AuditFront

GDPR Art.46.Supp: Supplementary Measures for International Transfers

What This Control Requires

In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

In Plain Language

When your Transfer Impact Assessment shows that SCCs or another transfer mechanism cannot, on their own, guarantee equivalent protection in the destination country, you need supplementary measures to close the gap. Schrems II created this requirement, and the EDPB fleshed it out in Recommendations 01/2020.

The EDPB breaks supplementary measures into three categories. Technical measures are the strongest: encryption where only the exporter holds decryption keys, pseudonymisation with the re-identification mapping kept exclusively in the EEA, split processing so no single entity abroad can reconstruct the full dataset, or transferring only anonymised data. Organisational measures include transparency policies, internal governance, regular audits of importer compliance, and documented procedures for handling government access requests. Contractual measures cover enhanced notification obligations, commitments to challenge disproportionate government demands, audit rights, and strengthened data subject rights provisions.

The critical question is effectiveness. A supplementary measure only works if it genuinely prevents unauthorised government access to personal data, or makes such access technically impossible. For some processing scenarios, no effective measure exists - if the importer needs the data in cleartext to do the job, encryption cannot stop government-compelled disclosure. In those cases, the transfer simply cannot go ahead.

How to Implement

Review your Transfer Impact Assessments and identify which transfers need supplementary measures. Not every transfer will - if the TIA concludes the destination country's framework provides adequate protection, the transfer mechanism alone may suffice. Focus your effort on transfers to countries where government access laws have been flagged as problematic.

For each transfer needing supplementary measures, assess which measures are technically feasible and genuinely effective. Consider the processing purpose carefully - encryption with EEA-held keys only works if the importer does not need cleartext access. Map each identified risk to candidate supplementary measures and evaluate whether the measure actually neutralises the risk. Document this analysis.

Deploy technical measures where they apply. Use strong encryption (TLS 1.2 or higher) for data in transit. For data at rest, implement encryption where the exporter retains exclusive control of keys and key management. For processing, consider pseudonymisation with the mapping table held exclusively in the EEA, data splitting across multiple jurisdictions, or privacy-preserving computation techniques like homomorphic encryption or secure multi-party computation where they are mature enough for your use case.

Layer on organisational measures. Develop policies requiring the importer to notify you of government access requests (as far as local law allows), challenge requests that look disproportionate, provide only the minimum data necessary, and maintain transparency about requests received. Audit the importer's compliance with these obligations regularly.

Strengthen your contracts. Add specific provisions to your SCCs or DPAs covering government access request handling, enhanced notification obligations, mandatory challenge requirements, warrant canary mechanisms where appropriate, audit rights targeted at government access scenarios, and commitments to relocate processing to the EEA if the legal landscape deteriorates beyond the point where protection can be maintained.
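One concrete form of the technical measures described above (pseudonymisation with the re-identification mapping held exclusively in the EEA, plus a pre-transfer check that no direct identifiers leave), written as an added example rather than AuditFront's own code. The customer records, field names and the importer's aggregation task are constructed for illustration; the point is that the HMAC key and the token-to-identity map never leave the exporter, so the importer can do its job on tokens alone.

```python
import hashlib
import hmac
import secrets

# Constructed sample data for the example; hypothetical records held by the EEA exporter.
CUSTOMER_RECORDS = [
    {"email": "anna@example.eu", "plan": "pro", "spend_eur": 120},
    {"email": "ben@example.eu", "plan": "basic", "spend_eur": 30},
    {"email": "cara@example.eu", "plan": "pro", "spend_eur": 80},
]
DIRECT_IDENTIFIERS = {"email", "name", "phone"}  # fields that must never be exported

class EEAExporter:
    """Pseudonymises records. The HMAC key and the token-to-identity map stay in the EEA."""
    def __init__(self):
        self._key = secrets.token_bytes(32)   # never shared with the importer
        self._reidentification_map = {}       # token -> email, kept exporter-side only

    def pseudonymise(self, records):
        exported = []
        for rec in records:
            token = hmac.new(self._key, rec["email"].encode(), hashlib.sha256).hexdigest()[:16]
            self._reidentification_map[token] = rec["email"]
            # Ship only the token plus the attributes the importer actually needs.
            exported.append({"subject_id": token, "plan": rec["plan"], "spend_eur": rec["spend_eur"]})
        return exported

    def reidentify(self, token):
        """Runs inside the EEA: maps an importer result back to the data subject."""
        return self._reidentification_map[token]

def contains_direct_identifiers(records):
    """Pre-transfer gate: refuse the export if any direct identifier field is present."""
    return any(field in DIRECT_IDENTIFIERS for rec in records for field in rec)

def importer_spend_by_plan(records):
    """The third-country importer's task (hypothetical), run on pseudonymised records only."""
    totals = {}
    for rec in records:
        totals[rec["plan"]] = totals.get(rec["plan"], 0) + rec["spend_eur"]
    return totals

def run_transfer(records=CUSTOMER_RECORDS):
    exporter = EEAExporter()
    exported = exporter.pseudonymise(records)
    if contains_direct_identifiers(exported):
        raise ValueError("direct identifiers must not leave the EEA")
    top_token = max(exported, key=lambda r: r["spend_eur"])["subject_id"]  # importer's finding
    return importer_spend_by_plan(exported), exporter.reidentify(top_token)
```

If the importer's task required the e-mail addresses themselves, this measure would not apply and, as the FAQ below notes, encryption alone would not close the gap either.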

Evidence Your Auditor Will Request

  • Risk-to-measure mapping showing which supplementary measures address which identified risks
  • Technical supplementary measures documentation (encryption configurations, key management, pseudonymisation)
  • Organisational supplementary measures (policies, audit procedures, transparency mechanisms)
  • Contractual supplementary measures in SCCs or DPAs
  • Effectiveness assessment documenting why the combination of measures ensures adequate protection

Common Mistakes

  • Supplementary measures identified as necessary in the TIA but not actually implemented
  • Relying on contractual or organisational measures alone when the risk requires technical measures
  • Encryption implemented but the data importer also holds the decryption keys, rendering the measure ineffective
  • No assessment of whether supplementary measures are actually effective against the identified risks
  • Supplementary measures not reviewed when circumstances change (new laws, new government practices)

Related Controls Across Frameworks

Framework    Control ID    Relationship
ISO 27001    A.8.24        Related
ISO 27001    A.5.34        Related

Frequently Asked Questions

Are contractual supplementary measures sufficient on their own?

Generally, no. The EDPB has been clear that contractual and organisational measures alone cannot address government access risks because they do not bind government authorities. A contract saying 'do not hand over data' means nothing when a government compels disclosure. Contractual measures can support and complement technical measures, but where the core risk is government-compelled access, you need technical measures that physically prevent it.

What if no supplementary measure can effectively protect the data?

Then the transfer cannot happen. If no combination of measures can ensure essentially equivalent protection, you must stop or not start the transfer. Look at alternatives: process the data within the EEA, switch to a provider in a country with an adequacy decision, or restructure the data flow to avoid the problematic jurisdiction entirely.

Does encryption always solve the government access problem?

Only if the importer never sees the decryption keys and never needs the data in cleartext. If the whole point of the transfer is for the importer to process unencrypted data - customer support, data analysis, content moderation - then encryption at rest does not help. The importer will have the data in cleartext during processing, and a government can compel disclosure of that.
