Checklist: Making an international transfer of personal data under the GDPR (EU)

Updated as of: 11 February 2025

Introduction

This checklist provides guidance to in-house counsel and private practitioners on assessing whether a transfer of personal data is a restricted transfer and how to make such a restricted transfer in accordance with Regulation (EU) 2016/679 – General Data Protection Regulation (EU GDPR). The checklist can also be used to assist in-house counsel and private practitioners when advising internal or external clients on these issues.

This checklist is EU-focused and reflects the requirements of the EU GDPR and covers:

  • general requirements under the EU GDPR; and
  • the European Data Protection Board (EDPB) and, where relevant, EU member states’ supervisory authorities’ interpretation of such EU GDPR requirements.

The checklist addresses the following steps:

  1. Consider whether you are making a restricted transfer of personal data
  2. Consider whether your aims can be achieved without transferring personal data outside the European Economic Area (EEA)
  3. Address the requirements for how to make a restricted transfer according to the EU GDPR.

In this checklist repeated references are made to the ‘EEA’ since the EU GDPR applies to not only all 27 member states of the European Union, but also to all member countries of the EEA. The EEA is an area larger than the EU and includes Iceland, Norway and Liechtenstein. 

The legal basis for the applicability and enforceability of the EU GDPR in the EEA is based on an international agreement known as the Agreement on the EEA made in 1992 that brought EU member states and Iceland, Norway and Liechtenstein into a single market. The purpose of this agreement is to strengthen trade and economic relations among the countries by removing trade barriers and imposing equal conditions of competition and compliance with the same rules. The EU GDPR was among a number of EU legal acts incorporated into the EEA Agreement by the EEA Joint Committee during July 2018. When the national legislation in the EEA countries was subsequently amended to incorporate the EU GDPR, the law became applicable throughout the EEA. As a result, for international personal data transfers subject to the EU GDPR, it is more appropriate to consider the compliance requirements for the EEA rather than just the EU.

This checklist does not cover transfers governed by any local EEA data protection law requirements or interpretation of the EU GDPR by EEA data protection regulators (unless essential for the understanding of the EU regime).

The checklist is presented as a list of questions and divided into several key areas of focus, with explanatory notes at the end.

Key definitions, such as ‘controller’, ‘processor’, ‘data subject’, ‘personal data’ and ‘processing’ are further explained in How-to guide: Understanding key data protection definitions.

This checklist is designed to be used in conjunction with the following How-to guide: How to transfer personal data lawfully outside the European Economic Area, which provides a more in-depth view on how personal data transfers can lawfully be made outside the EEA.

Step 1 – Consider whether you are making a restricted transfer of personal data

1.1 Requirement: Does the EU GDPR apply to your processing of the personal data that you intend to transfer?
    Response: Yes/No
    Outcome:
      • If yes, you may be making a restricted transfer – go to Step 1.2.
      • If no, you are not making a restricted transfer.

1.2 Requirement: Are you agreeing to send personal data, or make it accessible, to a receiving entity located in a country outside the EEA?
    Response: Yes/No
    Outcome:
      • If yes, you may be making a restricted transfer – go to Step 1.3.
      • If no, you are not making a restricted transfer.

1.3 Requirement: Is the receiver of personal data legally distinct from you in that it is a separate company, organisation or individual?
    Response: Yes/No
    Outcome:
      • If yes, you may be making a restricted transfer – go to Step 2.
      • If no, you are not making a restricted transfer.

Step 2 – Consider whether your aims can be achieved without transferring personal data outside the European Economic Area (EEA)

2.1 Requirement: Can you achieve your aims without transferring personal data outside the EEA?
    Response: Yes/No
    Outcome:
      • If yes, do not proceed with the personal data transfer, if possible.
      • If no, consider further steps that you can take to protect the data being transferred – go to Step 2.2.

2.2 Requirement: Can you achieve your aims by (fully and irreversibly) anonymising personal data before making the transfer?
    Response: Yes/No
    Outcome:
      • If yes, anonymise the data and proceed with the transfer without further protections being needed.
      • If no, address the requirements for restricted transfers – go to Step 3.

