Compliance Advisory

Sending EU data outside Europe?

GDPR Chapter V (Articles 44–49) sets strict rules for when and how personal data can leave the EU. There are three legal routes — you need at least one.

10 min read·2026-02-05

Your startup is outside the EU. Your servers are outside the EU. But you process data of people in the EU.

Every time that data moves from the EU to your systems, the GDPR calls that an international transfer. Chapter V sets strict rules for when and how this is allowed.

There are three legal routes. You need at least one.

The three routes

You need at least one.

Route 1Article 45

Adequacy decisions

The simplest path. The European Commission can decide that a country provides adequate data protection. If your country has an adequacy decision, transfers happen freely — no extra steps.

Countries with adequacy decisions include: UK, Japan, South Korea, Switzerland, Canada (commercial), Israel, New Zealand, Argentina, and Uruguay (among others).

What you must do
  • Verify your country is on the Commission’s current adequacy list.
  • Monitor for changes — adequacy decisions are reviewed every four years.
  • Have a contingency plan if the decision is suspended or repealed (this happened with the US Privacy Shield in 2020).

If your country is not on the list — or you cannot rely on the US Data Privacy Framework — move to Route 2.

Source: GDPR Article 45(1)–(9) — Regulation (EU) 2016/679 (CELEX 32016R0679)
Route 2Article 46

Appropriate safeguards

When there is no adequacy decision, you can still transfer data if you put safeguards in place. The most common mechanisms:

Standard Contractual Clauses (SCCs)

Pre-approved contract terms adopted by the Commission. You incorporate them verbatim into your data processing agreements. Since June 2021, you must use the updated SCCs (Commission Implementing Decision 2021/914).

You must also complete a Transfer Impact Assessment (TIA): document the laws of the destination country and assess whether they undermine the protections in the SCCs.

Binding Corporate Rules (BCRs)

Internal rules for multinational groups. These require approval from a supervisory authority through the Article 47 procedure. Typically used by large corporations — unlikely to be practical for startups.

Other mechanisms under Article 46(2)–(3)

Codes of conduct with binding commitments (Article 40); certification mechanisms (Article 42); ad hoc contractual clauses (requires supervisory authority authorisation); administrative arrangements between public bodies.

What you must do
  • Sign SCCs with your EU data partners — this is the most realistic option for startups.
  • Complete a TIA for each transfer route.
  • Verify that data subjects can exercise their rights in your country.
  • Keep documentation available for supervisory authorities.
Source: GDPR Article 46(1)–(5) — Regulation (EU) 2016/679 (CELEX 32016R0679)
Route 3Article 49

Derogations

When you have no adequacy decision and no safeguards in place, Article 49 allows transfers in specific, limited situations:

  • The data subject gave explicit consent after being informed of the risks.
  • The transfer is necessary to perform a contract with the data subject.
  • The transfer is necessary for important reasons of public interest.
  • The transfer is necessary for legal claims.
  • The transfer is necessary to protect vital interests.

These derogations are not a substitute for a proper transfer mechanism. Regulators expect them to be used for occasional, one-off transfers — not as your standard operating procedure.

What you must do
  • Maintain a Transfer Impact Assessment log.
  • Document the necessity and proportionality of each transfer.
  • Record this in your Article 30 processing records.
  • Make records available to supervisory authorities on request.
Source: GDPR Article 49(1)–(6) — Regulation (EU) 2016/679 (CELEX 32016R0679)
Practical checklist

Seven steps for non-EU startups.

  1. 01
    Map your data flows

    Identify every point where EU personal data leaves the EU.

  2. 02
    Check adequacy

    Is your country covered by a Commission adequacy decision?

  3. 03
    If not, sign SCCs

    The standard path for startups. Use the 2021/914 clauses verbatim.

  4. 04
    Complete a TIA for each transfer

    Document the legal landscape of the destination country and whether it undermines the SCC protections.

  5. 05
    Build a contingency plan

    What happens if your legal basis is invalidated? Privacy Shield was struck down in 2020; adequacy decisions can be suspended.

  6. 06
    Update your privacy notice

    Disclose the transfer and the safeguards used under Articles 13(1)(f) and 14(1)(f).

  7. 07
    Keep records

    Article 30 records must document international transfers, including safeguards and supervisory authority interactions.

Sources

GDPR full textRegulation (EU) 2016/679 (CELEX 32016R0679)
Article 44General principle for transfers
Article 45Transfers based on adequacy decision
Article 46Transfers subject to appropriate safeguards
Article 47Binding corporate rules
Article 49Derogations for specific situations
Article 30Records of processing activities
Commission Decision 2021/914Updated Standard Contractual Clauses

RuleMesh data references

graphs/articles/32016R0679_article_459 paragraphs, compliance tips on adequacy decisions, periodic review, contingency planning.
graphs/articles/32016R0679_article_465 paragraphs, compliance tips on SCCs, BCRs, supervisory authority authorisation.
graphs/articles/32016R0679_article_496 paragraphs, compliance tips on derogation-based transfers, TIA logs, Article 30 records.
IT functions coveredData Management, Risk Management, Third-Party Management, Monitoring & Logging, Incident Management, Access Control.

This content is regulatory guidance, not legal advice. Always consult qualified legal counsel for your specific situation.

Transfer requirements, structured.

RuleMesh publishes Articles 44–49 as structured IT requirements with transfer-mechanism decision logic, TIA templates, and mappings to cloud controls.

Browse cloud mappingsarrow_forwardBack to reports