EU Regulation 2016/679 - Decision Register

ARTICLES 44-49 GDPR / ENFORCEMENT GUIDE

Articles 44-49 GDPR Fines, International Transfer Enforcement (Schrems II)

Chapter V of the GDPR governs transfers of personal data outside the EEA. The Schrems II ruling and the subsequent EU-US Data Privacy Framework restructured how controllers handle international transfers.

Statutory cap: Art 83(5) upper tier
Max fine: €20M or 4% turnover
Largest single fine: €1.2B (Meta 2023)
Key CJEU case: Schrems II C-311/18
US adequacy: DPF since Jul 2023

EDUCATIONAL ONLY

This page is a reference summary of a published regulator decision. It is not legal advice. Consult a qualified data protection lawyer for advice on your specific situation. The UK GDPR is a separate regime from the EU GDPR following Brexit. Always read the source decision in full before relying on any figure or quote.

CHAPTER V FRAMEWORK

The three-tier transfer framework

Articles 44-49 establish a layered framework. Article 44 is the general principle: any transfer of personal data outside the EEA must not undermine the level of protection of natural persons guaranteed by the GDPR. Each subsequent Article in the Chapter operationalises this general principle for a specific transfer mechanism.

Article 45 (adequacy). Transfers to a third country are permitted where the European Commission has formally found that the third country provides an adequate level of protection. Adequacy decisions cover (as of 2026): the UK, Switzerland, Andorra, Argentina, Canada (commercial), Faroe Islands, Guernsey, Israel, Isle of Man, Japan (commercial), Jersey, New Zealand, Republic of Korea, Uruguay, and the United States (under the EU-US Data Privacy Framework). Adequacy decisions are subject to periodic review.

Article 46 (appropriate safeguards). Where no adequacy decision applies, transfers may proceed on the basis of appropriate safeguards. The most-used safeguards are Standard Contractual Clauses (SCCs, updated in 2021) and Binding Corporate Rules (BCRs, for intra-group transfers). Other safeguards include approved codes of conduct, approved certification mechanisms, and legally binding instruments between public authorities.

Article 49 (derogations). Where neither an adequacy decision nor appropriate safeguards apply, specific transfers may proceed on derogations for specific situations: explicit consent of the data subject, contract necessity, public interest, legal claims, vital interests, public-register access. Derogations are intended for occasional rather than systematic transfers; the EDPB has been clear that derogations cannot serve as a standing substitute for adequacy or safeguards.

Schrems II in detail

On 16 July 2020, the Court of Justice of the European Union delivered its judgment in Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems, commonly known as Schrems II. The judgment had two principal holdings. First, the Privacy Shield adequacy decision (the predecessor to the DPF) was invalid, primarily because the level of protection for European personal data was not essentially equivalent to that required by the EU Charter of Fundamental Rights, given US surveillance law and the inadequacy of remedies for European data subjects. Second, SCCs remained valid as a transfer mechanism but their validity was conditional on the controller's assessment of the specific transfer context. Where the law of the importer's country did not provide essentially equivalent protection, the controller had to adopt supplementary measures or suspend the transfer.

The EDPB issued Recommendations 01/2020 on supplementary measures in June 2021, providing a standardised framework: identify the transfer, identify the mechanism, assess the law and practice of the third country, identify supplementary measures if needed, take any procedural steps, and re-evaluate at appropriate intervals. The Recommendations include a non-exhaustive list of technical, organisational and contractual supplementary measures, with examples of when each is or is not appropriate.

The practical effect of Schrems II was to make every Chapter V transfer to a high-risk jurisdiction (US, China, Russia and others) a documented decision: a transfer-impact assessment (TIA) is now expected practice, and its absence is an aggravating factor in any Chapter V enforcement.

