Data Transfers: Contractual Necessity

The GDPR restricts transfers of personal data to most countries outside of the EEA/UK, including transfers to the United States. However, if a business needs to send Europeans’ personal data to a data recipient in the U.S., it still has a few options. 

The best of these is to ensure that the recipient is either a participant in the Data Privacy Framework or has Standard Contractual Clauses in place to cover the transfer.

Without one of these transfer mechanisms to rely on, businesses may want to consider whether an exception applies. One of the most commonly used is the exception based on contractual necessity.

What Is the Rule?

Article 49 of the GDPR states that a transfer of personal data to an “unsafe” country is allowed if:


The transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request.


The most common contract for most online businesses is that between buyer and seller. Therefore, transfers of data that are necessary to effectuate a sale—such as for processing a payment and shipping a product—may be covered by this exception.

What Does “Necessary” Mean?

The main thing to consider when deciding if this exception applies is whether the transfer is “necessary” for the contract. Ultimately, what that means can only be determined on a case-by-case basis, but the UK’s data protection authorities have offered some guidance:


"[Necessary] does not mean that the transfer has to be absolutely essential. However, it must be more than just useful and standard practice. It must be a targeted and proportionate way of achieving a specific purpose. The exception does not apply if you can reasonably achieve the same purpose by some other means.

"It is not enough to argue that the transfer is necessary because you have chosen to operate your business in a particular way. The question is whether the transfer is objectively necessary and proportionate for the stated purpose, not whether it is a necessary part of your chosen methods."


Factors to Consider

  • Are there safer alternatives, such as using a vendor that only processes data in the EEA/UK?
  • If so, how feasible is that alternative? Are there practical considerations that prevent you from changing vendors?
  • How frequent are the transfers? Occasional transfers are more likely to be considered necessary and proportionate than transfers that are frequent and predictable.
  • Are there other data protections in place, such as processor documentation?
  • Will the personal data be used for any other purpose besides fulfilling the contract?