Explanation & accessibility

Glossary

Transfers to third countries are full of legal terms. Below, each term is explained in plain language, with its source. Intended for anyone following along, even if the GDPR is still new to you.

Accountability

The duty not only to comply with the GDPR, but also to be able to demonstrate that compliance with documentation. A DTIA dossier is one example.

See also: Data Transfer Impact Assessment (DTIA)

Adequacy decision

A decision by the European Commission that a third country offers a level of protection broadly equivalent to that of the EU. Data may be transferred to such a country without an additional instrument.

See also: Data Privacy Framework (DPF), Third country

Anonymous data (relative approach)

Data that can no longer be traced back to a person by means that can reasonably be deployed. Anonymous data falls outside the GDPR (Recital 26).

For a long time, ‘anonymous’ only counted if re-identification was permanently and for everyone impossible. The Court of Justice now takes the relative approach: whether data is personal data depends on the specific recipient and the means it can reasonably deploy. It is about identifiability in a broad sense, not the presence of names: singling someone out, linking to other data, or inferring from context all count too (Recital 26 GDPR; WP29 Opinion 05/2014; Breyer C-582/14; EDPS/SRB C-413/23 P).

For transfers this means: if you pseudonymise such that the recipient cannot reach a person by any reasonable means (technical, organisational and legal), not even through singling out, linkage or inference, then the data is anonymous in that recipient's hands, while it remains personal data for you. That can sharply reduce the risk of meaningful government access at the importer. Record which attributes you removed or obscured, and revisit that judgement if technology or context changes.

See also: Personal data, Pseudonymisation

Appropriate safeguards (Article 46)

Instruments that make a transfer to a third country without an adequacy decision lawful nonetheless, such as Standard Contractual Clauses (SCCs) or binding corporate rules (BCRs).

See also: Standard Contractual Clauses (SCCs), Binding corporate rules (BCRs), Derogations (Article 49)

Article 3(2) GDPR

The provision that makes the GDPR apply to organisations outside the EEA as well, where they offer goods or services to people in the EEA or monitor their behaviour.

See also: Third country

Binding corporate rules (BCRs)

Internal rules of conduct, approved by a supervisory authority, that allow a corporate group to transfer personal data to third countries within its own group.

See also: Appropriate safeguards (Article 46)

CLOUD Act

A US law that grants access to data under the control of a US provider, regardless of where that data is stored. So also to data located within the EEA.

See also: FISA Section 702

Controller

The party that determines why and, in broad terms, how personal data is processed. Whoever sets the purpose of the processing is the controller.

It is about control, not about who actually touches the data. An organisation that decides for itself which data is used for what is the controller, even if it outsources the operational work.

See also: Processor, Personal data

Data Privacy Framework (DPF)

The EU-US Data Privacy Framework: the adequacy framework for transfers to the US. It covers only importers that have actively self-certified for the relevant data categories.

See also: Adequacy decision

Data Transfer Impact Assessment (DTIA)

The assessment of whether a transfer of personal data to a third country, in light of the law and practice there, maintains an equivalent level of protection in practice. Required since the Schrems II ruling. Sometimes called a TIA for short; we write DTIA because it concerns a data transfer specifically.

See also: Schrems II, European Essential Guarantees (EUEG), DPIA

Derogations (Article 49)

Exceptions that permit a transfer in specific situations without an adequacy decision or appropriate safeguards, for example with explicit consent. Intended for occasional cases, not for structural transfers.

See also: Appropriate safeguards (Article 46)

DPIA

Data Protection Impact Assessment: a broader risk assessment of a processing operation itself (Article 35 GDPR). A DTIA concerns the transfer specifically; the two complement each other.

See also: Data Transfer Impact Assessment (DTIA)

Electronic communication service provider (ECSP)

A provider of electronic communication services, including cloud, hosting and communications services. FISA Section 702 targets this category of providers.

See also: FISA Section 702

Encryption

Making data unreadable with a key, so that only whoever holds the key can read it. As a supplementary measure for a transfer, encryption only truly works if the key stays beyond the reach of the importer and the foreign authorities.

Encryption ‘in transit’ protects data on the move; encryption ‘at rest’ protects stored data. For a transfer to a third country the key question is who manages the key: if the keys lie solely with the exporter or an EEA party, then on a government order the importer cannot provide readable data. In the EDPB use cases this is one of the few measures that actually removes access.

See also: Key management, Pseudonymisation, Supplementary measures

European Economic Area (EEA)

The EU Member States plus Iceland, Liechtenstein and Norway. Within the EEA the GDPR applies and personal data may flow freely, without a transfer instrument.

