# Data transfers outside the EU

The transfer can be defined as any communication, copy or movement of personal data intended to be processed in a country outside the European Union.

Data transfers outside the European Union are prohibited as a matter of principle. 

[Articles 44 to 49 of the GDPR](https://eur-lex.europa.eu/eli/reg/2016/679/oj#d1e4227-1-1) provide for exceptions to this prohibition. They provide for the use of tools to control this transfer: 

* an adequacy decision by the European Commission regarding certain countries ensuring an adequate level of protection; 
* standard contractual clauses (SCC) of the European Commission;
* internal company rules (BCR); 
* specific contractual clauses (considered to comply with the European Commission's model clauses); 
* standard contractual clauses adopted by a supervisory authority and approved by the European Commission;
* an approved code of conduct (including a binding and enforceable commitment by non-EU recipients to apply appropriate safeguards);
* an approved certification scheme (including a binding and enforceable commitment by non-EU recipients to apply appropriate safeguards); 
* an administrative arrangement or a legally binding and enforceable text taken to enable cooperation between public authorities (Memorandum of Understanding or MMOU, international convention, etc.). 

Derogations are provided for in [Article 49 of the GDPR](https://eur-lex.europa.eu/eli/reg/2016/679/oj#d1e4535-1-1). If a derogation justifies the transfer, the nature of the derogation must be indicated and, if necessary, the assessment of the circumstances of the transfer and the appropriate guarantees must be detailed.<br>