← Full glossary

Third-country transfer

A transfer of personal data to countries outside the EU/EEA — for example when a company uses a US cloud service. The transfer requires a valid transfer mechanism under Chapter V of the GDPR: an adequacy decision from the European Commission (such as the EU-U.S. Data Privacy Framework), standard contractual clauses (SCCs) or binding corporate rules. Following the Schrems II ruling, the company must also assess whether the level of protection in the recipient country is genuinely adequate. Third-country transfers must appear in the Article 30 record and the privacy policy.