GDPR Glossary Also known as: third country transfer, cross-border transfer
Sending personal data outside the EEA — allowed only with a valid transfer mechanism.
Transferring personal data to a 'third country' outside the EEA is only lawful with a transfer tool: an adequacy decision, appropriate safeguards (like SCCs or BCRs), or a narrow derogation.
Since Schrems II, transfers often also need a transfer impact assessment to check the destination's laws.
In the Regulation
Related terms
Adequacy decisionA European Commission decision that a non-EU country offers adequate data protection, allowing free transfers there.Standard Contractual ClausesPre-approved contract terms that provide a safeguard for transferring personal data outside the EEA.Transfer impact assessmentThe Schrems II check on whether the destination country's laws undermine your transfer safeguards.EU–US Data Privacy FrameworkThe 2023 adequacy framework allowing transfers to certified US organisations.
Need this applied to your business?
Our data-protection lawyers turn GDPR terms into a working plan.