covers
The DPF is an adequacy decision — but a partial one. It only covers transfers to US organisations that have:
- Self-certified to the DPF programme administered by the US Department of Commerce, and
- Committed to the DPF Principles (notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, recourse, enforcement and liability).
If your US vendor is not on the Data Privacy Framework List at dataprivacyframework.gov, the DPF does not help you. You fall back to SCCs + a TIA.
The Latombe challenge (September 2025)
In September 2025, the European General Court — the first-instance EU court — dismissed a challenge brought by French Member of Parliament Philippe Latombe seeking to annul the DPF. The Court found that, based on the facts and law as they stood at the time of the Commission's adequacy determination in July 2023, the DPF provided an adequate level of protection.
Two things are worth emphasising about this ruling:
- It is appealable. The Latombe judgment may be appealed to the Court of Justice of the EU (CJEU) within two months of notification. Until any such appeal is concluded, the DPF remains valid.
- The Court limited its own scope. The General Court judged the DPF against the facts at the time of adoption in July 2023, which means developments in US oversight practices after that date were not considered. Commentary from law firms including DLA Piper and Freshfields has noted that a future, broader challenge — often called "Schrems III" — is likely, and it would probably include post-2023 developments.
What this means in practice
For now, the DPF works. You can transfer personal data to DPF-certified US entities without SCCs or a TIA. But the DPF is less stable than a classic adequacy decision — such as the UK or Switzerland — and the prudent approach is:
- Verify certification on every US vendor, at onboarding and at annual review. Certification can lapse.
- Keep SCCs as a backup. Many organisations keep SCCs in their vendor contracts alongside the DPF notice, so that an adverse CJEU ruling does not leave the transfer unlawful overnight.
- Monitor the CJEU. If Latombe is appealed, or a separate NOYB action lands, the timeline for replacing the DPF could compress quickly.
Standard Contractual Clauses: The Workhorse
For transfers outside the DPF — to the US outside certified entities, or to any other non-adequate country such as India, the Philippines, or Brazil — Standard Contractual Clauses from Commission Implementing Decision 2021/914 are the primary route. These are not the old 2001/2010 clauses; those were deprecated and could not lawfully be used for new contracts after 27 September 2021, with all existing contracts required to migrate by 27 December 2022.
The 2021/914 clauses use a modular structure:
- Module 1: controller to controller
- Module 2: controller to processor
- Module 3: processor to processor
- Module 4: processor to controller
Choosing the wrong module is a common mistake. A SaaS vendor acting as a processor for a retailer that transfers data onward to a sub-processor should typically use Module 3 — not Module 2.
The SCCs also require Annex I (parties and transfer details), Annex II (technical and organisational measures) and Annex III (sub-processors, where relevant) to be filled in. A signed SCC template with blank annexes is not a completed SCC.
The Transfer Impact Assessment: The Step People Skip
This is the part most teams underestimate. The SCCs themselves — specifically Clause 14 — require that the exporter and importer have assessed whether the laws and practices of the importer's country prevent the importer from complying with the SCCs. That assessment is the Transfer Impact Assessment.
The EDPB Recommendations 01/2020 (final version adopted 18 June 2021, following Schrems II) describe a six-step methodology:
- Know your transfers. Map every transfer — what data, to whom, where, and why. You cannot assess what you have not mapped.
- Identify the transfer tool you rely on (adequacy, SCCs, BCRs, etc.).
- Assess whether the tool is effective in the importer country's legal context. In particular, whether the importer can be compelled to hand over the data to local public authorities in ways that conflict with EU law.
- Adopt supplementary measures where the tool alone is not effective. These can be technical (end-to-end encryption, pseudonymisation, split-key architectures), contractual (notification of requests, transparency reports), or organisational (internal policies, data minimisation, staff training).
- Take procedural steps — for example, notify your supervisory authority if you rely on derogations, or update the contract if new supplementary measures change the scope.
- Re-evaluate at regular intervals. The TIA is not a one-off artefact. Laws change. Vendors change. You are expected to revisit it.
A TIA is not a five-minute form. For a typical US processor outside the DPF, the analysis needs to touch on Section 702 of FISA, Executive Order 12333, and the availability of redress — and whether your supplementary measures neutralise those risks for the specific data you send.
The Practical 2026 Checklist
For an eCommerce or SaaS team, the realistic annual workflow looks like this.
