GDPR Article 46: Transfers Subject to Appropriate Safeguards
International data transfers require robust safeguards when no adequacy decision exists. GDPR Article 46 mandates you document and implement appropriate mechanisms—Standard Contractual Clauses, Binding Corporate Rules, codes of conduct, or certifications—to protect personal data in transit. Non-compliance exposes your organization to fines and data breach liability.
What this means
Article 46 permits data transfers outside the EEA only when appropriate safeguards are in place to ensure an adequate level of protection. These safeguards replace the need for an adequacy decision by the European Commission and include: Standard Contractual Clauses (SCCs) between organizations, Binding Corporate Rules (BCRs) for intra-group transfers, approved codes of conduct with contractual commitments, and approved certification mechanisms demonstrating compliance. You must identify every data transfer, classify the recipient jurisdiction's risk level, select the appropriate safeguard mechanism, and maintain documentation proving the safeguard was in place and effective at the time of transfer.
How to comply
- 1.Conduct a data transfer inventory: map all personal data flows to third countries and identify recipient organizations and jurisdictions
- 2.Assess adequacy decisions: confirm whether the destination country has an adequacy decision from the European Commission
- 3.Select appropriate safeguard(s): choose SCCs for standard transfers, BCRs for group companies, codes of conduct for industry associations, or certifications like Standard Contractual Clauses with supplementary measures
- 4.Execute and sign required agreements: implement SCCs or BCRs with contractual terms that meet GDPR requirements and include data subject rights
- 5.Document supplementary measures: where SCCs alone may not suffice (e.g., transfers to countries with government surveillance laws), add supplementary technical and organizational measures like encryption or pseudonymization
- 6.Review and update safeguards: monitor regulatory changes, court decisions (e.g., Schrems II), and adequacy decisions that may affect your chosen mechanism
- 7.Maintain transfer documentation: keep records of safeguard agreements, adequacy assessments, and supplementary measures for audit and DPA inquiries
Evidence auditors look for
- Executed Standard Contractual Clauses (SCCs) with defined Module 1–4 structure matching the parties and transfer type
- Binding Corporate Rules (BCRs) document approved by DPA showing binding commitments across group entities
- Supplementary measures log: encryption specifications, pseudonymization protocols, and access controls applied to transfers
- Data transfer impact assessment (DTIA) or Transfer Impact Assessment (TIA) documenting legal framework review and safeguard selection rationale
- Register of third-country recipients with safeguard mechanism, jurisdiction, and effective date
- Copies of adequacy decision confirmations or SCCs Module selection justification in data processing records
- Approval documentation from Data Protection Officer or legal review confirming safeguard adequacy for the destination jurisdiction
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates your transfer inventory, tracks SCC/BCR execution status, flags jurisdictions with adequacy changes, and maintains a single audit-ready register of all data transfer safeguards—eliminating manual spreadsheets and DPA follow-up delays.
See how GRCWatch handles this control automatically
Start free trial