Advancing Cross-Border Compliance: The Third Country Transfers Module

07/04/2025SCOPE EuropeEU Cloud CoCNews

In line with its commitment to continuous progression, the EU Cloud Code of Conduct’s General Assembly, together with SCOPE Europe, is advancing a new module to respond to emerging challenges: The Third Country Transfers Module. This module will provide structured, Article 46-compliant safeguards for international data transfers, covering the legal requirements for third country transfers as outlined in Chapter V of the GDPR.

While mechanisms such as adequacy decisions and standard contractual clauses remain relevant, recent legal developments have highlighted the importance of redundancy in compliance tools when it comes to GDPR-compliant cross-border data flows. Organizations need a diversified set of mechanisms to ensure legal certainty and maintain high standards of protection when transferring data to multiple jurisdictions.

A Complementary Framework for International Transfers

Following the Schrems II ruling and the increasing complexity of global data flows, the need for resilient legal frameworks has become more pressing. Although the EU-U.S. Data Privacy Framework provides a current path for transatlantic transfers, its long-term durability remains uncertain. It is therefore crucial to develop and maintain additional GDPR-compliant options to support transfers worldwide.

The Third Country Transfers Module offers a structured approach to implementing appropriate safeguards for international transfers. It builds on the EU Cloud CoC framework and is designed specifically for the cloud sector, particularly in business-to-business contexts where providers act as processors.

Click here to read the draft Third Country Transfers Module.

Key Elements of the Module

The draft Module complements the existing EU Cloud CoC adherence system and serves as a practical tool to demonstrate compliance for international transfers.

The module:

Incorporates requirements from EDPB guidance, CJEU case law, and the GDPR’s risk-based approach
Offers a scalable solution that supports transfers to a wide range of jurisdictions
Helps organizations identify and apply appropriate technical, contractual, and organizational safeguards
Includes standardized mechanisms to support documentation and communication between providers and controllers

Engagement and Next Steps

The Module’s dedicated working group, composed of members of the EU Cloud CoC General Assembly, has carefully reviewed the feedback received during the public consultation and is now in the process of finalizing the draft ahead of its submission to the competent supervisory authority.

The development of the Third Country Transfers Module underscores the growing importance of diverse, sector-specific compliance tools. It is intended to equip organizations with a practical solution for international data transfers that supports operational needs while ensuring strong protection of data subjects’ rights.

Click here for more information on the Module.

Name	Purpose	Lifetime	Type	Provider
CookieConsent	Saves your consent to using cookies.	1 year	HTML	Website
fe_typo_user	Assigns your browser to a session on the server.	session	HTTP	Website

Name	Purpose	Lifetime	Type	Provider
_pk_id	Used to store a few details about the user such as the unique visitor ID.	3 months	HTML	Matomo
_pk_ref	Used to store the attribution information, the referrer initially used to visit the website.	2 weeks	HTML	Matomo
_pk_ses	Short lived cookie used to temporarily store data for the visit.	30 minutes	HTML	Matomo
_pk_cvar	Short lived cookie used to temporarily store data for the visit.	30 minutes	HTML	Matomo
_pk_hsr	Short lived cookie used to temporarily store data for the visit.	30 minutes	HTML	Matomo

Advancing Cross-Border Compliance: The Third Country Transfers Module

About

Public Register

Participate

FAQ

Contact

Twitter