Step 1: Build and maintain a transfer register
List every vendor, sub-processor, and intra-group entity that processes personal data outside the EEA. For each row, capture: categories of data, categories of data subjects, purposes, legal entity location, transfer mechanism (DPF / SCCs / adequacy / BCRs / derogation), and date of last review. This register is the foundation for everything that follows and maps cleanly to your [Record of Processing Activities](/resources/blog/data-mapping-101-how-to-build-a-record-of-processing-activities).
Step 2: Segment by mechanism
- Adequacy countries (UK, Switzerland, Japan, Korea, Israel, New Zealand, Argentina, Canada-commercial, Andorra, Faroe Islands, Guernsey, Isle of Man, Jersey, Uruguay) — no additional mechanism required for the transfer itself, but your GDPR obligations still apply in full.
- US DPF-certified entities — verify on the official DPF List, re-check at least annually, keep SCCs as a contractual backup.
- Everything else — SCCs + TIA.
Step 3: Execute or refresh SCCs with correct modules
Where you rely on SCCs, check that each contract uses the correct module and has all three annexes filled in. Pre-2021 legacy SCCs are no longer valid; if you still see them, that is a priority fix.
Step 4: Run a real TIA for each non-adequate destination
Work through the EDPB's six steps for each destination country. Where the risk analysis does not clear, add supplementary measures — typically end-to-end encryption, pseudonymisation, or data minimisation at source.
Step 5: Review privacy notice and DPA updates
Your customer-facing privacy notice should disclose the categories of recipients and the safeguards in place (adequacy, SCCs, etc.) — this is an Articles 13/14 obligation, not just good practice. Your DPAs with customers should reflect the same.
Step 6: Set a recurring review date
Put a calendar event on for at least an annual review of the transfer register and all TIAs — and a shorter trigger if significant legal events occur (new CJEU ruling, adequacy change, major vendor change). A TIA that was written in 2023 and has not been touched since is a TIA that a supervisory authority will challenge.
Common Mistakes to Avoid
- Treating DPF certification as permanent. Certification is annual and can lapse or be withdrawn. Check each year.
- Using Article 49 derogations as default. Consent or contract necessity are narrow bases for transfers, not routine ones. The EDPB has been explicit about this.
- Signing SCCs without annexes. Blank Annex II (technical and organisational measures) is a consistent audit finding.
- No TIA, or a TIA that is a single page. A real TIA addresses the third-country legal regime, your specific data, and the supplementary measures that close the gap.
- Assuming intra-group transfers are safe. A transfer from your EU entity to your US parent is still an international transfer and still needs a mechanism — typically intra-group SCCs or Binding Corporate Rules.
- Forgetting onward transfers. When your US processor uses an Indian sub-processor, the onward transfer still needs a lawful basis.
How PrivacyForge Helps
PrivacyForge's vendor management and data mapping tooling is designed to make transfer compliance a continuous workflow rather than a one-off annual scramble:
- Vendor register with transfer metadata — every processor and sub-processor captured with its country, mechanism (DPF / SCCs / adequacy), DPF certification status where relevant, and review date.
- TIA templates aligned to EDPB Recommendations 01/2020 — six-step workflow per destination country, with re-review reminders.
- SCC module picker — contract workflow that guides you to the right module (controller-controller, controller-processor, processor-processor, processor-controller) and prompts for the required annexes.
- Privacy notice sync — the recipients and safeguards section of your customer-facing privacy notice kept in step with the transfer register automatically.
- Alerts on regulatory change — when adequacy decisions change, or the DPF status shifts, your active transfers are flagged.
For teams still mapping where their data actually goes, our [data mapping guide](/resources/blog/data-mapping-101-how-to-build-a-record-of-processing-activities) is the natural first step. If you want a fast read on your current compliance posture, the free [compliance scan](/scan) covers transfers alongside consent, DSARs, and AI governance.
Conclusion
International transfers are the area where GDPR enforcement has been most visible and most expensive, and the legal ground continues to shift. The DPF has held in its first court challenge but will not be the last case. SCCs remain the steady workhorse, but only when paired with a real Transfer Impact Assessment and kept current as vendors and laws change.
There is no secret to getting this right. A complete transfer register, the correct mechanism for each flow, a documented TIA for every non-adequate destination, and a recurring review date — that is the whole job. Start with the register, and the rest follows.