GDPR International Data Transfers Template
Compliance checklist for lawful transfers of personal data to third countries under GDPR Chapter V, covering adequacy decisions, SCCs, BCRs, and derogations.
Quick Answer
GDPR Chapter V requires a transfer mechanism for every export of personal data outside the EEA: adequacy decisions for approved countries, Standard Contractual Clauses plus a Transfer Impact Assessment elsewhere, or Binding Corporate Rules for intra-group flows.
Compliance Checklist (8 items)
Penalty if not compliant
Up to €20 million or 4% of global annual turnover; supervisory authorities can order suspension of transfers.
Frequently Asked Questions
Is the US adequate for GDPR personal data transfers?
Partially. Under the EU-US Data Privacy Framework (DPF), US organisations that self-certify are deemed adequate. Transfers to non-DPF US organisations still require SCCs plus a Transfer Impact Assessment.
What is a Transfer Impact Assessment (TIA)?
A TIA evaluates whether the legal framework and surveillance laws of the destination country undermine the protections provided by the SCCs. Required since the Schrems II ruling for all SCC-reliant transfers.
Does the UK post-Brexit count as a third country for GDPR purposes?
Yes. The UK has an EU adequacy decision (valid until June 2025 with renewal in progress — check current status). Even so, UK GDPR requires separate compliance for data received into the UK from the EEA.
Need this turned into a real document?
Our compliance sprint service delivers production-ready documents tailored to your organisation in 5–15 business days. A senior compliance specialist reviews every document before delivery.