Step 3 – Address the requirements for how to make a restricted transfer according to the EU GDPR

If you have determined that a restricted transfer is to be made (according to Step 1 above) and that your aims cannot be achieved without transferring personal data or by anonymising personal data (see Step 2 above), your next step should be to make your restricted transfer compliant with the EU GDPR.

This section includes the requirements you will need to address in order to make the proposed restricted transfer of personal data compliant with the EU GDPR.

3.1 Question: Is your personal data transfer covered by adequacy regulations?
    Response: Yes/No
    Outcome:
      • If yes, you may make a restricted transfer if the data importer is in a third country or territory or is an international organisation considered ‘adequate’ under EU adequacy regulations.
      • If no, you will need to consider other options – go to Step 3.2.

3.2 Question: Are you considering using appropriate safeguards for your personal data transfer?
    Response: Yes/No
    Outcome:
      • If yes, ensure that you meet the requirements for using the appropriate safeguard to perform the restricted transfer, including performing a transfer risk assessment – go to Step 3.3.
      • If no, and if you are not envisaging relying on an appropriate safeguard for your transfer, go to Step 3.4.

3.3 Question: Have you undertaken a transfer risk assessment (TRA)?
    Response: Yes/No
    Outcome:
      • If yes, and if the results of your TRA allow the restricted transfer, you may rely on an appropriate safeguard to make the restricted transfer.
      • If the results of your TRA do not allow the restricted transfer, go to Step 3.4.
      • If no, and you intend to rely on an appropriate safeguard, carry out a TRA.
      • If you are not envisaging relying on an appropriate safeguard for your transfer, a TRA is not required – go to Step 3.4.

3.4 Question: Is the restricted transfer covered by a derogation/exception?
    Response: Yes/No
    Outcome:
      • If yes, you may rely on that derogation or exception to perform the restricted transfer (noting that these are generally not available for routine transfers).
      • If no, you cannot make the restricted personal data transfer.

Explanatory notes

Legal framework

For the purposes of this guidance, we refer to the organisation sending data outside the EEA as the ‘data exporter’ or ‘exporter’ and the party receiving the data from the EEA as the ‘data importer’ or ‘importer’.

The EU GDPR does not provide a legal definition of a ‘transfer’ or a ‘restricted transfer’ of personal data to a third country or to an international organisation. ‘Transfer’ is interpreted broadly to refer to a disclosure of personal data or where the personal data is made available in some other way (see Step 1.2 below).

The EDPB has provided guidance on the requirement on restricted transfers in its Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR.

The EDPB has also provided draft Guidelines 02/2024 on Article 48 GDPR for consultation (closed 27 January 2025) regarding third-party requests for disclosure of, or access to, personal data.

Step 1 – Consider whether you are making a restricted transfer of personal data

This section includes details about what a restricted transfer is and some examples on how to recognise when you are making a restricted transfer.

1.1 Does the EU GDPR apply to your processing of the personal data that you intend to transfer?

The scope of the EU data protection framework is set out in articles 2 (material scope) and 3 (territorial scope) of the EU GDPR. If the data exporter is in the EEA, then the EU GDPR will apply to them and any restricted transfers that they make.

In some cases, the EU GDPR can apply to a controller or processor located outside the EEA (eg, if they are located outside the EEA but ‘target’ data subjects located in the EEA – also known as the ‘targeting criterion’ under article 3(2) of the EU GDPR). The ‘targeting criterion’ makes the EU GDPR applicable to the processing of the personal data of data subjects who are in the EU, by a controller or processor not established in the EU, where the processing activities relate to:

  • the offering of goods or services to data subjects in the EU; or
  • the monitoring of their behaviour as far as their behaviour takes place within the EU.

If a processor or controller not established in the EEA is subject to the EU GDPR under the targeting criterion, the requirements regarding restricted transfers will apply to transfers that they make in the same country or to another third country. For example, if a controller or processor located in Australia processes the personal data of EEA data subjects under the targeting criterion established by article 3(2) of the EU GDPR, any transfer of that data either within Australia or to any other third country will be subject to the EU GDPR.

