Skip to content
Security calendar_today Updated: 7 April 2026 schedule 4 min read

List of Approved Third Countries for Data Transfers Outside the EU

The GDPR restricts transfers of personal data to countries outside the EU, unless an adequacy decision applies. Here you'll find the current list and what it means for you.

summarize Key Takeaways
  • check_circle Data transfers to countries with an adequacy decision are allowed without additional safeguards
  • check_circle The European Commission assesses whether a country offers a comparable level of protection
  • check_circle The United States has the EU-US Data Privacy Framework since 2023, but its durability is uncertain
  • check_circle To countries without an adequacy decision, you may transfer data using Standard Contractual Clauses (SCCs)

Not every country offers the same protection

The GDPR essentially prohibits the transfer of personal data to countries outside the European Economic Area (EEA), unless that country offers a comparable level of data protection. The European Commission assesses this per country and issues a so-called adequacy decision when the assessment is positive.

For you as a business owner, this is relevant as soon as you use software or services from companies outside the EU.

Countries with a full adequacy decision

The following countries and territories have been assessed as adequate by the European Commission (as of April 2026):

  • Andorra
  • Argentina
  • Canada (for commercial organisations under PIPEDA)
  • Faroe Islands
  • Guernsey
  • Israel
  • Isle of Man
  • Japan
  • Jersey
  • New Zealand
  • Republic of Korea (South Korea)
  • Switzerland
  • Uruguay
  • United Kingdom
  • United States (via the EU-US Data Privacy Framework, only for certified organisations)

You may transfer personal data to these countries without additional safeguards, provided the conditions of the specific decision are met.

The EU-US Data Privacy Framework

The adequacy decision for the United States deserves extra attention. It only applies to US organisations that have actively certified themselves via the Data Privacy Framework. You can check at dataprivacyframework.gov whether a specific company is certified.

Major tech companies like Google, Microsoft, Amazon, and Meta are certified. But not every US company is. Always verify before assuming your data transfer is safe.

It’s worth noting that previous adequacy decisions for the US (Safe Harbor and Privacy Shield) were struck down by the European Court of Justice. The current framework may face the same fate. Keep this in mind.

What if a country is not on the list?

For countries without an adequacy decision, you need additional safeguards:

Standard Contractual Clauses (SCCs)

The most commonly used option. These are standard contract terms approved by the European Commission. You agree to them with the party in the third country. Most major software providers have already included SCCs in their processing agreements.

Binding Corporate Rules (BCRs)

For multinational companies transferring data internally between offices in different countries. Less relevant for SMEs.

In exceptional cases, you may transfer data based on explicit, specified consent from the data subject. This is not a structural solution.

What should you record?

In your GDPRWise third-party dossier, you can record per supplier:

  • In which country the data is processed
  • Whether an adequacy decision applies
  • Which additional safeguards you have in place (SCCs, DPF certification)

This makes it easy to demonstrate during an inspection that your third-country transfers are in order.

auto_awesome Record your data transfers

GDPRWise helps you document per third party where data is processed and which safeguards apply.

GW
GDPRWise Editorial

This article was written by the GDPRWise team and reviewed by our privacy experts. We regularly review our content for accuracy and legal correctness.