International transfers

This subtopic discusses the international transfer of personal data under the EU’s General Data Protection Regulation, Regulation (EU) 2016/679 (the EU GDPR). For an introduction to the EU GDPR regime generally, including the data protection principles, terminology, territorial scope and applicability, see Practice Note: The EU’s General Data Protection Regulation (EU GDPR).

The Chapter V restrictions

Article 44 of Regulation (EU) 2016/679, EU GDPR prohibits controllers and processors subject to the EU GDPR from transferring personal data to any country or territory outside the EEA or to an ‘international organisation’ unless the conditions laid out in Chapter V (Transfers of personal data to third countries or international organisations) of the EU GDPR are complied with.

An international organisation under the EU GDPR means any organisation (and its subordinate bodies) governed by public international law or any other body which is set up by, or on the basis of, an agreement between two or more countries.

The transfer restrictions apply both to the initial transfer, and to any onward transfer.

For more information, see Practice Note: EU GDPR—transfers of personal data internationally and to international

To view the latest version of this document and thousands of others like it, sign-in with LexisNexis or register for a free trial.

TAKE A FREE TRIAL

Latest EU Law News

Commission launches consultation to revise the EU Cybersecurity Act and strengthen the EU cybersecurity framework

The European Commission launched a call for evidence to support the preparation of a legislative proposal to revise the EU Cybersecurity Act. The initiative aims to strengthen EU cyber resilience, update the mandate of the EU Agency for Cybersecurity (ENISA) and improve the effectiveness of the European Cybersecurity Certification Framework. The Commission noted that the cybersecurity landscape has become significantly more complex and threat‑intensive since the Act’s adoption in 2019, while subsequent EU legislation has expanded ENISA’s tasks beyond its original mandate, creating the need to streamline, simplify and supplement the existing framework to ensure coherence, reduce administrative burdens and improve implementation for businesses and users. The initiative focuses on measures to support a secure and resilient Information and Communication Technology supply chain and the EU cybersecurity industrial base, addresses shortcomings in the certification framework such as slow adoption, unclear roles, limited agility and insufficient clarity on covered risks, including non‑technical factors, and considers alignment with newer instruments such as the Cyber Resilience Act. The Commission outlined policy options ranging from non‑legislative measures to targeted or comprehensive regulatory revision, stating that EU‑level action is required to prevent internal market fragmentation and to secure long‑term economic and social benefits through greater harmonisation, stronger cybersecurity and resilience, more efficient incident response and enhanced protection of fundamental rights, including personal data. The call for evidence will run until 20 June 2025.

Commission imposes definitive anti-dumping duties on Chinese steel cylinder imports

The European Commission has imposed definitive anti-dumping duties ranging from 57.7% to 90.3% on high-pressure seamless steel cylinders for compressed or liquefied gas imported from China. The measures follow an investigation that identified unfair trade practices covering cylinders of all diameters and volume capacities. During the investigation period, from 1 July 2023 to 30 June 2024, the EU market totalled 6.4 million units, of which 4.5 million units were imported from China.

Commission announces entry into force of EU-Singapore Digital Trade Agreement

The European Commission has announced that the EU-Singapore Digital Trade Agreement (DTA) entered into force on 2 February 2026, representing the EU's first standalone bilateral digital trade agreement. The DTA establishes rules for cross-border digital transactions and includes commitments on online consumer protection, personal data and privacy protection, as well as safeguards against unsolicited commercial communications. It promotes paperless trade, recognises the validity of electronic signatures, contracts and invoices and prohibits the imposition of customs duties on electronic transmissions. The DTA also prohibits unjustified data localisation requirements and the forced transfer of software source code. The DTA builds on the 2019 EU-Singapore Free Trade Agreement, with negotiations on the agreement having commenced on 20 July 2023.

ACER publishes Rules of Procedure for cross-border REMIT investigations

The Agency for the Cooperation of Energy Regulators (ACER) has published Rules of Procedure setting out how it will investigate suspected cross-border breaches of the EU Regulation on Wholesale Energy Market Integrity and Transparency (REMIT). This followed legislative changes in 2024 that gave ACER a mandate to investigate cases affecting more than one Member State. The rules explain how ACER will examine suspected insider trading, market manipulation, failures to disclose inside information, data reporting breaches and obligations on persons professionally arranging or executing transactions. They set out ACER’s investigatory powers, including on-site inspections, requests for information and interviews, while confirming that enforcement remains the responsibility of national regulatory authorities. The Rules of Procedure describe the stages of investigations, the decision-making process and the rights and obligations of the parties concerned. They are intended to ensure legal certainty, due process, fairness and efficiency. ACER is expected to begin using these cross-border investigatory powers from the second half of 2026.