1.2 Are you agreeing to send personal data, or make it accessible, to a receiving entity located in a country outside the EEA or to an international organisation?

A ‘transfer’ can refer to any type of disclosure of personal data or where the personal data is made available or accessible in some other way. A restricted transfer therefore takes place when a person who is part of a legally distinct controller or processor and is located outside the EEA accesses in any way the personal data on another (separate) entity’s system or via a website.

For example, personal data can be ‘made available’ by:

  • creating an account on a website or platform;
  • putting personal data on a website;
  • granting access rights to an existing account;
  • confirming or accepting a request to remotely access the personal data;
  • embedding a hard drive; or
  • submitting a password to a file.

Other common situations encountered in practice that are also considered to be restricted transfers from an EU GDPR perspective are:

  • remotely accessing personal data from a third country – for example, by displaying personal data on a screen, such as for the purposes of support services, troubleshooting or administration; or
  • storing personal data in a cloud environment (either owned by the data exporter or provided by a third-party service provider) hosted on servers outside the EEA.

1.3 Is the receiver of personal data legally distinct from you in that it is a separate company, organisation or individual?

The exporter and importer must be separate legal entities. They can be either sole traders, partnerships, companies, public authorities or other types of organisations. Transfers occurring between separate entities within the same corporate group may also be restricted transfers.

However, sending personal data within the same legal entity (eg, sending personal data to an employee of the same entity or between branches or offices that do not have a separate legal personality) will not qualify as a restricted transfer.

See How-to guide: How to transfer personal data lawfully outside the European Economic Area for more details.

Step 2 – Consider whether your aims can be achieved without transferring personal data outside the European Economic Area (EEA)

Before making a restricted transfer, you should consider if your objectives can still be met without actually transferring personal data. This can ensure that you can still achieve the same aims without needing to comply with EU GDPR rules on personal data transfers.

For example, consider if you can achieve the same result by making the data fully anonymous. Fully and irreversibly anonymised data is not personal data to which the EU GDPR applies. If this is the case, then the transfer restrictions do not apply, and you are free to transfer the anonymised data outside the EEA.

For more details on anonymisation, please review the Guidance Note on anonymisation and pseudonymisation published by Ireland’s supervisory authority (the Data Protection Commission).

Step 3 – Address the requirements for how to make a restricted transfer according to the EU GDPR

Chapter V of the EU GDPR sets out the different mechanisms (or ‘appropriate safeguards’) available to data controllers and processors which permit restricted transfers to be carried out lawfully.

To lawfully transfer personal data outside the EEA, the data exporter must:

Chapter V of the EU GDPR sets out a hierarchical approach for the various safeguards. It is designed to ensure that data subjects’ rights are protected when their personal data leaves the EEA. Details about these different mechanisms are set out below. See How-to guide: How to transfer personal data lawfully outside the European Economic Area for more details.

3.1 Is your personal data transfer covered by adequacy regulations?

If a country to which data is being transferred is the subject of adequacy decisions issued by the European Commission, then the envisaged transfer will not be restricted and can be made freely. In this case, such a transfer will take place in compliance with Chapter V requirements on international data transfers.

As of the date of this checklist, the European Commission has issued adequacy decisions in relation to:

  • Andorra;
  • Argentina;
  • Canada (this only covers data that is subject to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA));
  • Faroe Islands;
  • Guernsey;
  • Israel;
  • Isle of Man;
  • Japan;
  • Jersey;
  • New Zealand;
  • Republic of (South) Korea;
  • Switzerland;
  • United Kingdom;
  • United States (commercial organisations participating in the EU-US Data Privacy Framework); and
  • Uruguay.

3.2 Are you considering using appropriate safeguards for your personal data transfer?

If no European Commission adequacy decision is in place for the country or territory where the personal data is intended to be transferred, the restricted transfer can be made subject to ‘appropriate safeguards’.