See also: Third country

European Essential Guarantees (EUEG)

Four minimum guarantees that surveillance by a third country must meet for government access to be compatible with the EU fundamental rights. The benchmark for step 3 of the DTIA.

See also: Data Transfer Impact Assessment (DTIA), Schrems II

FISA Section 702

A US surveillance power that permits the targeted collection of communications data from providers of electronic communication services. Directly relevant to cloud and communications importers.

See also: Electronic communication service provider (ECSP), CLOUD Act

Key management

Who manages the encryption keys and where they reside. This determines whether encryption truly protects a transfer: if the keys stay with the exporter or an EEA third party, the importer cannot be compelled to provide readable data.

See also: Encryption, Supplementary measures

Personal data

Any information relating to an identified or identifiable natural person. Not only a name or email, but also indirect data such as an IP address, cookie ID or customer number.

See also: Special categories (Article 9), Anonymous data (relative approach)

Processor

The party that processes personal data solely on behalf of and according to the instructions of the controller, without its own say over the purpose. Think of a cloud service or SaaS provider.

If a service provider also uses the data for its own purposes, it becomes a (joint) controller for that part itself.

See also: Controller, Sub-processor

Pseudonymisation

Replacing direct identifiers with pseudonyms, where the key needed to trace them back is kept separately and protected (Article 4(5) GDPR). A widely used supplementary measure for transfers.

Pseudonymised data remains personal data for whoever holds the key, or another way back. But since CJEU C-413/23 P (EDPS/SRB, 2025) the relative approach applies: for a recipient who cannot re-identify the data by any reasonable means, it may be anonymous in that recipient's hands. If you keep the key within the EEA and the importer cannot get back to the person, then what it receives is effectively anonymous for it, while it remains personal data for you.

Well-executed pseudonymisation separates the key from the data technically and organisationally and limits who can access it. ENISA describes usable techniques (key-based hashing, tokenisation, encryption of identifiers) and the associated pitfalls.

See also: Personal data, Anonymous data (relative approach), Encryption, Key management, Supplementary measures

SCC module

The 2021 SCCs have four modules, depending on the roles of exporter and importer (controller or processor). The right module follows from that combination of roles; the tool derives it automatically.

See also: Standard Contractual Clauses (SCCs), Controller, Processor

Schrems II

The Court of Justice ruling (2020) that invalidated the Privacy Shield and required you to assess, per transfer, whether the third country offers sufficient protection. The reason the DTIA obligation exists.

See also: Data Transfer Impact Assessment (DTIA), European Essential Guarantees (EUEG)

Special categories (Article 9)

Particularly sensitive personal data, such as data on health, racial or ethnic origin, religion, political opinions or sexual orientation. Processing is in principle prohibited, unless an exception applies.

See also: Personal data

Standard Contractual Clauses (SCCs)

Standard clauses adopted by the European Commission between exporter and importer. The most widely used instrument for transfers to third countries without an adequacy decision.

See also: Appropriate safeguards (Article 46), SCC module

Sub-processor

A party the processor engages to carry out part of the processing, for example the underlying hosting party. The processor remains answerable to the controller for what the sub-processor does.

See also: Processor

Supplementary measures

Additional technical, contractual or organisational measures on top of the transfer instrument, required where the law of the third country undermines the safeguards (Schrems II). Only measures that effectively prevent access in practice truly count.

The EDPB distinguishes three kinds: technical (strong encryption with keys in the EEA, robust pseudonymisation, data minimisation, split or multi-party processing), contractual (notification duty, duty to challenge requests, transparency) and organisational (policies for government requests, access control). Technical measures are usually decisive; contractual and organisational ones support but rarely stop a legal order on their own.

The benchmark is effectiveness, not paper presence: what matters is whether the measure deprives the competent authority of effective access. Besides the EDPB, sources such as ENISA also offer practical technical guidance.

See also: Encryption, Pseudonymisation, Key management, Appropriate safeguards (Article 46)

Third country

A country outside the European Economic Area (EEA). Transfers to a third country are subject to the additional requirements of Chapter V GDPR.

See also: European Economic Area (EEA), Transfer, Adequacy decision

Transfer

Making personal data available to a recipient in a country outside the EEA. Remote access or viewing from a third country also already counts as a transfer, even if the data physically stays within the EEA.

See also: Third country, Appropriate safeguards (Article 46)

This explanation is intended as accessible guidance, not as legal advice. The full assessment of your situation runs through the assessment.

Glossary · DTIA Bridge