
GDPR Art.46: Transfers Subject to Appropriate Safeguards

What This Control Requires

In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

In Plain Language

When there is no adequacy decision for a destination country, you need to build your own bridge. Article 46 lets controllers and processors transfer personal data abroad by putting appropriate safeguards in place - mechanisms that ensure enforceable data subject rights and effective legal remedies, compensating for the lack of adequacy. The GDPR lists several safeguard options. Some need supervisory authority approval (ad hoc contractual clauses, administrative arrangements between public bodies). Others do not: Binding Corporate Rules, Standard Contractual Clauses adopted by the Commission, approved codes of conduct with binding commitments from the importer, and approved certification mechanisms with equivalent commitments. In reality, Standard Contractual Clauses dominate. The Commission adopted new modular SCCs in June 2021, covering four transfer scenarios: controller-to-controller (Module 1), controller-to-processor (Module 2), processor-to-processor (Module 3), and processor-to-controller (Module 4). Since Schrems II, signing SCCs alone is not enough. You also need a Transfer Impact Assessment for each transfer, and supplementary measures wherever the TIA identifies gaps.

How to Implement

Pick the right safeguard mechanism for each transfer that lacks adequacy coverage. SCCs work for most transfers to individual third-country recipients. BCRs suit intra-group transfers within multinational organisations. Approved codes of conduct and certifications may fit specific sectors. Choose what matches your transfer scenario.

When using SCCs, use the 2021 Commission set (Decision 2021/914). Select the correct module - Module 1 for C2C, Module 2 for C2P, Module 3 for P2P, Module 4 for P2C. Fill in every clause and complete the annexes with real detail: parties, data categories, purposes, retention periods, technical and organisational measures. Generic or half-completed annexes are a red flag for regulators. Sign the SCCs with your data importer.

Run a Transfer Impact Assessment for each transfer relying on Article 46 safeguards. Focus on the destination country's government access laws and surveillance powers, whether those laws exceed what is necessary and proportionate in a democratic society, whether data subjects have effective remedies, and the practical risks given your specific circumstances - what type of data is being transferred, in which sector, by what method, and in what volume.

Where the TIA surfaces risks that the safeguard alone cannot handle, layer on supplementary measures. Technical measures carry the most weight: encryption with keys held exclusively in the EEA, pseudonymisation before transfer, or split processing so no single entity abroad sees the full dataset. Back these up with organisational measures (transparency policies, access restrictions, resistance mechanisms for government access requests) and contractual measures (enhanced notification obligations around government demands).

Keep everything documented: executed SCCs, the TIA, supplementary measures, and your reasoning for concluding the transfer can go ahead. Review at least annually and whenever the destination country's legal framework shifts, your importer's circumstances change, or new regulatory guidance comes out.
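The pseudonymisation-before-transfer measure above is the one most easily shown in code. The following is an added example written for this page, not AuditFront's tooling or anything from the Commission's SCC decision: an exporter derives deterministic keyed tokens (HMAC-SHA256) for every direct identifier, ships only the tokenised records, and keeps both the HMAC key and the token-to-identity lookup table on EEA systems. The record schema, field list and sample values are constructed for the illustration.

```python
"""Keyed pseudonymisation of a record set before a third-country transfer.

Added example: the importer receives only pseudonymised records; the HMAC key
and the token-to-identity lookup table stay with the exporter in the EEA.
Record layout, field names and sample values below are constructed.
"""
import hashlib
import hmac
import json
import secrets

# Fields that directly identify a person and must not leave the EEA in clear.
# (Constructed schema for the example, not a field list from the page.)
DIRECT_IDENTIFIERS = ("customer_id", "email", "full_name")

# Constructed sample records, as an exporter's CRM extract might look.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "email": "anna@example.org",
     "full_name": "Anna Example", "country": "DE", "plan": "pro", "spend_eur": 1200},
    {"customer_id": "C-1002", "email": "bo@example.org",
     "full_name": "Bo Example", "country": "FR", "plan": "basic", "spend_eur": 90},
    {"customer_id": "C-1001", "email": "anna@example.org",
     "full_name": "Anna Example", "country": "DE", "plan": "pro", "spend_eur": 300},
]


def generate_eea_key() -> bytes:
    """Random 256-bit HMAC key. Generated and stored only on EEA systems."""
    return secrets.token_bytes(32)


def pseudonym(key: bytes, field: str, value: str) -> str:
    """Deterministic keyed token for one identifier value.

    HMAC rather than a plain hash: without the key the importer cannot
    recover identities by hashing guessed values (e-mail addresses are
    easy to enumerate). The field name is mixed in so the same string
    in two different fields yields two different tokens.
    """
    msg = field.encode() + b"\x00" + value.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def pseudonymise(records, key):
    """Split records into the export set and the EEA-only lookup table.

    Returns (export_records, lookup). Tokens are deterministic, so the
    importer can still join and aggregate per customer, but cannot name anyone.
    """
    export, lookup = [], {}
    for rec in records:
        out = {}
        for field, value in rec.items():
            if field in DIRECT_IDENTIFIERS:
                token = pseudonym(key, field, str(value))
                lookup[(field, token)] = value   # retained in the EEA only
                out[field] = token
            else:
                out[field] = value
        export.append(out)
    return export, lookup


def leaks_direct_identifiers(export, originals) -> bool:
    """Pre-transfer check: no clear-text identifier may appear anywhere in the export."""
    blob = json.dumps(export).lower()
    return any(str(rec[f]).lower() in blob
               for rec in originals for f in DIRECT_IDENTIFIERS)


def reidentify(export_record, lookup):
    """EEA-side reversal using the retained lookup table (never sent abroad)."""
    return {f: lookup.get((f, v), v) if f in DIRECT_IDENTIFIERS else v
            for f, v in export_record.items()}


if __name__ == "__main__":
    key = generate_eea_key()
    exported, lookup = pseudonymise(SAMPLE_RECORDS, key)
    if leaks_direct_identifiers(exported, SAMPLE_RECORDS):
        raise SystemExit("direct identifier found in export; transfer blocked")
    print(json.dumps(exported, indent=2))   # this is what crosses the border
```

Two things the code makes visible that the paragraph only names: the measure is only as strong as the key custody (a key copied to the importer turns the tokens back into a lookup table for them), and pseudonymisation leaves indirect identifiers such as country, plan and spend in clear, so the TIA still has to consider whether those quasi-identifiers single out individuals in the transferred volume.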

Evidence Your Auditor Will Request

  • Executed Standard Contractual Clauses or other Article 46 safeguard mechanisms for each transfer
  • Transfer Impact Assessments for all transfers relying on appropriate safeguards
  • Documentation of supplementary measures implemented where identified as necessary
  • Records of regular reviews of transfer mechanisms and TIAs
  • Completed SCC annexes detailing specific transfer circumstances

Common Mistakes

  • Using outdated or superseded versions of Standard Contractual Clauses
  • SCCs executed but no Transfer Impact Assessment conducted as required by Schrems II
  • TIA identifies risks but no supplementary measures implemented to address them
  • SCC annexes left incomplete or containing only generic descriptions
  • No regular review of transfers, TIAs, or the effectiveness of supplementary measures

Related Controls Across Frameworks

Framework    Control ID    Relationship
ISO 27001    A.5.34        Related
ISO 27001    A.5.20        Related

Frequently Asked Questions

Which SCCs should we use?
The 2021 set adopted by Commission Implementing Decision (EU) 2021/914. Pick the module that matches your relationship: Module 1 for C2C, Module 2 for C2P, Module 3 for P2P, Module 4 for P2C. The older SCC sets from 2001, 2004, and 2010 are no longer valid for new transfers. Make sure you complete all clauses and annexes properly - incomplete SCCs are as good as no SCCs.
What should a Transfer Impact Assessment cover?
Focus on the destination country's legal framework, especially government access and surveillance powers. Assess whether these laws go beyond what is necessary and proportionate. Look at the specific circumstances of your transfer - data type, sector, volume, and format. Factor in the data importer's practical experience with government access requests. Then determine whether supplementary measures can close any gaps you find.
What if the TIA shows we cannot adequately protect the data?
Then you cannot proceed with the transfer. Full stop. If the safeguard mechanism plus supplementary measures still cannot guarantee essentially equivalent protection, the transfer must be suspended or terminated. Look at alternatives - process the data within the EEA, find a provider in an adequate country, or restructure the data flow to avoid the problematic jurisdiction.