Article 46 of the EU GDPR lists the transfer mechanisms that can be used for performing restricted transfers. Each mechanism ensures that both the transferor and the receiver of the restricted transfer are legally required to protect people’s rights and freedoms in connection with their personal data. Each transfer mechanism is explained below.

A transfer risk assessment will usually need to be undertaken to support the relevant appropriate safeguard (see Step 3.3 below). If none of the listed transfer mechanisms can be relied on, derogations need to be considered instead (see Step 3.4 below).

3.2.1 Standard contractual clauses

Standard contractual clauses (SCCs) are standardised and pre-approved model data protection clauses that allow controllers and processors to transfer personal data to a third country. They remain the most widely used article 46 appropriate safeguard. References to SCCs in this checklist are to the SCCs issued by the European Commission in June 2021 (the New EU SCCs), which replaced the SCCs approved between 2001 and 2010 under Directive (EC) 95/46 – Data Protection Directive (the Legacy EU SCCs).

The use of Legacy EU SCCs was phased out over a period of time – new transfer arrangements relying on SCCs have been required to use the New EU SCCs since 27 September 2021 and transfer agreements relying on SCCs entered into before 27 September 2021 were granted a transition period until 27 December 2022 to switch to the New EU SCCs (ie, replace the Legacy EU SCCs with the New EU SCCs, including the annexes).

3.2.2 Binding corporate rules

In an EU context, binding corporate rules (BCRs) are legally binding internal organisational rules relied on by EU-based organisations (acting as either controller or processor) in order to perform restricted transfers. BCRs for organisations established in the EU can be used by a group of undertakings (ie, a controlling undertaking and its controlled undertakings, more commonly known as a corporate group) or a group of enterprises (ie, a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity) if:

  • both the exporter and the importer have signed up to the same BCRs; and
  • in order to ensure that data subjects’ rights are enforceable, the organisation submits BCRs for approval to the appropriate competent data protection authority in a member state of the EU. The authority will approve the BCRs in accordance with the consistency mechanism set out in article 63 of the EU GDPR. This procedure may necessarily involve several data protection authorities where a corporate group applying for approval of its BCRs has entities in more than one EU member state. 

The BCRs’ purpose is that an adequate level of protection is afforded when personal data is transferred across jurisdictions between members of a corporate group, or groups of enterprises engaged in joint activity.

The concept of using BCRs to provide adequate safeguards for making restricted transfers was developed under EU law.

Prior to effecting any restricted transfers to high-risk countries (meaning countries that are not considered adequate under EU data protection rules) under BCRs, a transfer risk assessment (see Step 3.3 below) will need to be conducted.

3.2.3 Other transfer mechanisms

The following alternative transfer mechanisms may also be available.

Codes of conduct

Under article 40 of the EU GDPR, relevant data protection regulators and EU bodies encourage the drawing up of codes of conduct to contribute to the proper application of the EU GDPR, taking account of the specific features of the various processing sectors and the needs of micro, small and medium-sized enterprises.

Trade associations and representative bodies take the lead on developing and monitoring compliance with codes of conduct. A specific approval process is involved, as set out in article 40. Codes of conduct are voluntary sets of rules that assist members of that code with data protection compliance and accountability in specific sectors or relating to particular processing operations.

Codes of conduct can be either ‘national codes’ (which cover processing activities in a particular jurisdiction) or ‘transnational codes’ (which cover processing activities in more than one member state). The EDPB and supervisory authorities encourage the creation of codes of conduct by actively engaging with sectors to promote the development and uptake of codes where the sector would benefit. To date, a limited number of codes of conduct have been approved.

Adherence to codes of conduct can also be used as part of demonstrating compliance (articles 24(3) (technical and organisational measures) and 25(3) (data protection by design and by default) of the EU GDPR). The EDPB has published guidelines on codes of conduct.

