Third Country
Country outside the EEA — Chapter V GDPR
Practitioner's note: This article is practice-oriented compliance documentation, not legal advice. We are a compliance specialist, not a law firm. For legally binding information please consult a licensed lawyer.
TL;DR
Third-country transfers (Article 44 GDPR) are permitted only under specific conditions: adequacy decision (Article 45), appropriate safeguards (Article 46, e.g. SCCs) or derogations (Article 49).
What is a third country?
Countries with an adequacy decision (as of 04/2026):
- Andorra, Argentina, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, Canada (commercial), New Zealand, Switzerland, Uruguay, United Kingdom, South Korea (limited), Japan
- USA: only under the DPF (Data Privacy Framework) — risk increased by the Trump executive order of 01/2025
Practical example
You use a cloud provider with servers in India. India is a third country without an adequacy decision. Required: SCC 2021/914 + TIA + supplementary measures (encryption).
Frequently asked questions
Is the UK still a third country?
Yes, since Brexit. However, the adequacy decision has been extended until 27 June 2025. Status 04/2026: still valid.
Is encryption sufficient?
It helps, but does not replace SCCs. See EDPB Recommendation 01/2020.
What about Switzerland?
Special status: not part of the EEA, but covered by an adequacy decision. The Swiss FADP is harmonised with the GDPR.