The GDPR imposes strict conditions on the transfer of personal data from the EU to third countries that are not considered to provide an adequate level of protection . As a general rule, such transfers are prohibited unless the receiving country has been granted an adequacy decision by the European Commission, confirming that its legal framework ensures a level of protection that is essentially equivalent to that within the EU . In the absence of such a decision, organizations may only transfer data if they implement appropriate safeguards. The most common of these are the Standard Contractual Clauses (SCCs), which are pre-approved contractual commitments between the data exporter and importer . However, following the landmark “Schrems II” ruling, the Court of Justice of the European Union clarified that SCCs are not sufficient on their own. Data exporters must now also conduct a case-by-case Transfer Adequacy Risk Assessment (TARA) to evaluate whether the laws of the destination country might undermine the protection offered by the SCCs .