The EU-US Data Privacy Framework

On 10 July 2023, the European Commission adopted Implementing Decision (EU) 2023/1795 declaring that the United States ensures an adequate level of protection for personal data transferred from the EU to certified organisations under the EU-US Data Privacy Framework. The DPF includes binding safeguards (limiting US intelligence access to what is necessary and proportionate), a redress mechanism (the Data Protection Review Court), and a self-certification framework for participating US organisations.

The DPF faces a challenge before the General Court, brought by NOYB and others, on grounds that the underlying US surveillance framework has not substantively changed despite the procedural improvements. The challenge (Schrems III) was filed in late 2023 and remains pending. The DPF's status as a valid transfer mechanism could change if the Court finds against the Commission. Controllers should document their reliance on the DPF and maintain a fallback mechanism (SCCs with supplementary measures) ready for activation if necessary.

Landmark Chapter V fines

Meta €1.2 billion (DPC, 2023): the leading authority on Article 46 enforcement. Meta's reliance on SCCs for transfers to the US, after Schrems II and before the DPF, was found to be insufficient because the supplementary measures did not address US surveillance law. The accompanying suspension and data-return orders were the operationally significant element of the decision.

TikTok €530 million (DPC, 2025): the extension of the Meta framework to non-US transfers. TikTok's reliance on SCCs for transfers to staff in China was held insufficient given Chinese surveillance and data-access law. The case confirmed that Schrems II is not US-specific.

Uber €290 million (Dutch AP, 2024): unique focus on platform-worker data transfers. Uber's transfer of European driver data to the US under SCCs was found insufficient, with the worker-data dimension treated as an aggravating factor.

Italian Garante cases against multiple French website operators (2022) for their use of Google Analytics: smaller individual fines but cumulatively a landmark establishing that the Schrems II analysis applies to data-importer tooling, not just to controller-led transfers.

Common compliance failures

The recurring Chapter V failure patterns include: undocumented or paper-only transfer-impact assessments that do not engage with the importer's legal context; reliance on SCCs without considering supplementary measures for high-risk jurisdictions; use of analytics and data-import tools (Google Analytics in pre-DPF configurations) without considering the Chapter V dimension; reliance on derogations (Article 49) for systematic processing, contrary to the EDPB's position; and inadequate transparency to data subjects about international transfers (Article 13(1)(f)). Each pattern has been the subject of multiple enforcement decisions.

Defensive controls

Map every Chapter V transfer in the Article 30 ROPA. For each transfer, identify the mechanism (adequacy, SCCs, BCRs, derogation) and document the rationale. For SCC-based transfers, conduct a documented transfer-impact assessment that engages with the importer's legal environment. Where the TIA identifies risks, adopt substantive supplementary measures: technical (end-to-end encryption with EU-held keys, pseudonymisation), organisational (transfer-policy controls, legal-process notification commitments), or contractual (specific clauses requiring the importer to challenge access requests). Re-evaluate transfers at least annually and whenever the importer-jurisdiction context changes (new surveillance law, new adequacy decision, new CJEU ruling).

For transparency (Article 13(1)(f)), surface in the privacy notice the specific third countries to which personal data is transferred, the mechanism relied on, and the safeguards in place. Generic references to "our group companies worldwide" or "our service providers in third countries" are inadequate; the WhatsApp DPC 2021 transparency decision is the leading authority on this point.

Fine band you can expect

For small national controllers with limited international transfers, Chapter V fines have been in the low tens of thousands of euros, often paired with other minor infringements. For mid-sized controllers with documented SCC reliance but inadequate TIAs, fines range from €100,000 to several million euros. For Big Tech entities with systematic cross-border processing on high-risk transfers, fines reach hundreds of millions of euros, with the Meta €1.2B figure as the current top of the range. The trajectory is upward, particularly as the AI-system context introduces additional cross-border training-data and inference-data flows that engage Chapter V.

FREQUENTLY ASKED

About Chapter V GDPR fines

What is Chapter V of the GDPR?

