Adequacy decisions & SCCs: how your data lawfully leaves Europe
Two mechanisms carry nearly all legal data exports: countries the Commission has certified as “adequate”, and standard contractual clauses for everywhere else. Knowing which one a company relies on tells you how solid your protection is.
Chapter V’s logic: your data may leave the EU/EEA only if protection travels with it. Route 1 — adequacy (Art. 45): the Commission certifies a country’s law as essentially equivalent; data then flows as freely as inside the EU. The club includes the UK, Switzerland, Japan, South Korea, Canada (commercial), New Zealand, Israel, Argentina, Uruguay — and the US via the Data Privacy Framework, for certified companies only. Adequacy is reviewable and revocable — the UK’s, notably, gets re-examined against its own reform plans. Route 2 — SCCs (Art. 46): Commission-drafted contract modules binding the foreign recipient to GDPR-grade duties. Post-Schrems II, SCCs alone are not enough on paper: the exporter must assess whether the destination’s surveillance law guts the clauses, and bolt on supplementary measures — encryption the recipient cannot break being the gold standard. Route 3 — the fine print: derogations (Art. 49: your explicit consent, contract necessity) for occasional transfers, and binding corporate rules for multinationals. What you can ask any company: Art. 13(1)(f) obliges them to disclose transfers and the safeguard used — “which countries, under which Art. 46 mechanism?” is a legitimate, answerable question, and “we don’t know” is a finding in itself.
Verified against the sources above on 18 July 2026. Information, not legal advice.