Global data transfer contracts
This infographic shows the jurisdictions that have taken steps to standardize draft contractual clauses for transferring personal data internationally.
Published: 17 April 2023
Last updated: 7 May 2024
The proliferation of new and updated data privacy laws around the world has resulted in a marked rise in the number of data transfer mechanisms. One such mechanism – and one of the most prevalent – is the implementation of contractual clauses between the data exporter and the data importer. These contractual clauses purport to govern how the data importer will process the personal data transferred to it. The clauses extend certain privacy safeguards which exist and are applicable to the data exporter and data importer in another jurisdiction.
This infographic shows the jurisdictions that have taken steps to standardize draft contractual clauses for transferring personal data internationally. There are at least 23 draft, template, or standardized contractual clauses or undertakings for international data transfers covering over 77 jurisdictions.
For information on global data adequacy capabilities, see this companion infographic.
Future research by the IAPP will detail the implementation of data transfer mechanisms across the globe, similarities and differences between them, and key takeaways for privacy professionals.
There are at least 23 draft, template or standardized contractual clauses or undertakings for international data transfers covering transfers from 77 jurisdictions.
List of jurisdictions
These lists provide the jurisdictions that have taken steps to standardize draft contractual clauses for transferring personal data internationally.Association of Southeast Asian Nations
- Brunei
- Cambodia
- Indonesia
- Laos
- Malaysia
- Myanmar
- Philippines
- Singapore
- Thailand
- Vietnam
Council of Europe (Draft)
- All European Economic Area states
- Albania
- Andorra
- Armenia
- Azerbaijan
- Bosnia and Herzegovina
- Georgia
- Moldova
- Monaco
- Montenegro
- North Macedonia
- San Marino
- Turkey
- United Kingdom
Latin American Data Protection Board (RIPD)
- Andorra
- Argentina
- Brazil
- Chile
- Colombia
- Colombia
- Mexico
- Panama
- Peru
- Portugal
- Spain
- Uruguay
European Economic Area
- Austria
- Belgium
- Bulgaria
- Croatia
- Cyprus
- Czech Republic
- Denmark
- Estonia
- Finland
- France
- Germany
- Greece
- Hungary
- Iceland
- Ireland
- Italy
- Latvia
- Liechtenstein
- Lithuania
- Luxembourg
- Malta
- Netherlands
- Norway
- Poland
- Portugal
- Romania
- Slovakia
- Slovenia
- Spain
- Sweden
- Argentina†
- Brazil†
- Peru†
- Portugal*
- Spain*
- Uruguay†
† Covered by their own and RIPD contracts.
* Covered by EEA and RIPD contracts.
This content is eligible for Continuing Professional Education credits. Please self-submit according to CPE policy guidelines.
Global data transfer contracts
This infographic shows the jurisdictions that have taken steps to standardize draft contractual clauses for transferring personal data internationally.
Published: 17 April 2023
Last updated: 7 May 2024
Contributors:
Joe Jones
Research and Insights Director, IAPP
The proliferation of new and updated data privacy laws around the world has resulted in a marked rise in the number of data transfer mechanisms. One such mechanism – and one of the most prevalent – is the implementation of contractual clauses between the data exporter and the data importer. These contractual clauses purport to govern how the data importer will process the personal data transferred to it. The clauses extend certain privacy safeguards which exist and are applicable to the data exporter and data importer in another jurisdiction.
This infographic shows the jurisdictions that have taken steps to standardize draft contractual clauses for transferring personal data internationally. There are at least 23 draft, template, or standardized contractual clauses or undertakings for international data transfers covering over 77 jurisdictions.
For information on global data adequacy capabilities, see this companion infographic.
Future research by the IAPP will detail the implementation of data transfer mechanisms across the globe, similarities and differences between them, and key takeaways for privacy professionals.
There are at least 23 draft, template or standardized contractual clauses or undertakings for international data transfers covering transfers from 77 jurisdictions.
List of jurisdictions
These lists provide the jurisdictions that have taken steps to standardize draft contractual clauses for transferring personal data internationally.Association of Southeast Asian Nations
- Brunei
- Cambodia
- Indonesia
- Laos
- Malaysia
- Myanmar
- Philippines
- Singapore
- Thailand
- Vietnam
Council of Europe (Draft)
- All European Economic Area states
- Albania
- Andorra
- Armenia
- Azerbaijan
- Bosnia and Herzegovina
- Georgia
- Moldova
- Monaco
- Montenegro
- North Macedonia
- San Marino
- Turkey
- United Kingdom
Latin American Data Protection Board (RIPD)
- Andorra
- Argentina
- Brazil
- Chile
- Colombia
- Colombia
- Mexico
- Panama
- Peru
- Portugal
- Spain
- Uruguay
European Economic Area
- Austria
- Belgium
- Bulgaria
- Croatia
- Cyprus
- Czech Republic
- Denmark
- Estonia
- Finland
- France
- Germany
- Greece
- Hungary
- Iceland
- Ireland
- Italy
- Latvia
- Liechtenstein
- Lithuania
- Luxembourg
- Malta
- Netherlands
- Norway
- Poland
- Portugal
- Romania
- Slovakia
- Slovenia
- Spain
- Sweden
- Argentina†
- Brazil†
- Peru†
- Portugal*
- Spain*
- Uruguay†
† Covered by their own and RIPD contracts.
* Covered by EEA and RIPD contracts.
This content is eligible for Continuing Professional Education credits. Please self-submit according to CPE policy guidelines.
Tags:
Related resources
US State Privacy Legislation Tracker
Organizational Digital Governance Report 2025
US State Comprehensive Privacy Laws Report
US Data Privacy Litigation