Articles 44-49 constitute Chapter V, governing the transfer of personal data to third countries (countries outside the EEA) or international organisations. The framework is: transfers are prohibited unless they satisfy Article 44's general principle (the overall level of protection must not be undermined) and rely on one of three mechanisms: adequacy (Article 45), appropriate safeguards (Article 46, including SCCs and BCRs), or derogations (Article 49) for specific situations.

What is Schrems II and why does it matter?

Schrems II is the colloquial name for the CJEU's judgment in Case C-311/18 (16 July 2020). The Court invalidated the EU-US Privacy Shield adequacy decision and held that controllers relying on SCCs (the most common alternative mechanism) must verify, in the specific context of each transfer, whether the law of the importing country provides essentially equivalent protection to the GDPR. Where it does not, the controller must adopt supplementary measures or suspend the transfer. The judgment fundamentally reshaped transfer-compliance practice across the EU.

Is there a current adequacy decision for the US?

Yes. On 10 July 2023, the European Commission adopted an adequacy decision for the EU-US Data Privacy Framework (DPF), succeeding the invalidated Privacy Shield. US organisations that self-certify to the DPF can be relied on as Article 45 adequate transfer recipients. The DPF faces a 'Schrems III' challenge pending before the General Court. Pending the outcome, controllers should monitor the DPF's status and have a fallback transfer mechanism ready.

Does adequacy exist for other countries?

As of 2026, the European Commission has adopted adequacy decisions for: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan (commercial organisations), Jersey, New Zealand, Republic of Korea, Switzerland, UK (under GDPR and LED), Uruguay, and the United States (under the DPF). Transfers to any other third country require Article 46 safeguards or Article 49 derogations.

What is the typical Chapter V fine?

Infringements of Articles 44-49 fall within the Article 83(5) upper tier, with a maximum of €20 million or 4% of total worldwide annual turnover. In practice, Chapter V fines have ranged from a few thousand euros (small national-only transfer questions) to €1.2 billion (Meta DPC 2023). Recent enforcement signals indicate Chapter V is a primary DPA priority.

Can I rely on SCCs for transfers to China or Russia?

Theoretically yes; in practice, the Schrems II analysis applied to Chinese law (the TikTok 2025 case) or Russian law would likely conclude that essentially equivalent protection is not available, and therefore SCCs would be insufficient without supplementary measures that fundamentally alter the picture. The practical implication for China is data localisation through EU-based infrastructure, as TikTok has pursued with Project Clover.

What are the Article 49 derogations?

Article 49 allows transfers without Article 45 or Article 46 cover in specific situations: explicit consent of the data subject (49(1)(a)), transfer necessary for the performance of a contract with the data subject (49(1)(b)), transfer necessary for important reasons of public interest (49(1)(d)), transfer necessary for the establishment, exercise or defence of legal claims (49(1)(e)), transfer necessary to protect vital interests (49(1)(f)), transfer from a register intended to provide public information (49(1)(g)). The derogations are intended for occasional, not systematic, transfers.

CROSS-REFERENCES

Chapter V cases and references

CHAPTER V CASE

Meta €1.2B (2023)

The leading Article 46 authority. US transfers, supplementary-measures inadequacy.

CHAPTER V CASE

TikTok €530M (2025)

Schrems II applied to China transfers. The most recent landmark.

SUPERVISORY AUTHORITY

Irish DPC Profile

The lead authority for the largest Chapter V cases due to Big Tech HQs in Ireland.

SUPERVISORY AUTHORITY

Dutch AP Profile

The Uber €290M case is the leading non-DPC Chapter V decision.

ARTICLE 5

Article 5 Enforcement

Minimisation principles apply to Chapter V transfers (don't transfer more than necessary).

REGISTER

Full Decision Register

Browse all major Chapter V fines.

SOURCES & CITATIONS

Primary sources

Figures as of May 2026. Verified against published DPA decisions.

REGISTER UPDATED 2026-04-28