Certifications

Under article 41 of the EU GDPR, relevant data protection regulators and EU bodies encourage the establishment of data protection certification mechanisms and data protection seals and marks to demonstrate compliance with the EU GDPR of processing operations by controllers and processors. The specific needs of micro, small and medium-sized enterprises must be considered.

During 2022, the EDPB adopted an opinion on the approval of the Europrivacy certification criteria submitted by the Luxembourg data protection authority. This was the first such certification approved by the EDPB. Under the certification scheme, Europrivacy enables organisations to assess and certify the compliance of their data processing with the EU GDPR and complementary national data protection laws. Adherence to approved certification mechanisms can also be used as part of demonstrating compliance (articles 24(3) (technical and organisational measures) and 25(3) (data protection by design and by default) of the EU GDPR).

The EDPB has also provided Guidelines on Certification as a Tool for Transfers. These provide guidance regarding article 46(2)(f) of the EU GDPR on transfers of personal data to third countries on the basis of certification.

EU member state supervisory authority-approved bespoke contractual clauses

A transfer risk assessment may also need to be performed prior to concluding the contract, but this will depend on the specific transfer, the content of the contract and any conditions imposed as part of the relevant member state supervisory authority’s approval.

These are explained in more detail in How-to guide: How to transfer personal data lawfully outside the European Economic Area.

EU member state supervisory authority-approved administrative arrangements between public bodies

These are explained in more detail in How-to guide: How to transfer personal data lawfully outside the European Economic Area.

3.3 Have you undertaken a transfer risk assessment (TRA)?

To support your reliance on an appropriate safeguard to make a restricted transfer, you must undertake a TRA, which considers the protections contained in your selected safeguard and the protection afforded to data subjects in the destination country.

If the risk assessment concludes that the envisaged transfer mechanism does not provide the required level of protection, additional steps and protections (such as technical and organisational measures) have to be put in place before making the transfer so that it does provide the required level of protection. Where, even with those additional protections in place, there is no ‘essential equivalence’ with the EU GDPR and such measures are insufficient to compensate for the inadequacies in the data importer’s regulatory framework and surveillance practices, the transfer cannot proceed.

The EDPB provides helpful guidance on TRAs that can be used as a mechanism to carry out an assessment.

See How-to guide: How to transfer personal data lawfully outside the European Economic Area for more details.

3.4 Is the restricted transfer covered by a derogation/exception?

If none of the above appropriate safeguard options are available, the data exporter must consider whether one of the specific exemptions or derogations listed in article 49(1) of the EU GDPR can be applied.

The specific circumstances of the transfer will need to be considered in detail to decide which (if any) derogations may apply to your transfer scenario. Note that, because many derogations cannot be used for regular or frequent transfers or are subject to restrictive conditions, they are rarely relied on in practice.

The derogations/exceptions are listed below:

  • The data subject gives valid explicit consent, which must be both specific and informed.
  • The transfer is necessary for the performance of a contract between the data subject and the data exporter, or is necessary as a pre-contractual step to enter into the contract.
  • The transfer is necessary for the performance of a contract made in the interests of the data subject between the controller of the data (usually the data exporter) and another natural or legal person.
  • The transfer is necessary for important reasons of public interest (with a basis in EU law).
  • The transfer is necessary for the establishment of legal claims, to make a legal claim or to defend a legal claim. However, the exception can only be used for occasional restricted transfers. The claim will need to have a basis in law and a formally legally defined process. A legal claim will be interpreted widely to include:
      • all judicial legal claims, in civil and criminal law; and
      • administrative or regulatory procedures, such as to defend an investigation (or potential investigation) in competition law or financial services regulation, or to seek approval for a merger.
  • The transfer is necessary for the vital interests of an individual (where the data subject is physically or legally incapable of giving consent).
  • The transfer is being made from a register which, under EU law, is intended to provide information to the public.
  • The transfer is a one-off and is for compelling legitimate interests – this exception is for exceptional circumstances, and a number of strict conditions need to be met in order to rely on it.

The EDPB’s guidelines on article 49 derogations explain each of these derogations in more detail.

Additional resources

European Data Protection Board – Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR
