Visa · Visa Privacy Notice

GDPR and International Data Transfers

Medium severity
Share 𝕏 Share in Share 🔒 PDF

What it is

For users in the EU, UK, or Switzerland, Visa uses Standard Contractual Clauses (SCCs) and other safeguards when transferring personal data outside those regions, as required by GDPR and related laws.

Consumer impact (what this means for users)

If you are in the EU or UK, your personal data is transferred to the U.S. under Standard Contractual Clauses, but the adequacy of these protections in practice depends on Visa's supplementary measures and compliance with the EU-U.S. Data Privacy Framework.

Cross-platform context

See how other platforms handle GDPR and International Data Transfers and similar clauses.

Compare across platforms →
Need full compliance memos? See Professional →

Why it matters (compliance & risk perspective)

International data transfers from the EU/UK to the U.S. carry regulatory scrutiny, and SCCs alone may not fully protect consumer data if U.S. surveillance laws allow government access — a concern highlighted by post-Schrems II jurisprudence.

View original clause language
If you are located in the European Economic Area, the United Kingdom, or Switzerland, we comply with applicable data protection laws when transferring your personal information outside of these regions. We use appropriate safeguards, such as standard contractual clauses, to protect your personal information when it is transferred internationally.

Institutional analysis (Compliance & legal intelligence)

REGULATORY FRAMEWORK: This provision implicates GDPR Chapter V (Arts. 44–49) governing international data transfers, specifically Art. 46(2)(c) standard contractual clauses (SCCs) as adopted by the European Commission in 2021 (Implementing Decision (EU) 2021/914). The EU-U.S. Data Privacy Framework (DPF, adopted July 2023, Commission Implementing Decision (EU) 2023/1795) provides an adequacy mechanism for U.S.-based organizations. The UK International Data Transfer Agreement (IDTA) applies for UK transfers. Swiss Federal Act on Data Protection (revFADP) applies for Switzerland. Enforcement authority rests with EU member state DPAs, the UK ICO, and the Swiss FDPIC.

🔒

Compliance intelligence locked

Regulatory citations, enforcement risk, and due diligence action items.

Watcher $9.99/mo Professional $149/mo

Watcher: regulatory citations. Professional: full compliance memo.

Applicable agencies

  • FTC
    The FTC is the primary U.S. enforcement authority for the EU-U.S. Data Privacy Framework and has authority to take action against companies that violate their DPF commitments.
    File a complaint →

Provision details

Document information
Document
Visa Privacy Notice
Entity
Visa
Document last updated
April 29, 2026
Tracking information
First tracked
April 27, 2026
Last verified
April 27, 2026
Record ID
CA-P-003385
Document ID
CA-D-00114
Evidence Provenance
Source URL
https://usa.visa.com/legal/privacy-policy.html
Wayback Machine
View archived versions →
SHA-256
0f3b20918fcde3434b1eb83f3ef5b6abd53b678f83f5a8ee823c96cbbe17c540
Verified
✓ Snapshot stored   ✓ Change verified
How to Cite
ConductAtlas Policy Archive
Entity: Visa | Document: Visa Privacy Notice | Record: CA-P-003385
Captured: 2026-04-27 12:33:46 UTC | SHA-256: 0f3b20918fcde343…
URL: https://conductatlas.com/platform/visa/visa-privacy-notice/gdpr-and-international-data-transfers/
Accessed: April 29, 2026
Classification
Severity
Medium
Categories
Unknown

Other provisions in this document