Chapter 14: The GDPR and International Privacy Issues
Appropriate Safeguards and Derogations
For third countries, transfers need an appropriate safeguard. The two most common are SCCs (the most widely used) and BCRs (for intra-group transfers, after DPA certification). Derogations are narrow exceptions like explicit consent.
For third countries (outside the EEA, with no adequacy decision), an appropriate safeguard is required. Two key mechanisms enable lawful EU-to-U.S. transfers:
Standard contractual clauses (SCCs): a company contractually promises to comply with EU law and submit to DPA supervision - in practice the most common legal basis for transfers
Binding corporate rules (BCRs): let a multinational transfer data among affiliated entities after certification of its practices by a DPA
⚠️ Derogations are narrow
A derogation is the EU term for an exception. Derogations allow a transfer based on explicit consent or where necessary for: a contract with the subject (and the transfer is occasional), a contract in the subject's interest with a third party (occasional), important public-interest reasons, legal claims (occasional), or vital interests. Regulators read these narrowly - only so far as strictly necessary.
Key terms - quick answers
What are “Standard contractual clauses (SCCs)”?
Contractual commitments to comply with EU law and submit to DPA supervision; the most common legal basis for transfers.
What are “Binding corporate rules (BCRs)”?
Rules allowing a multinational to transfer data among affiliated entities after certification of its practices by a DPA.
What is a “Derogation”?
An EU term for an exception permitting a transfer where no adequacy decision or safeguard applies, interpreted narrowly.