Transfers outside the EU - without adequate protection

When a country is not recognized as offering an adequate level of protection, there are various possibilities offered by article 46 of the GDPR for a data transfer: standard contractual clauses made available by the European Commission or binding corporate rules. There is also the possibility of appealing to certain exemptions defined by article 49 of the GDPR.


There are a series of derogations enabling transfers to countries not offering an adequate level of protection. In order to provide legal security to economic actors, EU member states have made it compulsory to apply these derogations to transfers to third countries not offering an adequate level of protection. One of these derogations is the possibility for controllers to offer adequate protection themselves, by means of a contract. Protection can be offered, for example, through a contract which is binding for those who send the data and those who receive them, and which contains
sufficient safeguards regarding data protection.

1. European Commission's standard contractual clauses

To help controllers, the European Commission has provided for standard contractual clauses that are considered automatically as sufficient safeguards in light of the applicable data protection rules.

Below you will find the available standard contractual clauses:

  • contractual clauses for transfers from a controller to a controller
    (first model 2001/497/CE);
  • contractual clauses for transfers from a controller to a controller
    (second model 2004/915/CE);
  • contractual clauses for transfers from a controller to a processor
    (for contracts prior to 15 May 2010: 2002/16/CE; for new contracts since 15 May 2010: 2010/87/EU). Please be advised that the Article 29 Working Party has elaborated FAQs (WP176) about contractual clauses following Decision 2010/87/EU.

The notification of standard contractual clauses is no longer required. Nevertheless the controller or processor should always be able to submit its standard contractual clauses when requested so by the Belgian Data Protection Authority.

2. Contractual clauses proposed by the company in question itself.

If controllers do not chose for the European Commission's standard contractual clauses, they can nevertheless draw up their own contractual clauses (ad hoc clauses) offering sufficient data protection safeguards. These clauses have to be submitted to the Authority according to article 46.3.a) of the GDPR and subsequently these clauses will have to be approved by the European Data Protection Board in accordance with article 46.4 GDPR through the consistency mechanism

There are some “exceptions” which may – under strict conditions – allow for the transfer of personal data to a third country in absence of an adequacy decision, adequate safeguards or binding corporate rules (article 49.1 GDPR).

One of these exceptions can be invoked when the data subjects have given their unambiguous consent to the transfer of their data to such a country, when the transfer is necessary to perform a contract with the data subject or when the data come from a public register intended to inform the public (for example telephone book, trade register). These exceptions should be interpreted restrictively and cannot constitute the normal framework for data transfers, especially massive and repeated data flows. For this type of data flows, it is therefore recommended to quickly come to a contractual solution, because in this case the recipient of the data enters into a legal commitment.

All transfers of personal data outside the European Union have to guarantee an adequate level of protection of personal data (article 44 GDPR). This level of adequate protection can be established in different ways, one of them being the adoption of Binding Corporate Rules (article 47 GDPR). BCR’s allow a companies to exchange personal data – also outside the EU – within their corporate structure, whilst preserving the level of protection offered by the GDPR.

Which procedure has to be followed to submit a BCR-application?

Step 1

Are you a controller ? Fill out form WP264
Are you a processor ? Fill out form WP265

Step 2

Following section 1.3 of forms WP264 and WP265 mentioned in step 1, you will have to indicate a lead supervisory authority (article 64 GDPR) and justify the reasons for your choice according to the criteria listed in in section 1.2 of form WP263 rev.01. You will provide to the authority – which is in your view the lead authority – the information set out in section 1.5 of form WP263 rev.01.

Step 3
2 weeks
(+ max. 2 weeks)

The designated data protection authority will take a decision on whether or not it is competent. We can ask extra information if necessary in order to verify our competence. If the data protection authority deems it is competent to examine your BCR application, it will inform the other data protection authorities which are affected by your BCR-application, of its decision. These other data protection authorities will have two week to raise objections against the proposed decision on the competence of the lead
authority for the BCR-application.

In the context of BCR-proceedings, the affected data protection authorities will be:
• For controller-BCR’s : all data protection authorities of the member states from which transfers of personal data are originating.
• For processor-BCR’s: all data protection authorities are affected.

1 month If the designated lead authority deems it is not competent, it will inform the applicant by a motivated decision and will suggest a data protection authority which is better placed to deal with the BCR-application.
Step 4
No deadline

If none of the affected data protection authorities have raised objections, the competence of the designated lead authority is established. The lead authority will chose one or two co-reviewing data protection authorities (two when 14 or more member states are affected by the BCR) which will assist the lead supervisory authority in checking the submitted BCR’s against the criteria set out in WP256 (for controllers) and WP257 (for processors).

1 month

When the competent lead authority is of the opinion that the criteria listed in in WP256 (for controllers) and WP257 (for processors) are met, it will send over the BCR’s to the co-reviewing authorities. The co-reviewing authorities will have one month to provide feedback and raise objections. If objections are raised, the lead supervisory authority will relay those to the applicant.

Step 5
Max 1 month When the competent lead authority and the co-reviewing authorities agree that the submitted BCR’s guarantee an adequate level of protection, the BCR’s will be submitted to all affected data protection authorities for final feedback.
No deadline  If the affected data protection authorities raise objections against the BCR’s, the lead supervisory authority will relay those to the applicant.
Step 6
8 weeks
(+ max 6 weeks)
If no objections are raised, the lead supervisory authority will submit its draft approval decision to the European Data Protection Board (EDPB). The EDPB will issue an opinion within 8 weeks according to the procedures set out in article 64.3 of the GDPR and article 10 of its rules of procedure. The deadline of 8 weeks can be extended with 6 extra weeks if necessary.
No deadline a. If the EDPB approved the BCR, the lead supervisory authority will adopt an approval decision;
b. If the EDPB considers that further amendments are necessary, the lead supervisory authority will relay those to the applicant.
Step 7
No deadline

When the BCR’s have been approved by the lead supervisory authority, the approval decision and the finalised BCR’s will be communicated to all affected data protection authorities.